|
var-201406-0445
|
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. OpenSSL is prone to security-bypass vulnerability.
Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks.
Versions prior to OpenSSL 1.0.1 and 1.0.2-beta1 are vulnerable.
HP Connect IT / HP SPM CIT - 9.5x
Please install: HP Connect IT 9.53.P2
For Windows
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00070
For Linux
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00071
For AIX
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00072
For HPUX
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00073
For Solaris
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00074
HP Connect IT / HP SPM CIT - 9.4x
Please install: HP Connect IT 9.40.P1
For windows(en)
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00075
For Linux(en)
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00076
For AIX(en)
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00077
For HPUX(en)
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00078
For Solaris(en)
http://support.openview.hp.com/selfsolve/document/LID/HPCIT_00079
HP Connect IT / HP SPM AM 5.2x
Please install: HP Connect IT 9.41.P1
HISTORY
Version:1 (rev.1) - 19 August 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy. ============================================================================
Ubuntu Security Notice USN-2232-3
June 23, 2014
openssl regression
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
USN-2232-1 introduced a regression in OpenSSL. The upstream fix for
CVE-2014-0224 caused a regression for certain applications that use
renegotiation, such as PostgreSQL. This update fixes the problem.
Original advisory details:
J=C3=BCri Aedla discovered that OpenSSL incorrectly handled invalid DTLS
fragments. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and
Ubuntu 14.04 LTS. (CVE-2014-0195)
Imre Rad discovered that OpenSSL incorrectly handled DTLS recursions. A
remote attacker could use this issue to cause OpenSSL to crash, resulting
in a denial of service. (CVE-2014-0221)
KIKUCHI Masashi discovered that OpenSSL incorrectly handled certain
handshakes.
(CVE-2014-0224)
Felix Gr=C3=B6bert and Ivan Fratri=C4=87 discovered that OpenSSL incorrectly handled
anonymous ECDH ciphersuites. A remote attacker could use this issue to
cause OpenSSL to crash, resulting in a denial of service. This issue only
affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS.
(CVE-2014-3470)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.4
Ubuntu 13.10:
libssl1.0.0 1.0.1e-3ubuntu1.6
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.16
Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.19
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2232-3
http://www.ubuntu.com/usn/usn-2232-1
https://launchpad.net/bugs/1332643
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.4
https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.6
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.16
https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.19
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201407-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: OpenSSL: Multiple vulnerabilities
Date: July 27, 2014
Bugs: #512506
ID: 201407-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in OpenSSL, possibly allowing
remote attackers to execute arbitrary code.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 1.0.1h-r1 *>= 0.9.8z_p5
*>= 0.9.8z_p4
*>= 0.9.8z_p1
*>= 0.9.8z_p3
*>= 0.9.8z_p2
*>= 1.0.0m
>= 1.0.1h-r1
Description
===========
Multiple vulnerabilities have been discovered in OpenSSL.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1h-r1"
References
==========
[ 1 ] CVE-2010-5298
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5298
[ 2 ] CVE-2014-0195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0195
[ 3 ] CVE-2014-0198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0198
[ 4 ] CVE-2014-0221
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0221
[ 5 ] CVE-2014-0224
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0224
[ 6 ] CVE-2014-3470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3470
[ 7 ] OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201407-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. The bulletin does not apply to any other 3rd party application
(e.g. operating system, web server, or application server) that may be
required to be installed by the customer according instructions in the
product install guide. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04347622
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04347622
Version: 1
HPSBHF03052 rev.1 - HP Intelligent Management Center (iMC), HP Network
Products including H3C and 3COM Routers and Switches running OpenSSL, Remote
Denial of Service (DoS), Code Execution, Unauthorized Access, Modification or
Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-06-20
Last Updated: 2014-06-20
Potential Security Impact: Remote Denial of Service (DoS), code execution,
unauthorized access, modification of information, disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Intelligent
Management Center (iMC), HP Network Products including 3COM and H3C routers
and switches running OpenSSL. The vulnerabilities could be exploited remotely
to create a Denial of Service (DoS), execute code, allow unauthorized access,
modify or disclose information.
References:
CVE-2010-5298 Remote Denial of Service (DoS) or Modification of Information
CVE-2014-0198 Remote Unauthorized Access (only iMC impacted)
CVE-2014-0224 Remote Unauthorized Access or Disclosure of Information
SSRT101561
Note: All products listed are impacted by CVE-2014-0224 . iMC is also
impacted by CVE-2014-0198 and CVE-2010-5298
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION
section below for a list of impacted products.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-5298 (AV:N/AC:H/Au:N/C:N/I:P/A:P) 4.0
CVE-2014-0198 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2014-0224 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
On June 5th 2014, OpenSSL.org issued an advisory with several CVE
vulnerabilities. HP Networking is working to release fixes for these
vulnerabilities that impact the products in the table below. As fixed
software is made available, this security bulletin will be updated to show
the fixed versions. Until the software fixes are available, HP Networking is
providing the following information including possible workarounds to
mitigate the risks of these vulnerabilities.
Description
The most serious issue reported is CVE-2014-0224 and it is the one discussed
here. To take advantage CVE-2014-0224, an attacker must:
be in between the OpenSSL client and OpenSSL server.
be capable of intercepting and modifying packets between the OpenSSL client
and OpenSSL server in real time.
Workarounds
HP Networking equipment is typically deployed inside firewalls and access to
management interfaces and other protocols is more tightly controlled than in
public environments. This deployment and security restrictions help to reduce
the possibility of an attacker being able to intercept both OpenSSL client
and OpenSSL server traffic.
Following the guidelines in the Hardening Comware-based devices can help to
further reduce man-in-the-middle opportunities:
http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=c03536
920
For an HP Networking device acting as an OpenSSL Server, using a patched
OpenSSL client or non-OpenSSL client eliminates the risk. As an example, most
modern web browsers do not use the OpenSSL client and the sessions between
the HP Networking OpenSSL server and the non-OpenSSL client are not at risk
for this attack. For HP Networking Equipment that is using an OpenSSL client,
patching the OpenSSL server will eliminate the risk of this attack.
Protocol Notes
The following details the protocols that use OpenSSL in Comware v5 and
Comware v7:
Comware V7:
Server:
FIPS/HTTPS/Load Balancing/Session Initiation Protocol
Client:
Load Balancing/OpenFlow/Session Initiation Protocol/State Machine Based
Anti-Spoofing/Dynamic DNS
Comware V5:
Server:
CAPWAP/EAP/SSLVPN
Client:
Dynamic DNS
Family
Fixed Version
HP Branded Products Impacted
H3C Branded Products Impacted
3Com Branded Products Impacted
12900 Switch Series
Fix in progress
use mitigations
JG619A HP FF 12910 Switch AC Chassis
JG621A HP FF 12910 Main Processing Unit
JG632A HP FF 12916 Switch AC Chassis
JG634A HP FF 12916 Main Processing Unit
12500
Fix in progress
use mitigations
JC085A HP A12518 Switch Chassis
JC086A HP A12508 Switch Chassis
JC652A HP 12508 DC Switch Chassis
JC653A HP 12518 DC Switch Chassis
JC654A HP 12504 AC Switch Chassis
JC655A HP 12504 DC Switch Chassis
JF430A HP A12518 Switch Chassis
JF430B HP 12518 Switch Chassis
JF430C HP 12518 AC Switch Chassis
JF431A HP A12508 Switch Chassis
JF431B HP 12508 Switch Chassis
JF431C HP 12508 AC Switch Chassis
JC072B HP 12500 Main Processing Unit
JC808A HP 12500 TAA Main Processing Unit
H3C S12508 Routing Switch(AC-1) (0235A0GE)
H3C S12518 Routing Switch(AC-1) (0235A0GF)
H3C S12508 Chassis (0235A0E6)
H3C S12508 Chassis (0235A38N)
H3C S12518 Chassis (0235A0E7)
H3C S12518 Chassis (0235A38M)
12500 (Comware v7)
Fix in progress
use mitigations
JC085A HP A12518 Switch Chassis
JC086A HP A12508 Switch Chassis
JC652A HP 12508 DC Switch Chassis
JC653A HP 12518 DC Switch Chassis
JC654A HP 12504 AC Switch Chassis
JC655A HP 12504 DC Switch Chassis
JF430A HP A12518 Switch Chassis
JF430B HP 12518 Switch Chassis
JF430C HP 12518 AC Switch Chassis
JF431A HP A12508 Switch Chassis
JF431B HP 12508 Switch Chassis
JF431C HP 12508 AC Switch Chassis
JC072B HP 12500 Main Processing Unit
JG497A HP 12500 MPU w/Comware V7 OS
JG782A HP FF 12508E AC Switch Chassis
JG783A HP FF 12508E DC Switch Chassis
JG784A HP FF 12518E AC Switch Chassis
JG785A HP FF 12518E DC Switch Chassis
JG802A HP FF 12500E MPU
H3C S12508 Routing Switch(AC-1) (0235A0GE)
H3C S12518 Routing Switch(AC-1) (0235A0GF)
H3C S12508 Chassis (0235A0E6)
H3C S12508 Chassis (0235A38N)
H3C S12518 Chassis (0235A0E7)
H3C S12518 Chassis (0235A38M)
11900 Switch Series
Fix in progress
use mitigations
JG608A HP FF 11908-V Switch Chassis
JG609A HP FF 11900 Main Processing Unit
10500 Switch Series (Comware v5)
Fix in progress
use mitigations
JC611A HP 10508-V Switch Chassis
JC612A HP 10508 Switch Chassis
JC613A HP 10504 Switch Chassis
JC614A HP 10500 Main Processing Unit
JC748A HP 10512 Switch Chassis
JG375A HP 10500 TAA Main Processing Unit
JG820A HP 10504 TAA Switch Chassis
JG821A HP 10508 TAA Switch Chassis
JG822A HP 10508-V TAA Switch Chassis
JG823A HP 10512 TAA Switch Chassis
10500 Switch Series (Comware v7)
Fix in progress
use mitigations
JC611A HP 10508-V Switch Chassis
JC612A HP 10508 Switch Chassis
JC613A HP 10504 Switch Chassis
JC748A HP 10512 Switch Chassis
JG820A HP 10504 TAA Switch Chassis
JG821A HP 10508 TAA Switch Chassis
JG822A HP 10508-V TAA Switch Chassis
JG823A HP 10512 TAA Switch Chassis
JG496A HP 10500 Type A MPU w/Comware v7 OS
9500E
Fix in progress
use mitigations
JC124A HP A9508 Switch Chassis
JC124B HP 9505 Switch Chassis
JC125A HP A9512 Switch Chassis
JC125B HP 9512 Switch Chassis
JC474A HP A9508-V Switch Chassis
JC474B HP 9508-V Switch Chassis
H3C S9505E Routing-Switch Chassis (0235A0G6)
H3C S9508E-V Routing-Switch Chassis (0235A38Q)
H3C S9512E Routing-Switch Chassis (0235A0G7)
H3C S9508E-V Routing-Switch Chassis (0235A38Q)
H3C S9505E Chassis w/ Fans (0235A38P)
H3C S9512E Chassis w/ Fans (0235A38R)
Router 8800
Fix in progress
use mitigations
JC147A HP A8802 Router Chassis
JC147B HP 8802 Router Chassis
JC148A HP A8805 Router Chassis
JC148B HP 8805 Router Chassis
JC149A HP A8808 Router Chassis
JC149B HP 8808 Router Chassis
JC150A HP A8812 Router Chassis
JC150B HP 8812 Router Chassis
JC141A HP 8802 Main Control Unit Module
JC138A HP 8805/08/12 (1E) Main Cntrl Unit Mod
JC137A HP 8805/08/12 (2E) Main Cntrl Unit Mod
H3C SR8805 10G Core Router Chassis (0235A0G8)
H3C SR8808 10G Core Router Chassis (0235A0G9)
H3C SR8812 10G Core Router Chassis (0235A0GA)
H3C SR8802 10G Core Router Chassis (0235A0GC)
H3C SR8802 10G Core Router Chassis (0235A31B)
H3C SR8805 10G Core Router Chassis (0235A31C)
H3C SR8808 10G Core Router Chassis (0235A31D)
H3C SR8812 10G Core Router Chassis (0235A31E)
7500 Switch Series
Fix in progress
use mitigations
JC666A HP A7503-S 144 Gbps Fab/MPU w 24p Gig-T
JC697A HP A7502 TAA Main Processing Unit
JC698A HP A7503S 144 Gbps TAA Fab/MPU w 24p GbE
JC699A HP A7500 384Gbps TAA Fab/MPU w 2p 10-GbE
JC700A HP A7500 384 Gbps TAA Fabric / MPU
JC701A HP A7510 768 Gbps TAA Fabric / MPU
JD193A HP 384 Gbps A7500 Fab Mod w/2 XFP Ports
JD193B HP 7500 384Gbps Fab Mod w/2 XFP Ports
JD194A HP 384 Gbps Fabric A7500 Module
JD194B HP 7500 384Gbps Fabric Module
JD195A HP 7500 384Gbps Advanced Fabric Module
JD196A HP 7502 Fabric Module
JD220A HP 7500 768Gbps Fabric Module
JD238A HP A7510 Switch Chassis
JD238B HP 7510 Switch Chassis
JD239A HP A7506 Switch Chassis
JD239B HP 7506 Switch Chassis
JD240A HP A7503 Switch Chassis
JD240B HP 7503 Switch Chassis
JD241A HP A7506 Vertical Switch Chassis
JD241B HP 7506-V Switch Chassis
JD242A HP A7502 Switch Chassis
JD242B HP 7502 Switch Chassis
JD243A HP A7503 Switch Chassis w/1 Fabric Slot
JD243B HP 7503-S Switch Chassis w/1 Fabric Slot
H3C S7502E Ethernet Switch Chassis with Fan (0235A0G4)
H3C S7503E Ethernet Switch Chassis with Fan (0235A0G2)
H3C S7503E-S Ethernet Switch Chassis with Fan (0235A0G5)
H3C S7506E Ethernet Switch Chassis with Fan (0235A0G1)
H3C S7506E-V Ethernet Switch Chassis with Fan (0235A0G3)
H3C S7510E Ethernet Switch Chassis with Fan (0235A0G0)
H3C S7502E Chassis w/ fans (0235A29A)
H3C S7503E Chassis w/ fans (0235A27R)
H3C S7503E-S Chassis w/ fans (0235A33R)
H3C S7506E Chassis w/ fans (0235A27Q)
H3C S7506E-V Chassis w/ fans (0235A27S)
HSR6800
Fix in progress
use mitigations
JG361A HP HSR6802 Router Chassis
JG362A HP HSR6804 Router Chassis
JG363A HP HSR6808 Router Chassis
JG364A HP HSR6800 RSE-X2 Router MPU
JG779A HP HSR6800 RSE-X2 Router TAA MPU
HSR6800 Russian Version
Fix in progress
use mitigations
JG361A HP HSR6802 Router Chassis
JG362A HP HSR6804 Router Chassis
JG363A HP HSR6808 Router Chassis
JG364A HP HSR6800 RSE-X2 Router MPU
JG779A HP HSR6800 RSE-X2 Router TAA MPU
HSR6602
Fix in progress
use mitigations
JG353A HP HSR6602-G Router
JG354A HP HSR6602-XG Router
JG776A HP HSR6602-G TAA Router
JG777A HP HSR6602-XG TAA Router
HSR6602 Russian Version
Fix in progress
use mitigations
JG353A HP HSR6602-G Router
JG354A HP HSR6602-XG Router
JG776A HP HSR6602-G TAA Router
JG777A HP HSR6602-XG TAA Router
A6600
Fix in progress
use mitigations
JC177A HP 6608 Router
JC177B HP A6608 Router Chassis
JC178A HP 6604 Router Chassis
JC178B HP A6604 Router Chassis
JC496A HP 6616 Router Chassis
JC566A HP A6600 RSE-X1 Main Processing Unit
JG780A HP 6600 RSE-X1 Router TAA MPU
H3C RT-SR6608-OVS-H3 (0235A32X)
H3C RT-SR6604-OVS-H3 (0235A37X)
H3C SR6616 Router Chassis (0235A41D)
A6600 Russian Version
Fix in progress
use mitigations
JC177A HP 6608 Router
JC177B HP A6608 Router Chassis
JC178A HP 6604 Router Chassis
JC178B HP A6604 Router Chassis
JC496A HP 6616 Router Chassis
JC566A HP A6600 RSE-X1 Main Processing Unit
JG780A HP 6600 RSE-X1 Router TAA MPU
H3C RT-SR6608-OVS-H3 (0235A32X)
H3C RT-SR6604-OVS-H3 (0235A37X)
H3C SR6616 Router Chassis (0235A41D)
6600 MCP
Fix in progress
use mitigations
JC177A HP 6608 Router
JC177B HP A6608 Router Chassis
JC178A HP 6604 Router Chassis
JC178B HP A6604 Router Chassis
JC496A HP 6616 Router Chassis
JG778A HP 6600 MCP-X2 Router TAA MPU. JG355A HP 6600 MCP-X1 Router MPU
JG356A HP 6600 MCP-X2 Router MPU
H3C RT-SR6608-OVS-H3 (0235A32X)
H3C RT-SR6604-OVS-H3 (0235A37X)
H3C SR6616 Router Chassis (0235A41D)
6600 MCP Russian Version
Fix in progress
use mitigations
JC177A HP 6608 Router
JC177B HP A6608 Router Chassis
JC178A HP 6604 Router Chassis
JC178B HP A6604 Router Chassis
JC496A HP 6616 Router Chassis
JG778A HP 6600 MCP-X2 Router TAA MPU
JG355A HP 6600 MCP-X1 Router MPU
JG356A HP 6600 MCP-X2 Router MPU
H3C RT-SR6608-OVS-H3 (0235A32X)
H3C RT-SR6604-OVS-H3 (0235A37X)
H3C SR6616 Router Chassis (0235A41D)
5920 Switch Series
Fix in progress
use mitigations
JG296A HP 5920AF-24XG Switch
JG555A HP 5920AF-24XG TAA Switch
5900 Switch Series
Fix in progress
use mitigations
JC772A HP 5900AF-48XG-4QSFP+ Switch
JG336A HP 5900AF-48XGT-4QSFP+ Switch
JG510A HP 5900AF-48G-4XG-2QSFP+ Switch
JG554A HP 5900AF-48XG-4QSFP+ TAA Switch
JG838A HP FF 5900CP-48XG-4QSFP+ Switch
5900 Virtual Switch
Fix in progress
use mitigations
JG814AAE HP Virtual Switch 5900v VMware E-LTU
JG815AAE HP VSO SW for 5900v VMware E-LTU
5830 Switch Series
Fix in progress
use mitigations
JC691A HP A5830AF-48G Switch w/1 Interface Slot
JC694A HP A5830AF-96G Switch
JG316A HP 5830AF-48G TAA Switch w/1 Intf Slot
JG374A HP 5830AF-96G TAA Switch
5820 Switch Series
Fix in progress
use mitigations
JC102A HP 5820-24XG-SFP+ Switch
JC106A HP 5820-14XG-SFP+ Switch with 2 Slots
JG219A HP 5820AF-24XG Switch
JG243A HP 5820-24XG-SFP+ TAA-compliant Switch
JG259A HP 5820X-14XG-SFP+ TAA Switch w 2 Slots
H3C S5820X-28C 14 port (SFP Plus ) Plus 4-port BT (RJ45) Plus 2 media
modules Plus OSM (0235A37L)
H3C S5820X-28S 24-port 10GBASE-X (SFP Plus ) Plus 4-port 10/100/1000BASE-T
(RJ45) (0235A370)
5800 Switch Series
Fix in progress
use mitigations
JC099A HP 5800-24G-PoE Switch
JC100A HP 5800-24G Switch
JC101A HP 5800-48G Switch with 2 Slots
JC103A HP 5800-24G-SFP Switch
JC104A HP 5800-48G-PoE Switch
JC105A HP 5800-48G Switch
JG225A HP 5800AF-48G Switch
JG242A HP 5800-48G-PoE+ TAA Switch w 2 Slots
JG254A HP 5800-24G-PoE+ TAA-compliant Switch
JG255A HP 5800-24G TAA-compliant Switch
JG256A HP 5800-24G-SFP TAA Switch w 1 Intf Slt
JG257A HP 5800-48G-PoE+ TAA Switch with 1 Slot
JG258A HP 5800-48G TAA Switch w 1 Intf Slot
H3C S5800-32C - 24-port 1BT Plus 4-port (SFP Plus ) Plus 1 media slot
(0235A36U)
H3C S5800-32C-PWR - 24-port 10/100/1000BASE-T (RJ45) Plus 4-port 10GBASE-X
(SFP Plus ) Plus 1 media module PoE (0235A36S)
H3C S5800-32F 24-port 1000BASE-X (SFP) Plus 4-port 10GBASE-X (SFP Plus ) Plus
media module (no power) (0235A374)
H3C S5800-56C 48-port 10/100/1000BASE-T (RJ45) Plus 4port 10GBASE-X (SFP Plus
) Plus media module (0235A379)
H3C S5800-56C-PWR 48-port BT Plus 4 port (SFP Plus ) Plus media module
(0235A378)
H3C S5800-60C-PWR 48-port BT Plus 4-port SFP Plus 2 media modules Plus OSM
(0235A36W)
5500 HI Switch Series
Fix in progress
use mitigations
JG311A HP HI 5500-24G-4SFP w/2 Intf Slts Switch
JG312A HP HI 5500-48G-4SFP w/2 Intf Slts Switch
JG541A HP 5500-24G-PoE+-4SFP HI Switch w/2 Slt
JG542A HP 5500-48G-PoE+-4SFP HI Switch w/2 Slt
JG543A HP 5500-24G-SFP HI Switch w/2 Intf Slt
JG679A HP 5500-24G-PoE+-4SFP HI TAA Swch w/2Slt
JG680A HP 5500-48G-PoE+-4SFP HI TAA Swch w/2Slt
JG681A HP 5500-24G-SFP HI TAA Swch w/2Slt
5500 EI Switch Series
Fix in progress
use mitigations
JD373A HP 5500-24G DC EI Switch
JD374A HP 5500-24G-SFP EI Switch
JD375A HP 5500-48G EI Switch
JD376A HP 5500-48G-PoE EI Switch
JD377A HP 5500-24G EI Switch
JD378A HP 5500-24G-PoE EI Switch
JD379A HP 5500-24G-SFP DC EI Switch
JG240A HP 5500-48G-PoE+ EI Switch w/2 Intf Slts
JG241A HP 5500-24G-PoE+ EI Switch w/2 Intf Slts
JG249A HP 5500-24G-SFP EI TAA Switch w 2 Slts
JG250A HP 5500-24G EI TAA Switch w 2 Intf Slts
JG251A HP 5500-48G EI TAA Switch w 2 Intf Slts
JG252A HP 5500-24G-PoE+ EI TAA Switch w/2 Slts
JG253A HP 5500-48G-PoE+ EI TAA Switch w/2 Slts
H3C S5500-28C-EI Ethernet Switch (0235A253)
H3C S5500-28F-EI Eth Switch AC Single (0235A24U)
H3C S5500-52C-EI Ethernet Switch (0235A24X)
H3C S5500-28C-EI-DC Ethernet Switch (0235A24S)
H3C S5500-28C-PWR-EI Ethernet Switch (0235A255)
H3C S5500-28F-EI Eth Swtch DC Single Pwr (0235A259)
H3C S5500-52C-PWR-EI Ethernet Switch (0235A251)
5500 SI Switch Series
Fix in progress
use mitigations
JD369A HP 5500-24G SI Switch
JD370A HP 5500-48G SI Switch
JD371A HP 5500-24G-PoE SI Switch
JD372A HP 5500-48G-PoE SI Switch
JG238A HP 5500-24G-PoE+ SI Switch w/2 Intf Slts
JG239A HP 5500-48G-PoE+ SI Switch w/2 Intf Slts
H3C S5500-28C-SI Ethernet Switch (0235A04U)
H3C S5500-52C-SI Ethernet Switch (0235A04V)
H3C S5500-28C-PWR-SI Ethernet Switch (0235A05H)
H3C S5500-52C-PWR-SI Ethernet Switch (0235A05J)
5120 EI Switch Series
Fix in progress
use mitigations
JE066A HP 5120-24G EI Switch
JE067A HP 5120-48G EI Switch
JE068A HP 5120-24G EI Switch with 2 Slots
JE069A HP 5120-48G EI Switch with 2 Slots
JE070A HP 5120-24G-PoE EI Switch with 2 Slots
JE071A HP 5120-48G-PoE EI Switch with 2 Slots
JG236A HP 5120-24G-PoE+ EI Switch w/2 Intf Slts
JG237A HP 5120-48G-PoE+ EI Switch w/2 Intf Slts
JG245A HP 5120-24G EI TAA Switch w 2 Intf Slts
JG246A HP 5120-48G EI TAA Switch w 2 Intf Slts
JG247A HP 5120-24G-PoE+ EI TAA Switch w 2 Slts
JG248A HP 5120-48G-PoE+ EI TAA Switch w 2 Slts
H3C S5120-24P-EI 24GE Plus 4ComboSFP (0235A0BQ)
H3C S5120-28C-EI 24GE Plus 4Combo Plus 2Slt (0235A0BS)
H3C S5120-48P-EI 48GE Plus 4ComboSFP (0235A0BR)
H3C S5120-52C-EI 48GE Plus 4Combo Plus 2Slt (0235A0BT)
H3C S5120-28C-PWR-EI 24G Plus 4C Plus 2S Plus POE (0235A0BU)
H3C S5120-52C-PWR-EI 48G Plus 4C Plus 2S Plus POE (0235A0BV)
5120 SI switch Series
Fix in progress
use mitigations
JE072A HP 5120-48G SI Switch
JE073A HP 5120-16G SI Switch
JE074A HP 5120-24G SI Switch
JG091A HP 5120-24G-PoE+ (370W) SI Switch
JG092A HP 5120-24G-PoE+ (170W) SI Switch
H3C S5120-52P-SI 48GE Plus 4 SFP (0235A41W)
H3C S5120-20P-SI L2
16GE Plus 4SFP (0235A42B)
H3C S5120-28P-SI 24GE Plus 4 SFP (0235A42D)
H3C S5120-28P-HPWR-SI (0235A0E5)
H3C S5120-28P-PWR-SI (0235A0E3)
4800 G Switch Series
Fix in progress
use mitigations
JD007A HP 4800-24G Switch
JD008A HP 4800-24G-PoE Switch
JD009A HP 4800-24G-SFP Switch
JD010A HP 4800-48G Switch
JD011A HP 4800-48G-PoE Switch
3Com Switch 4800G 24-Port (3CRS48G-24-91)
3Com Switch 4800G 24-Port SFP (3CRS48G-24S-91)
3Com Switch 4800G 48-Port (3CRS48G-48-91)
3Com Switch 4800G PWR 24-Port (3CRS48G-24P-91)
3Com Switch 4800G PWR 48-Port (3CRS48G-48P-91)
4510G Switch Series
Fix in progress
use mitigations
JF428A HP 4510-48G Switch
JF847A HP 4510-24G Switch
3Com Switch 4510G 48 Port (3CRS45G-48-91)
3Com Switch 4510G PWR 24-Port (3CRS45G-24P-91)
3Com Switch E4510-24G (3CRS45G-24-91)
4210G Switch Series
Fix in progress
use mitigations
JF844A HP 4210-24G Switch
JF845A HP 4210-48G Switch
JF846A HP 4210-24G-PoE Switch
3Com Switch 4210-24G (3CRS42G-24-91)
3Com Switch 4210-48G (3CRS42G-48-91)
3Com Switch E4210-24G-PoE (3CRS42G-24P-91)
3610 Switch Series
Fix in progress
use mitigations
JD335A HP 3610-48 Switch
JD336A HP 3610-24-4G-SFP Switch
JD337A HP 3610-24-2G-2G-SFP Switch
JD338A HP 3610-24-SFP Switch
H3C S3610-52P - model LS-3610-52P-OVS (0235A22C)
H3C S3610-28P - model LS-3610-28P-OVS (0235A22D)
H3C S3610-28TP - model LS-3610-28TP-OVS (0235A22E)
H3C S3610-28F - model LS-3610-28F-OVS (0235A22F)
3600 V2 Switch Series
Fix in progress
use mitigations
JG299A HP 3600-24 v2 EI Switch
JG300A HP 3600-48 v2 EI Switch
JG301A HP 3600-24-PoE+ v2 EI Switch
JG301B HP 3600-24-PoE+ v2 EI Switch
JG302A HP 3600-48-PoE+ v2 EI Switch
JG302B HP 3600-48-PoE+ v2 EI Switch
JG303A HP 3600-24-SFP v2 EI Switch
JG304A HP 3600-24 v2 SI Switch
JG305A HP 3600-48 v2 SI Switch
JG306A HP 3600-24-PoE+ v2 SI Switch
JG306B HP 3600-24-PoE+ v2 SI Switch
JG307A HP 3600-48-PoE+ v2 SI Switch
JG307B HP 3600-48-PoE+ v2 SI Switch
3100V2
Fix in progress
use mitigations
JD313B HP 3100-24-PoE v2 EI Switch
JD318B HP 3100-8 v2 EI Switch
JD319B HP 3100-16 v2 EI Switch
JD320B HP 3100-24 v2 EI Switch
JG221A HP 3100-8 v2 SI Switch
JG222A HP 3100-16 v2 SI Switch
JG223A HP 3100-24 v2 SI Switch
3100V2-48
Fix in progress
use mitigations
JG315A HP 3100-48 v2 Switch
1910
Fix in progress
use mitigations
JE005A HP 1910-16G Switch
JE006A HP 1910-24G Switch
JE007A HP 1910-24G-PoE (365W) Switch
JE008A HP 1910-24G-PoE(170W) Switch
JE009A HP 1910-48G Switch
JG348A HP 1910-8G Switch
JG349A HP 1910-8G-PoE+ (65W) Switch
JG350A HP 1910-8G-PoE+ (180W) Switch
3Com Baseline Plus Switch 2900 Gigabit Family - 52 port (3CRBSG5293)
3Com Baseline Plus Switch 2900G - 20 port (3CRBSG2093)
3Com Baseline Plus Switch 2900G - 28 port (3CRBSG2893)
3Com Baseline Plus Switch 2900G - 28HPWR (3CRBSG28HPWR93)
3Com Baseline Plus Switch 2900G - 28PWR (3CRBSG28PWR93)
1810v1 P2
Fix in progress
use mitigations
J9449A HP 1810-8G Switch
J9450A HP 1810-24G Switch
1810v1 PK
Fix in progress
use mitigations
J9660A HP 1810-48G Switch
MSR20
Fix in progress
use mitigations
JD432A HP A-MSR20-21 Multi-Service Router
JD662A HP MSR20-20 Multi-Service Router
JD663A HP MSR20-21 Multi-Service Router
JD663B HP MSR20-21 Router
JD664A HP MSR20-40 Multi-Service Router
JF228A HP MSR20-40 Router
JF283A HP MSR20-20 Router
H3C RT-MSR2020-AC-OVS-H3C (0235A324)
H3C RT-MSR2040-AC-OVS-H3 (0235A326)
H3C MSR 20-20 (0235A19H)
H3C MSR 20-21 (0235A325)
H3C MSR 20-40 (0235A19K)
H3C MSR-20-21 Router (0235A19J)
MSR20-1X
Fix in progress
use mitigations
JD431A HP MSR20-10 Router
JD667A HP MSR20-15 IW Multi-Service Router
JD668A HP MSR20-13 Multi-Service Router
JD669A HP MSR20-13 W Multi-Service Router
JD670A HP MSR20-15 A Multi-Service Router
JD671A HP MSR20-15 AW Multi-Service Router
JD672A HP MSR20-15 I Multi-Service Router
JD673A HP MSR20-11 Multi-Service Router
JD674A HP MSR20-12 Multi-Service Router
JD675A HP MSR20-12 W Multi-Service Router
JD676A HP MSR20-12 T1 Multi-Service Router
JF236A HP MSR20-15-I Router
JF237A HP MSR20-15-A Router
JF238A HP MSR20-15-I-W Router
JF239A HP MSR20-11 Router
JF240A HP MSR20-13 Router
JF241A HP MSR20-12 Router
JF806A HP MSR20-12-T Router
JF807A HP MSR20-12-W Router
JF808A HP MSR20-13-W Router
JF809A HP MSR20-15-A-W Router
JF817A HP MSR20-15 Router
JG209A HP MSR20-12-T-W Router (NA)
JG210A HP MSR20-13-W Router (NA)
H3C MSR 20-15 Router Host(AC) 1 FE 4 LSW 1 ADSLoPOTS 1 DSIC (0235A0A8)
H3C MSR 20-10 (0235A0A7)
H3C RT-MSR2011-AC-OVS-H3 (0235A395)
H3C RT-MSR2012-AC-OVS-H3 (0235A396)
H3C RT-MSR2012-AC-OVS-W-H3 (0235A397)
H3C RT-MSR2012-T-AC-OVS-H3 (0235A398)
H3C RT-MSR2013-AC-OVS-H3 (0235A390)
H3C RT-MSR2013-AC-OVS-W-H3 (0235A391)
H3C RT-MSR2015-AC-OVS-A-H3 (0235A392)
H3C RT-MSR2015-AC-OVS-AW-H3 (0235A393)
H3C RT-MSR2015-AC-OVS-I-H3 (0235A394)
H3C RT-MSR2015-AC-OVS-IW-H3 (0235A38V)
H3C MSR 20-11 (0235A31V)
H3C MSR 20-12 (0235A32E)
H3C MSR 20-12 T1 (0235A32B)
H3C MSR 20-13 (0235A31W)
H3C MSR 20-13 W (0235A31X)
H3C MSR 20-15 A (0235A31Q)
H3C MSR 20-15 A W (0235A31R)
H3C MSR 20-15 I (0235A31N)
H3C MSR 20-15 IW (0235A31P)
H3C MSR20-12 W (0235A32G)
MSR30
Fix in progress
use mitigations
JD654A HP MSR30-60 POE Multi-Service Router
JD657A HP MSR30-40 Multi-Service Router
JD658A HP MSR30-60 Multi-Service Router
JD660A HP MSR30-20 POE Multi-Service Router
JD661A HP MSR30-40 POE Multi-Service Router
JD666A HP MSR30-20 Multi-Service Router
JF229A HP MSR30-40 Router
JF230A HP MSR30-60 Router
JF232A HP RT-MSR3040-AC-OVS-AS-H3
JF235A HP MSR30-20 DC Router
JF284A HP MSR30-20 Router
JF287A HP MSR30-40 DC Router
JF801A HP MSR30-60 DC Router
JF802A HP MSR30-20 PoE Router
JF803A HP MSR30-40 PoE Router
JF804A HP MSR30-60 PoE Router
H3C MSR 30-20 Router (0235A328)
H3C MSR 30-40 Router Host(DC) (0235A268)
H3C RT-MSR3020-AC-POE-OVS-H3 (0235A322)
H3C RT-MSR3020-DC-OVS-H3 (0235A267)
H3C RT-MSR3040-AC-OVS-H (0235A299)
H3C RT-MSR3040-AC-POE-OVS-H3 (0235A323)
H3C RT-MSR3060-AC-OVS-H3 (0235A320)
H3C RT-MSR3060-AC-POE-OVS-H3 (0235A296)
H3C RT-MSR3060-DC-OVS-H3 (0235A269)
H3C MSR 30-20 RTVZ33020AS Router Host(AC) (0235A20S)
H3C MSR 30-20 (0235A19L)
H3C MSR 30-20 POE (0235A239)
H3C MSR 30-40 (0235A20J)
H3C MSR 30-40 POE (0235A25R)
H3C MSR 30-60 (0235A20K)
H3C MSR 30-60 POE (0235A25S)
H3C RT-MSR3040-AC-OVS-AS-H3 (0235A20V)
MSR30-16
Fix in progress
use mitigations
JD659A HP MSR30-16 POE Multi-Service Router
JD665A HP MSR30-16 Multi-Service Router
JF233A HP MSR30-16 Router
JF234A HP MSR30-16 PoE Router
H3C RT-MSR3016-AC-OVS-H3 (0235A327)
H3C RT-MSR3016-AC-POE-OVS-H3 (0235A321)
H3C MSR 30-16 (0235A237)
H3C MSR 30-16 POE (0235A238)
MSR30-1X
Fix in progress
use mitigations
JF800A HP MSR30-11 Router
JF816A HP MSR30-10 2 FE /2 SIC /1 MIM MS Rtr
JG182A HP MSR30-11E Router
JG183A HP MSR30-11F Router
JG184A HP MSR30-10 DC Router
H3C MSR 30-10 Router Host(AC) 2FE 2SIC 1XMIM 256DDR (0235A39H)
H3C RT-MSR3011-AC-OVS-H3 (0235A29L)
MSR50
Fix in progress
use mitigations
JD433A HP MSR50-40 Router
JD653A HP MSR50 Processor Module
JD655A HP MSR50-40 Multi-Service Router
JD656A HP MSR50-60 Multi-Service Router
JF231A HP MSR50-60 Router
JF285A HP MSR50-40 DC Router
JF640A HP MSR50-60 Rtr Chassis w DC PwrSupply
H3C MSR 50-40 Router (0235A297)
H3C MSR5040-DC-OVS-H3C (0235A20P)
H3C RT-MSR5060-AC-OVS-H3 (0235A298)
H3C MSR 50-40 Chassis (0235A20N)
H3C MSR 50-60 Chassis (0235A20L)
MSR50-G2
Fix in progress
use mitigations
JD429A HP MSR50 G2 Processor Module
JD429B HP MSR50 G2 Processor Module
H3C H3C MSR 50 Processor Module-G2 (0231A84Q)
H3C MSR 50 High Performance Main Processing Unit 3GE (Combo)
256F/1GD(0231A0KL)
MSR20 Russian version
Fix in progress
use mitigations
JD663B HP MSR20-21 Router
JF228A HP MSR20-40 Router
JF283A HP MSR20-20 Router
H3C RT-MSR2020-AC-OVS-H3C (0235A324)
H3C RT-MSR2040-AC-OVS-H3 (0235A326)
MSR20-1X Russian version
Fix in progress
use mitigations
JD431A HP MSR20-10 Router
JF236A HP MSR20-15-I Router
JF237A HP MSR20-15-A Router
JF238A HP MSR20-15-I-W Router
JF239A HP MSR20-11 Router
JF240A HP MSR20-13 Router
JF241A HP MSR20-12 Router
JF806A HP MSR20-12-T Router
JF807A HP MSR20-12-W Router
JF808A HP MSR20-13-W Router
JF809A HP MSR20-15-A-W Router
JF817A HP MSR20-15 Router
H3C MSR 20-10 (0235A0A7)
H3C RT-MSR2015-AC-OVS-I-H3 (0235A394)
H3C RT-MSR2015-AC-OVS-A-H3 (0235A392)
H3C RT-MSR2015-AC-OVS-AW-H3 (0235A393)
H3C RT-MSR2011-AC-OVS-H3 (0235A395)
H3C RT-MSR2013-AC-OVS-H3 (0235A390)
H3C RT-MSR2012-AC-OVS-H3 (0235A396)
H3C RT-MSR2012-T-AC-OVS-H3 (0235A398)
H3C RT-MSR2012-AC-OVS-W-H3 (0235A397)
H3C RT-MSR2013-AC-OVS-W-H3 (0235A391)
H3C RT-MSR2015-AC-OVS-IW-H3 (0235A38V)
H3C MSR 20-15 Router Host(AC) 1 FE 4 LSW 1 ADSLoPOTS 1 DSIC (0235A0A8)
MSR30 Russian version
Fix in progress
use mitigations
JF229A HP MSR30-40 Router
JF230A HP MSR30-60 Router
JF235A HP MSR30-20 DC Router
JF284A HP MSR30-20 Router
JF287A HP MSR30-40 DC Router
JF801A HP MSR30-60 DC Router
JF802A HP MSR30-20 PoE Router
JF803A HP MSR30-40 PoE Router
JF804A HP MSR30-60 PoE Router
H3C RT-MSR3040-AC-OVS-H (0235A299)
H3C RT-MSR3060-AC-OVS-H3 (0235A320)
H3C RT-MSR3020-DC-OVS-H3 (0235A267)
H3C MSR 30-20 Router (0235A328)
H3C MSR 30-40 Router Host(DC) (0235A268)
H3C RT-MSR3060-DC-OVS-H3 (0235A269)
H3C RT-MSR3020-AC-POE-OVS-H3 (0235A322)
H3C RT-MSR3040-AC-POE-OVS-H3 (0235A323)
H3C RT-MSR3060-AC-POE-OVS-H3 (0235A296)
MSR30-1X Russian version
Fix in progress
use mitigations
JF800A HP MSR30-11 Router
JF816A HP MSR30-10 2 FE /2 SIC /1 MIM MS Rtr
JG182A HP MSR30-11E Router
JG183A HP MSR30-11F Router
JG184A HP MSR30-10 DC Router
H3C RT-MSR3011-AC-OVS-H3 (0235A29L)
H3C MSR 30-10 Router Host(AC) 2FE 2SIC 1XMIM 256DDR (0235A39H)
MSR30-16 Russian version
Fix in progress
use mitigations
JF233A HP MSR30-16 Router
JF234A HP MSR30-16 PoE Router
H3C RT-MSR3016-AC-OVS-H3 (0235A327)
H3C RT-MSR3016-AC-POE-OVS-H3 (0235A321)
MSR50 Russian version
Fix in progress
use mitigations
JD433A HP MSR50-40 Router
JD653A HP MSR50 Processor Module
JD655A HP MSR50-40 Multi-Service Router
JD656A HP MSR50-60 Multi-Service Router
JF231A HP MSR50-60 Router
JF285A HP MSR50-40 DC Router
JF640A HP MSR50-60 Rtr Chassis w DC PwrSupply
H3C MSR 50-40 Router (0235A297)
H3C MSR 50 Processor Module (0231A791)
H3C MSR 50-40 Chassis (0235A20N)
H3C MSR 50-60 Chassis (0235A20L)
H3C RT-MSR5060-AC-OVS-H3 (0235A298)
H3C MSR5040-DC-OVS-H3C (0235A20P)
MSR50 G2 Russian version
Fix in progress
use mitigations
JD429B HP MSR50 G2 Processor Module
H3C MSR 50 High Performance Main Processing Unit 3GE (Combo) 256F/1GD
(0231A0KL)
MSR9XX
Fix in progress
use mitigations
JF812A HP MSR900 Router
JF813A HP MSR920 Router
JF814A HP MSR900-W Router
JF815A HP MSR920 2FEWAN/8FELAN/.11b/g Rtr
JG207A HP MSR900-W Router (NA)
JG208A HP MSR920-W Router (NA)
H3C MSR 900 Router with 802.11b/g 2 FE WAN 4 FE LAN 256DDR 802.11b
(0235A0C2)
H3C MSR 900 Router 2 FE WAN 4 FE LAN 256DDR (0235A0BX)
H3C MSR 920 Router with 802.11b/g 2 FE WAN 8 FE LAN 256DDR (0235A0C4)
H3C MSR 920 Router 2 FE WAN 8 FE LAN 256DDR (0235A0C0)
MSR9XX Russian version
Fix in progress
use mitigations
JF812A HP MSR900 Router
JF813A HP MSR920 Router
JF814A HP MSR900-W Router
JF815A HP MSR920 2FEWAN/8FELAN/.11b/g Rtr
H3C MSR 900 Router 2 FE WAN 4 FE LAN 256DDR (0235A0BX)
H3C MSR 920 Router 2 FE WAN 8 FE LAN 256DDR (0235A0C0)
H3C MSR 900 Router with 802.11b/g 2 FE WAN 4 FE LAN 256DDR 802.11b (0235A0C2)
H3C MSR 920 Router with 802.11b/g 2 FE WAN 8 FE LAN 256DDR (0235A0C4)
MSR93X
Fix in progress
use mitigations
JG511A HP MSR930 Router
JG512A HP MSR930 Wireless Router
JG513A HP MSR930 3G Router
JG514A HP MSR931 Router
JG515A HP MSR931 3G Router
JG516A HP MSR933 Router
JG517A HP MSR933 3G Router
JG518A HP MSR935 Router
JG519A HP MSR935 Wireless Router
JG520A HP MSR935 3G Router
JG531A HP MSR931 Dual 3G Router
JG596A HP MSR930 4G LTE/3G CDMA Router
JG597A HP MSR936 Wireless Router
JG665A HP MSR930 4G LTE/3G WCDMA Global Router
JG704A HP MSR930 4G LTE/3G WCDMA ATT Router
MSR93X Russian version
Fix in progress
use mitigations
JG511A HP MSR930 Router
JG512A HP MSR930 Wireless Router
JG513A HP MSR930 3G Router
JG514A HP MSR931 Router
JG515A HP MSR931 3G Router
JG516A HP MSR933 Router
JG517A HP MSR933 3G Router
JG518A HP MSR935 Router
JG519A HP MSR935 Wireless Router
JG520A HP MSR935 3G Router
JG531A HP MSR931 Dual 3G Router
JG596A HP MSR930 4G LTE/3G CDMA Router
JG597A HP MSR936 Wireless Router
JG665A HP MSR930 4G LTE/3G WCDMA Global Router
JG704A HP MSR930 4G LTE/3G WCDMA ATT Router
MSR1000
Fix in progress
use mitigations
JG732A HP MSR1003-8 AC Router
MSR2000
Fix in progress
use mitigations
JG411A HP MSR2003 AC Router
MSR3000
Fix in progress
use mitigations
JG404A HP MSR3064 Router
JG405A HP MSR3044 Router
JG406A HP MSR3024 AC Router
JG409A HP MSR3012 AC Router
JG861A HP MSR3024 TAA-compliant AC Router
MSR4000
Fix in progress
use mitigations
JG402A HP MSR4080 Router Chassis
JG403A HP MSR4060 Router Chassis
JG412A HP MSR4000 MPU-100 Main Processing Unit
F5000
Fix in progress
use mitigations
JG216A HP F5000 Firewall Standalone Chassis
JD259A HP A5000-A5 VPN Firewall Chassis
H3C SecPath F5000-A5 Host System (0150A0AG)
U200S and CS
Fix in progress
use mitigations
JD268A HP 200-CS UTM Appliance
JD273A HP U200-S UTM Appliance
H3C SecPath U200-S (0235A36N)
U200A and M
Fix in progress
use mitigations
JD274A HP 200-M UTM Appliance
JD275A HP U200-A UTM Appliance
H3C SecPath U200-A (0235A36Q)
F1000A and S
Fix in progress
use mitigations
JD270A HP S1000-S VPN Firewall Appliance
JD271A HP S1000-A VPN Firewall Appliance
JG213A HP F1000-S-EI VPN Firewall Appliance
JG214A HP F1000-A-EI VPN Firewall Appliance
SecBlade FW
Fix in progress
use mitigations
JC635A HP 12500 VPN Firewall Module
JD245A HP 9500 VPN Firewall Module
JD249A HP 10500/7500 Advanced VPN Firewall Mod
JD250A HP 6600 Firewall Processing Rtr Module
JD251A HP 8800 Firewall Processing Module
JD255A HP 5820 VPN Firewall Module
H3C S9500E SecBlade VPN Firewall Module (0231A0AV)
H3C S7500E SecBlade VPN Firewall Module (0231A832)
H3C SR66 Gigabit Firewall Module (0231A88A)
H3C SR88 Firewall Processing Module (0231A88L)
H3C S5820 SecBlade VPN Firewall Module (0231A94J)
F1000E
Fix in progress
use mitigations
JD272A HP S1000-E VPN Firewall Appliance
VSR1000
Fix in progress
use mitigations
JG810AAE HP VSR1001 Virtual Services Router
JG811AAE HP VSR1001 Virtual Services Router
JG812AAE HP VSR1004 Virtual Services Router
JG813AAE HP VSR1008 Virtual Services Router
WX5002/5004
Fix in progress
use mitigations
JD441A HP 5800 ACM for 64-256 APs
JD447B HP WX5002 Access Controller
JD448A HP A-WX5004 Access Controller
JD448B HP WX5004 Access Controller
JD469A HP A-WX5004 (3Com) Access Controller
JG261A HP 5800 Access Controller OAA TAA Mod
HP 850/870
Fix in progress
use mitigations
JG723A HP 870 Unified Wired-WLAN Appliance
JG725A HP 870 Unifd Wrd-WLAN TAA Applnc
HP 830
Fix in progress
use mitigations
JG640A HP 830 24P PoE+ Unifd Wired-WLAN Swch
JG641A HP 830 8P PoE+ Unifd Wired-WLAN Swch
JG646A HP 830 24-Port PoE+ Wrd-WLAN TAA Switch
JG647A HP 830 8-Port PoE+ Wrd-WLAN TAA Switch
HP 6000
Fix in progress
use mitigations
JG639A HP 10500/7500 20G Unified Wired-WLAN Mod
JG645A HP 10500/7500 20G Unifd Wrd-WLAN TAA Mod
M220
Fix in progress
use mitigations
J9798A HP M220 802.11n AM Access Point
J9799A HP M220 802.11n WW Access Point
NGFW
Fix in progress
use mitigations
JC882A HP S1050F NGFW Aplnc w/DVLabs 1-yr Lic
JC883A HP S3010F NGFW Aplnc w/DVLabs 1-yr Lic
JC884A HP S3020F NGFW Aplnc w/DVLabs 1-yr Lic
JC885A HP S8005F NGFW Aplnc w/DVLabs 1-yr Lic
JC886A HP S8010F NGFW Aplnc w/DVLabs 1-yr Lic
iMC UAM 7.0
Fix in progress
use mitigations
JD144A HP IMC UAM S/W Module w/200-User License
JF388A HP IMC UAM S/W Module w/200-user License
JD435A HP IMC EAD Client Software
JF388AAE HP IMC UAM S/W Module w/200-user E-LTU
JG752AAE HP IMC UAM SW Mod w/ 50-user E-LTU
iMC EAD 7.0
Fix in progress
use mitigations
JF391AAE HP IMC EAD S/W Module w/200-user E-LTU
JG754AAE HP IMC EAD SW Module w/ 50-user E-LTU
JD147A HP IMC Endpoint Admission Defense Software Module with 200-user
License
JF391A HP IMC EAD S/W Module w/200-user License
iMC PLAT 7.0
Fix in progress
use mitigations
JF377AAE HP IMC Standard Edition Software Platform with 100-node E-LTU
JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
JG747AAE HP IMC Standard Software Platform with 50-node E-LTU
JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
JD125A HP IMC Standard Edition Software Platform with 100-node License
JD815A HP IMC Standard Edition Software Platform with 100-node License
JD816A HP A-IMC Standard Edition Software DVD Media
JF377A HP IMC Standard Edition Software Platform with 100-node License
JF288AAE HP Network Director to Intelligent Management Center Upgrade E-LTU
JF289AAE HP Enterprise Management System to Intelligent Management Center
Upgrade E-LTU
TJ635AAE HP IMC for ANM 50 node pack SW E-LTU (On HP Softwares CPL
not HPNs)
JF378AAE HP IMC Enterprise Edition Software Platform with 200-Node E-LTU
JG748AAE HP IMC Enterprise Software Platform with 50-node E-LTU
JD126A HP A-IMC Enterprise Software Platform with 200-node License
JD808A HP A-IMC Enterprise Software Platform with 200-node License
JD814A HP A-IMC Enterprise Edition Software DVD Media
JF378A HP IMC Enterprise Edition Software Platform with 200-node License
JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
JG550AAE HP PMM to IMC Bsc WLM Upgr w/150 AP E-LTU
JG590AAE HP IMC Bsc WLAN Mgr SW Pltfm 50 AP E-LTU
JG659AAE HP IMC Smart Connect Virtual Appliance Edition E-LTU
JG766AAE HP IMC Smart Connect Virtual Appliance Edition E-LTU
JG660AAE HP IMC Smart Connect w / WLAN Manager Virtual Appliance Edition
E-LTU
JG767AAE HP IMC Smart Connect with Wireless Service Manager Virtual Appliance
Software E-LTU
HISTORY
Version:1 (rev.1) - 20 June 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iEYEARECAAYFAlOkrM4ACgkQ4B86/C0qfVn7/QCeK5T1H9dXfVQgIKSr5USqLmvq
CtMAnjujH7e5aXfIOvxyyuB0FcSwIWCM
=CEL7
-----END PGP SIGNATURE-----
.
OpenSSL is a 3rd party product that is embedded with some HP printer
products. This bulletin notifies HP Printer customers about impacted
products. To obtain the updated firmware, go to www.hp.com and follow
these steps:
Select "Drivers & Software".
Enter the appropriate product name listed in the table below into the search
field.
Click on "Search".
Click on the appropriate product.
Under "Select operating system" click on "Cross operating system (BIOS,
Firmware, Diagnostics, etc.)"
Note: If the "Cross operating system ..." link is not present, select
applicable Windows operating system from the list.
Select the appropriate firmware update under "Firmware".
Firmware Updates Table
Product Name
Model Number
Firmware Revision
HP Color LaserJet CM4540 MFP
CC419A, CC420A, CC421A
v 2302963_436067 (or higher)
HP Color LaserJet CP5525
CE707A,CE708A,CE709A
v 2302963_436070 (or higher)
HP Color LaserJet Enterprise M750
D3L08A, D3L09A, D3L10A
v 2302963_436077 (or higher)
HP Color LaserJet M651
CZ255A, CZ256A, CZ257A, CZ258A
v 2302963_436073 (or higher)
HP Color LaserJet M680
CZ248A, CZ249A
v 2302963_436072 (or higher)
HP Color LaserJet Flow M680
CZ250A, CA251A
v 2302963_436072 (or higher)
HP LaserJet Enterprise 500 color MFP M575dn
CD644A, CD645A
v 2302963_436081 (or higher)
HP LaserJet Enterprise 500 MFP M525f
CF116A, CF117A
v 2302963_436069 (or higher)
HP LaserJet Enterprise 600 M601 Series
CE989A, CE990A
v 2302963_436082 (or higher)
HP LaserJet Enterprise 600 M602 Series
CE991A, CE992A, CE993A
v 2302963_436082 (or higher)
HP LaserJet Enterprise 600 M603 Series
CE994A, CE995A, CE996A
v 2302963_436082 (or higher)
HP LaserJet Enterprise MFP M630 series
B3G84A, B3G85A, B3G86A, J7X28A
v 2303714_233000041 (or higher)
HP LaserJet Enterprise 700 color M775 series
CC522A, CC523A, CC524A, CF304A
v 2302963_436079 (or higher)
HP LaserJet Enterprise 700 M712 series
CF235A, CF236A, CF238A
v 2302963_436080 (or higher)
HP LaserJet Enterprise 800 color M855
A2W77A, A2W78A, A2W79A
v 2302963_436076 (or higher)
HP LaserJet Enterprise 800 color MFP M880
A2W76A, A2W75A, D7P70A, D7P71A
v 2302963_436068 (or higher)
HP LaserJet Enterprise Color 500 M551 Series
CF081A,CF082A,CF083A
v 2302963_436083 (or higher)
HP LaserJet Enterprise color flow MFP M575c
CD646A
v 2302963_436081 (or higher)
HP LaserJet Enterprise flow M830z MFP
CF367A
v 2302963_436071 (or higher)
HP LaserJet Enterprise flow MFP M525c
CF118A
v 2302963_436069 (or higher)
HP LaserJet Enterprise M4555 MFP
CE502A,CE503A, CE504A, CE738A
v 2302963_436064 (or higher)
HP LaserJet Enterprise M806
CZ244A, CZ245A
v 2302963_436075 (or higher)
HP LaserJet Enterprise MFP M725
CF066A, CF067A, CF068A, CF069A
v 2302963_436078 (or higher)
HP Scanjet Enterprise 8500 Document Capture Workstation
L2717A, L2719A
v 2302963_436065 (or higher)
OfficeJet Enterprise Color MFP X585
B5L04A, B5L05A,B5L07A
v 2302963_436066 (or higher)
OfficeJet Enterprise Color X555
C2S11A, C2S12A
v 2302963_436074 (or higher)
HP Color LaserJet CP3525
CC468A, CC469A, CC470A, CC471A
v 06.183.1 (or higher)
HP LaserJet M4345 Multifunction Printer
CB425A, CB426A, CB427A, CB428A
v 48.306.1 (or higher)
HP LaserJet M5025 Multifunction Printer
Q7840A
v 48.306.1 (or higher)
HP Color LaserJet CM6040 Multifunction Printer
Q3938A, Q3939A
v 52.256.1 (or higher)
HP Color LaserJet Enterprise CP4525
CC493A, CC494A, CC495A
v 07.164.1 (or higher)
HP Color LaserJet Enterprise CP4025
CC489A, CC490A
v 07.164.1 (or higher)
HP LaserJet M5035 Multifunction Printer
Q7829A, Q7830A, Q7831A
v 48.306.1 (or higher)
HP LaserJet M9050 Multifunction Printer
CC395A
v 51.256.1 (or higher)
HP LaserJet M9040 Multifunction Printer
CC394A
v 51.256.1 (or higher)
HP Color LaserJet CM4730 Multifunction Printer
CB480A, CB481A, CB482A, CB483A
v 50.286.1 (or higher)
HP LaserJet M3035 Multifunction Printer
CB414A, CB415A, CC476A, CC477A
v 48.306.1 (or higher)
HP 9250c Digital Sender
CB472A
v 48.293.1 (or higher)
HP LaserJet Enterprise P3015
CE525A,CE526A,CE527A,CE528A,CE595A
v 07.186.1 (or higher)
HP LaserJet M3027 Multifunction Printer
CB416A, CC479A
v 48.306.1 (or higher)
HP LaserJet CM3530 Multifunction Printer
CC519A, CC520A
v 53.236.1 (or higher)
HP Color LaserJet CP6015
Q3931A, Q3932A, Q3933A, Q3934A, Q3935A
v 04.203.1 (or higher)
HP LaserJet P4515
CB514A,CB515A, CB516A, CB517A
v 04.213.1 (or higher)
HP Color LaserJet CM6030 Multifunction Printer
CE664A, CE665A
v 52.256.1 (or higher)
HP LaserJet P4015
CB509A, CB526A, CB511A, CB510A
v 04.213.1 (or higher)
HP LaserJet P4014
CB507A, CB506A, CB512A
v 04.213.1 (or higher)
HISTORY
Version:1 (rev.1) - 22 September 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy |
|
var-200809-0013
|
Network Preferences in Apple Mac OS X 10.4.11 stores PPP passwords in cleartext in a world-readable file, which allows local users to obtain sensitive information by reading this file. Apple Mac OS X Leopard does not accurately reflect which files and directories are available via sharing. A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system.
The security update addresses a total of 17 new vulnerabilities that affect the Apple Type Services, Directory Services, Finder, ImageIO, Kernel, Login Windows, SearchKit, System Configuration, System Preferences, Time Machine, VideoConference, and Wiki Server components of Mac OS X. The advisory also contains security updates for 17 previously reported issues.
----------------------------------------------------------------------
Bist Du interessiert an einem neuen Job in IT-Sicherheit?
Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT-
Sicherheit:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
phpPgAds XML-RPC PHP Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA15884
VERIFY ADVISORY:
http://secunia.com/advisories/15884/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
phpPgAds 2.x
http://secunia.com/product/4577/
DESCRIPTION:
A vulnerability has been reported in phpPgAds, which can be exploited
by malicious people to compromise a vulnerable system.
For more information:
SA15852
SOLUTION:
Update to version 2.0.5.
http://sourceforge.net/project/showfiles.php?group_id=36679
OTHER REFERENCES:
SA15852:
http://secunia.com/advisories/15852/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
|
|
var-201104-0082
|
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script. The ISC dhclient contains a vulnerability that could allow a remote attacker to execute arbitrary code on the client machine. Apple From Apple Time Capsule and AirPort Base Station (802.11n) Firmware update for has been released.Crafted DHCP Any command may be executed by processing the response.
A remote attacker can exploit this issue through a rogue DHCP server.
Additionally for Corporate Server 4 and Enterprise Server 5 ISC DHCP
has been upgraded from the 3.0.7 version to the 4.1.2-P1 version
which brings many enhancements such as better ipv6 support.
Packages for 2009.0 are provided as of the Extended Maintenance
Program.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997
http://ftp.isc.org/isc/dhcp/dhcp-4.1.2-P1-RELNOTES
https://www.isc.org/software/dhcp/advisories/cve-2011-0997
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
0fe2b147ebdba8b68f69ddc27160db5c 2009.0/i586/dhcp-client-4.1.2-0.4mdv2009.0.i586.rpm
f4ee7090da2bec5cb4482f2fa21beb8b 2009.0/i586/dhcp-common-4.1.2-0.4mdv2009.0.i586.rpm
a4a5bd2f2d8f4d40a4c60d5dde55307c 2009.0/i586/dhcp-devel-4.1.2-0.4mdv2009.0.i586.rpm
814bc88e335fb03901f326300ae92961 2009.0/i586/dhcp-doc-4.1.2-0.4mdv2009.0.i586.rpm
ec52571bb8002e9394b1eb6e6fc95b64 2009.0/i586/dhcp-relay-4.1.2-0.4mdv2009.0.i586.rpm
e7fed43b5db92babf8ca3acbd7210b7f 2009.0/i586/dhcp-server-4.1.2-0.4mdv2009.0.i586.rpm
18489ac449e257f1fa9aad9e7a054b45 2009.0/SRPMS/dhcp-4.1.2-0.4mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
b557459f67de2b8ec481d313d9a26cb2 2009.0/x86_64/dhcp-client-4.1.2-0.4mdv2009.0.x86_64.rpm
b4ea7a9670866fff6cd3f4eb77073a84 2009.0/x86_64/dhcp-common-4.1.2-0.4mdv2009.0.x86_64.rpm
4f9a9c9a9815697e17a65b942771e31d 2009.0/x86_64/dhcp-devel-4.1.2-0.4mdv2009.0.x86_64.rpm
df18345c665846817880f815af0ad0e8 2009.0/x86_64/dhcp-doc-4.1.2-0.4mdv2009.0.x86_64.rpm
eac313ff664e3ea9f8e4c3818d7b7387 2009.0/x86_64/dhcp-relay-4.1.2-0.4mdv2009.0.x86_64.rpm
48cca35591072588de0e1b9f00ca88eb 2009.0/x86_64/dhcp-server-4.1.2-0.4mdv2009.0.x86_64.rpm
18489ac449e257f1fa9aad9e7a054b45 2009.0/SRPMS/dhcp-4.1.2-0.4mdv2009.0.src.rpm
Mandriva Linux 2010.0:
88ba2b9d0ccfddf8b1b6f516851d08ce 2010.0/i586/dhcp-client-4.1.2-0.4mdv2010.0.i586.rpm
1475209ee7b9fb9b7f26ad5b20afcdcf 2010.0/i586/dhcp-common-4.1.2-0.4mdv2010.0.i586.rpm
ea29d2bfd21b02a56057cd36dc21f43a 2010.0/i586/dhcp-devel-4.1.2-0.4mdv2010.0.i586.rpm
067c3ac4f7530e447f82bbe4326253a3 2010.0/i586/dhcp-doc-4.1.2-0.4mdv2010.0.i586.rpm
409516cfb0004d5f4522040b81433ce7 2010.0/i586/dhcp-relay-4.1.2-0.4mdv2010.0.i586.rpm
a23871dfa6632571cdf4a2559941ad89 2010.0/i586/dhcp-server-4.1.2-0.4mdv2010.0.i586.rpm
265c9ec68af7e23baf8b1b6fcc4cc64f 2010.0/SRPMS/dhcp-4.1.2-0.4mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
403dfe148141d926bc2f5e31c18360ba 2010.0/x86_64/dhcp-client-4.1.2-0.4mdv2010.0.x86_64.rpm
2cd0331b9935442a68d606e1d58b0608 2010.0/x86_64/dhcp-common-4.1.2-0.4mdv2010.0.x86_64.rpm
80a31ea430793ce9d2269c9d31aa03bd 2010.0/x86_64/dhcp-devel-4.1.2-0.4mdv2010.0.x86_64.rpm
d5053dc644215e70dfc5380afdbc90c4 2010.0/x86_64/dhcp-doc-4.1.2-0.4mdv2010.0.x86_64.rpm
377fe3099561dd0a795617977164b91f 2010.0/x86_64/dhcp-relay-4.1.2-0.4mdv2010.0.x86_64.rpm
57b98ba8696c7a7d20ab96a823f4ff0d 2010.0/x86_64/dhcp-server-4.1.2-0.4mdv2010.0.x86_64.rpm
265c9ec68af7e23baf8b1b6fcc4cc64f 2010.0/SRPMS/dhcp-4.1.2-0.4mdv2010.0.src.rpm
Mandriva Linux 2010.1:
5b603213aa47a9772cf786ae6ee046da 2010.1/i586/dhcp-client-4.1.2-0.4mdv2010.2.i586.rpm
3046be07aaa09d1b39fcc8c07ef25e58 2010.1/i586/dhcp-common-4.1.2-0.4mdv2010.2.i586.rpm
1b5a481f6db0b53e666884cfda6ac44c 2010.1/i586/dhcp-devel-4.1.2-0.4mdv2010.2.i586.rpm
279beab531b59a715c946a00bd58fc48 2010.1/i586/dhcp-doc-4.1.2-0.4mdv2010.2.i586.rpm
a328ab24b56f1ac03f8f420acd0a3806 2010.1/i586/dhcp-relay-4.1.2-0.4mdv2010.2.i586.rpm
f7c61c55748270add2fe45d3245895c8 2010.1/i586/dhcp-server-4.1.2-0.4mdv2010.2.i586.rpm
30d4e8965d393765fb98b425889df126 2010.1/SRPMS/dhcp-4.1.2-0.4mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
27f78c74028b1ea64dbd596c05cfa83f 2010.1/x86_64/dhcp-client-4.1.2-0.4mdv2010.2.x86_64.rpm
ab56614386900415fecba15f4c17db13 2010.1/x86_64/dhcp-common-4.1.2-0.4mdv2010.2.x86_64.rpm
535a2eb4b6a4b1f78f47201e0b4249c3 2010.1/x86_64/dhcp-devel-4.1.2-0.4mdv2010.2.x86_64.rpm
64e9bac6fe8f4dbee3e1aebd5d91e977 2010.1/x86_64/dhcp-doc-4.1.2-0.4mdv2010.2.x86_64.rpm
612892e71f2aeddfd8b55cd7ac220247 2010.1/x86_64/dhcp-relay-4.1.2-0.4mdv2010.2.x86_64.rpm
9bb46bca8de30ee4b99bfe09867a3924 2010.1/x86_64/dhcp-server-4.1.2-0.4mdv2010.2.x86_64.rpm
30d4e8965d393765fb98b425889df126 2010.1/SRPMS/dhcp-4.1.2-0.4mdv2010.2.src.rpm
Corporate 4.0:
f49d86732da26402b022b2d980049c03 corporate/4.0/i586/dhcp-client-4.1.2-0.4.20060mlcs4.i586.rpm
acd985bc51c25cc42325befb357b0dcc corporate/4.0/i586/dhcp-common-4.1.2-0.4.20060mlcs4.i586.rpm
c01506a802e46af23c8f10a72c6a0eb2 corporate/4.0/i586/dhcp-devel-4.1.2-0.4.20060mlcs4.i586.rpm
81522530fa5e97057d6eeea18ad7bec3 corporate/4.0/i586/dhcp-doc-4.1.2-0.4.20060mlcs4.i586.rpm
2ebfdf7ee9224b7403c4ab5e8370d9ab corporate/4.0/i586/dhcp-relay-4.1.2-0.4.20060mlcs4.i586.rpm
c2bbacf8934b9e3dc78cdb49cd811ec9 corporate/4.0/i586/dhcp-server-4.1.2-0.4.20060mlcs4.i586.rpm
ac3031a0c5dfeb6274aa28d669e66cba corporate/4.0/SRPMS/dhcp-4.1.2-0.4.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
2747bf835e111141b9a91dc320eeab43 corporate/4.0/x86_64/dhcp-client-4.1.2-0.4.20060mlcs4.x86_64.rpm
0c998112346a5da94e09d55c996d6dff corporate/4.0/x86_64/dhcp-common-4.1.2-0.4.20060mlcs4.x86_64.rpm
fd38ef505da0c593ef900895abeb1ddc corporate/4.0/x86_64/dhcp-devel-4.1.2-0.4.20060mlcs4.x86_64.rpm
69b3d6cbf21c46828de40a322fd1310d corporate/4.0/x86_64/dhcp-doc-4.1.2-0.4.20060mlcs4.x86_64.rpm
c5acb788ae76e674952d656fa9b0d1a5 corporate/4.0/x86_64/dhcp-relay-4.1.2-0.4.20060mlcs4.x86_64.rpm
e19db50139a291a7acd23491af5f8d54 corporate/4.0/x86_64/dhcp-server-4.1.2-0.4.20060mlcs4.x86_64.rpm
ac3031a0c5dfeb6274aa28d669e66cba corporate/4.0/SRPMS/dhcp-4.1.2-0.4.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
7cbe686b047a6fd6f95cda44669e5862 mes5/i586/dhcp-client-4.1.2-0.4mdvmes5.2.i586.rpm
af8b9fe15591b76c11f2257e0cb43a37 mes5/i586/dhcp-common-4.1.2-0.4mdvmes5.2.i586.rpm
2a22a53e6de1a9333c36c5cc250c5ac4 mes5/i586/dhcp-devel-4.1.2-0.4mdvmes5.2.i586.rpm
9ca551145fc79919000a61419e72de37 mes5/i586/dhcp-doc-4.1.2-0.4mdvmes5.2.i586.rpm
e9faa5fae712882720b107eb02e51f1f mes5/i586/dhcp-relay-4.1.2-0.4mdvmes5.2.i586.rpm
8568f3bac9dd6654b63ebee94c33275e mes5/i586/dhcp-server-4.1.2-0.4mdvmes5.2.i586.rpm
0e5415cf40dde2931cd1b81aada5e7f7 mes5/SRPMS/dhcp-4.1.2-0.4mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
87ae497e9b94fb842718b4fbefb55474 mes5/x86_64/dhcp-client-4.1.2-0.4mdvmes5.2.x86_64.rpm
71d70558972e1f0729513fce69183de2 mes5/x86_64/dhcp-common-4.1.2-0.4mdvmes5.2.x86_64.rpm
0f12150d87816bd1770388d8dc309d21 mes5/x86_64/dhcp-devel-4.1.2-0.4mdvmes5.2.x86_64.rpm
0450f2a86dab4988d1c96a8e9747104f mes5/x86_64/dhcp-doc-4.1.2-0.4mdvmes5.2.x86_64.rpm
6a043f417310b6229e8fb8d967c12a8d mes5/x86_64/dhcp-relay-4.1.2-0.4mdvmes5.2.x86_64.rpm
e4281f48c410412f60fd33f095b9199c mes5/x86_64/dhcp-server-4.1.2-0.4mdvmes5.2.x86_64.rpm
0e5415cf40dde2931cd1b81aada5e7f7 mes5/SRPMS/dhcp-4.1.2-0.4mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNotZnmqjQ0CJFipgRAsarAJ4zitKb2D4e53sOLX4vqvuPs5tLCACffyPE
Y8Ya7GFbhILVKuKTG+Ps+3k=
=EXBX
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201301-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: ISC DHCP: Denial of Service
Date: January 09, 2013
Bugs: #362453, #378799, #393617, #398763, #428120, #434880
ID: 201301-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in ISC DHCP, the worst of
which may allow remote Denial of Service.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/dhcp < 4.2.4_p2 >= 4.2.4_p2
Description
===========
Multiple vulnerabilities have been discovered in ISC DHCP. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ISC DHCP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/dhcp-4.2.4_p2"
References
==========
[ 1 ] CVE-2011-0997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0997
[ 2 ] CVE-2011-2748
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2748
[ 3 ] CVE-2011-2749
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2749
[ 4 ] CVE-2011-4539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4539
[ 5 ] CVE-2011-4868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4868
[ 6 ] CVE-2012-3570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3570
[ 7 ] CVE-2012-3571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3571
[ 8 ] CVE-2012-3954
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3954
[ 9 ] CVE-2012-3955
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3955
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201301-06.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
Release Date: 2012-03-20
Last Updated: 2012-03-20
Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Insight Control Software for Linux (IC-Linux).
References: CVE-2011-3210, CVE-2011-3207, CVE-2011-1097, CVE-2011-0997, CVE-2011-0762, CVE-2010-4645
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control Software for Linux (IC-Linux) before v7.0
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2011-3210 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-3207 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2011-1097 (AV:N/AC:H/Au:N/C:P/I:P/A:P) 5.1
CVE-2011-0997 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-0762 (AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0
CVE-2010-4645 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided HP Insight Control Software for Linux (IC-Linux) v7.0 to resolve the vulnerabilities. IC-Linux v7.0 is available here:
http://h18004.www1.hp.com/products/servers/management/insightcontrol_linux2/index.html
HISTORY
Version:1 (rev.1) - 20 March 2012 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. This issue is addressed by stripping shell meta-characters
in dhclient-script.
It is recommended that AirPort Utility 5.5.3 or later be installed
before upgrading to Firmware version 7.6. ==========================================================================
Ubuntu Security Notice USN-1108-2
April 19, 2011
dhcp3 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10
Summary:
An attacker's DHCP server could send crafted responses to your computer and
cause it to run programs as root. Due to an error, the patch to fix
the vulnerability was not properly applied on Ubuntu 9.10 and higher. This
update fixes the problem.
Original advisory details:
Sebastian Krahmer discovered that the dhclient utility incorrectly filtered
crafted responses.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.10:
dhcp3-client 3.1.3-2ubuntu6.2
Ubuntu 10.04 LTS:
dhcp3-client 3.1.3-2ubuntu3.2
Ubuntu 9.10:
dhcp3-client 3.1.2-1ubuntu7.3
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: dhcp security update
Advisory ID: RHSA-2011:0840-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0840.html
Issue date: 2011-05-31
CVE Names: CVE-2011-0997
=====================================================================
1. Summary:
Updated dhcp packages that fix one security issue are now available for
Red Hat Enterprise Linux 3 Extended Life Cycle Support.
The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (v. 3 ELS) - i386
Red Hat Enterprise Linux ES (v. 3 ELS) - i386
3. Description:
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows
individual devices on an IP network to get their own network configuration
information, including an IP address, a subnet mask, and a broadcast
address. A malicious DHCP server could send such an option
with a specially-crafted value to a DHCP client. If this option's value was
saved on the client system, and then later insecurely evaluated by a
process that assumes the option is trusted, it could lead to arbitrary code
execution with the privileges of that process. (CVE-2011-0997)
Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for
reporting this issue.
All dhclient users should upgrade to these updated packages, which contain
a backported patch to correct this issue.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
689832 - CVE-2011-0997 dhclient: insufficient sanitization of certain DHCP response values
6. Package List:
Red Hat Enterprise Linux AS (v. 3 ELS):
Source:
dhcp-3.0.1-10.3_EL3.src.rpm
i386:
dhclient-3.0.1-10.3_EL3.i386.rpm
dhcp-3.0.1-10.3_EL3.i386.rpm
dhcp-debuginfo-3.0.1-10.3_EL3.i386.rpm
dhcp-devel-3.0.1-10.3_EL3.i386.rpm
Red Hat Enterprise Linux ES (v. 3 ELS):
Source:
dhcp-3.0.1-10.3_EL3.src.rpm
i386:
dhclient-3.0.1-10.3_EL3.i386.rpm
dhcp-3.0.1-10.3_EL3.i386.rpm
dhcp-debuginfo-3.0.1-10.3_EL3.i386.rpm
dhcp-devel-3.0.1-10.3_EL3.i386.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-0997.html
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFN5QSLXlSAg2UNWIIRAsdVAJ9mkD7RcbzsYOkK8JnEQsRSeelYuwCeNmZd
LdK24/RBkJXiFOiY5pI8Eig=
=HTuE
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.3-6ubuntu7.2.diff.gz
Size/MD5: 68426 b4a36d1b44e8276211cef0b9bfbb6ea5
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.3-6ubuntu7.2.dsc
Size/MD5: 1428 2fe76544defdfa3d4ab61d548ea5bc03
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.3.orig.tar.gz
Size/MD5: 870240 f91416a0b8ed3fd0601688cf0b7df58f
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.3-6ubuntu7.2_amd64.deb
Size/MD5: 221524 2cc3c7815cb6e6a2cc21d0c2a6286202
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.3-6ubuntu7.2_amd64.deb
Size/MD5: 454060 4d6e00d001d85359af4777316c012038
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.3-6ubuntu7.2_amd64.deb
Size/MD5: 131252 bf862b9ce2cc9888f9e617f42c0d8f77
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.3-6ubuntu7.2_amd64.deb
Size/MD5: 321024 383390887daadd122e7e66a9896e0432
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-client-udeb_3.0.3-6ubuntu7.2_amd64.udeb
Size/MD5: 177440 04a6bc2b53da66245b8b79b71d8f82ed
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.3-6ubuntu7.2_amd64.deb
Size/MD5: 105842 9616c95d8f2d487fd330fb9b33c58474
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.3-6ubuntu7.2_i386.deb
Size/MD5: 196930 ebaee96958395481e8c9c25a6591c1a3
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.3-6ubuntu7.2_i386.deb
Size/MD5: 431162 6fec8eaee0c753e95193f507e3c2c1eb
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.3-6ubuntu7.2_i386.deb
Size/MD5: 117544 76fd573dc96ade71033c31e9965a1ede
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.3-6ubuntu7.2_i386.deb
Size/MD5: 289684 8d0c386dc142ca3e69766e26fa6ced00
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-client-udeb_3.0.3-6ubuntu7.2_i386.udeb
Size/MD5: 152296 98cdda8ba797a8f3532e2db2c95f5329
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.3-6ubuntu7.2_i386.deb
Size/MD5: 94176 369f369a8fd6b58df3e293a5264c8047
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.3-6ubuntu7.2_powerpc.deb
Size/MD5: 203612 da623d9e1694169cfc1de56f2e0df6e4
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.3-6ubuntu7.2_powerpc.deb
Size/MD5: 435818 a6f18c0a5083885f0f3ad270a52f1ea9
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.3-6ubuntu7.2_powerpc.deb
Size/MD5: 130290 8ed50d04b1c91276b0bdf19b3cda3fcd
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.3-6ubuntu7.2_powerpc.deb
Size/MD5: 297742 95b7742e4fb7c4720add03965ef51b45
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-client-udeb_3.0.3-6ubuntu7.2_powerpc.udeb
Size/MD5: 158466 61e6403a4a5db1783c43fbfe6ad74e8c
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.3-6ubuntu7.2_powerpc.deb
Size/MD5: 96696 a7d275b7895e47d8141fab29a3db415b
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.3-6ubuntu7.2_sparc.deb
Size/MD5: 200826 04fe774f2349b12af88465a96a4443b4
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.3-6ubuntu7.2_sparc.deb
Size/MD5: 434238 c71c8b52f5324385d13e3610e7bef30e
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.3-6ubuntu7.2_sparc.deb
Size/MD5: 126784 ca67a9bd308dfb73bf85906f53e8ae6b
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.3-6ubuntu7.2_sparc.deb
Size/MD5: 294084 628696dfa6a0c9a2713b7fde4390d700
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-client-udeb_3.0.3-6ubuntu7.2_sparc.udeb
Size/MD5: 156068 907d41b490e6155c580b83cec96e3f71
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.3-6ubuntu7.2_sparc.deb
Size/MD5: 96810 d1559518c2fc467cf6244ee8cd29176b
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.6.dfsg-1ubuntu9.2.diff.gz
Size/MD5: 97783 a2e0e7077df662a15c039c462ecd8e3d
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.6.dfsg-1ubuntu9.2.dsc
Size/MD5: 1537 ccf77a9747dc8cbc6b65e0d94ab9c43b
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.6.dfsg.orig.tar.gz
Size/MD5: 724045 e89ef34005c576ddbb229e3b4478f6e2
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_amd64.udeb
Size/MD5: 180140 9b8c326a22be742b43e2b8d9b07d4f86
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_amd64.deb
Size/MD5: 242126 8053c2330e512d48f0318af10079c50a
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_amd64.deb
Size/MD5: 300696 15bbfae5ba97f27d0c896b886773f02b
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_amd64.deb
Size/MD5: 124032 82fe33e521c7ee08b7a00596acc8cb8d
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_amd64.deb
Size/MD5: 342596 40acd4d59e72be79a5c930254bee0223
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_amd64.deb
Size/MD5: 114396 5e5c7a86cec5ef70f927cbf53fffec4d
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_i386.udeb
Size/MD5: 159988 7c2cd082adad4cdae500b88b9429ea24
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_i386.deb
Size/MD5: 221966 92748d084525779ad31fe09ae76ca8d5
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_i386.deb
Size/MD5: 281564 0e64a350c9599b473f42949dbaa44533
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_i386.deb
Size/MD5: 109818 5ef8d14534865cdf0b63699e54ab684a
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_i386.deb
Size/MD5: 318748 205746468ea8d58f1babe96c28f46983
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_i386.deb
Size/MD5: 103376 15e19ab3867304e29f59f3e97170f145
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_lpia.udeb
Size/MD5: 158248 1ce010480a0ea9a1a8683995ab5c9b68
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_lpia.deb
Size/MD5: 220236 d0c1551dde51da5503fe3be6288a23bb
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_lpia.deb
Size/MD5: 279790 cf35fa8aaca649fd85366e684628a580
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_lpia.deb
Size/MD5: 109062 d1ff75192f05906028ac9001483529da
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_lpia.deb
Size/MD5: 316576 6f95deb3879a7c38c0f9cd1ba1ff0228
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_lpia.deb
Size/MD5: 102310 d4b1c32f8c1d1a6383fc09580e46ec79
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_powerpc.udeb
Size/MD5: 177278 29a10d5d08bc3797b67770a4028758ff
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_powerpc.deb
Size/MD5: 242046 27324a8f5623a94ff813148a5267fb4b
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_powerpc.deb
Size/MD5: 296498 4b8af066dc6c2481e4ff360800c04e74
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_powerpc.deb
Size/MD5: 122548 9ad8db4fbd23f1760d1bc123b01f014b
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_powerpc.deb
Size/MD5: 341860 28075deaecbdc1d77166dcb1623a8c85
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_powerpc.deb
Size/MD5: 112934 766413326d6486146da4aec03a2654bc
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_sparc.udeb
Size/MD5: 156574 742d54969d6dd68e7ac86ca00e1b1832
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_sparc.deb
Size/MD5: 218754 60013fe472200e1bf45d9b02d80a244e
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_sparc.deb
Size/MD5: 277066 bf1034124c51ddacf732c2887957a46e
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_sparc.deb
Size/MD5: 113494 b50639e27d92c0ababba9fab23242d7d
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_sparc.deb
Size/MD5: 313426 b93d5ec9d7ea9717a79d6bf2bb80a285
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_sparc.deb
Size/MD5: 102930 df99654fbd9e6f5aba7f962adb9d6470
Updated packages for Ubuntu 9.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.2-1ubuntu7.2.diff.gz
Size/MD5: 141611 0cab5bee752928f3c9f0c8e1ded26167
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.2-1ubuntu7.2.dsc
Size/MD5: 1955 a26905456538cd0d30e924e488302fc4
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.2.orig.tar.gz
Size/MD5: 799626 85901a9554650030df7d1ef3e5959fdf
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp-client_3.1.2-1ubuntu7.2_all.deb
Size/MD5: 26206 905e286082551fcbc23916052de7e2fa
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_amd64.udeb
Size/MD5: 208604 5bb8643607d5f416205174f97d443e8e
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_amd64.deb
Size/MD5: 270930 fa0267775f2471f0be30499bf121b6e7
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_amd64.deb
Size/MD5: 332152 ee101e67b7ad97bd410e983da115484d
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_amd64.deb
Size/MD5: 127130 0d4b4a1dc992d56f8c01d94990290910
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_amd64.deb
Size/MD5: 395062 a5ab658903283a97dd658e5cdfe6a45e
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_amd64.deb
Size/MD5: 125444 6f12bfb86b46567aa8e2ecba8af1852e
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_amd64.deb
Size/MD5: 348242 8fe33e4a7afac6d5a952d0c158d7ed45
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_i386.udeb
Size/MD5: 191210 64285abd7e68c517eefcf3ff5eecb909
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_i386.deb
Size/MD5: 252916 749769cec2a5d0cdfe5ddb67e6864270
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_i386.deb
Size/MD5: 315850 e0deb4932a763831adc3e73cf0f068fa
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_i386.deb
Size/MD5: 116650 434d9e26a1b3b5a4b5fd94bea2c581b4
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_i386.deb
Size/MD5: 372288 481d9d80e948895969b72be4b825fbb8
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_i386.deb
Size/MD5: 116424 49010850bef64719353588c5d88e6714
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_i386.deb
Size/MD5: 326174 7f328cba4c811d5d56582328f1ad6b1d
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_armel.udeb
Size/MD5: 174400 4ed674aa3f13c4c4012def78b6cfd62f
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_armel.deb
Size/MD5: 236228 c14a8f75dc70e363afb2e39b9b6c9b68
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_armel.deb
Size/MD5: 300026 8183f7371713d8ddc8bd2b8f8d979794
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_armel.deb
Size/MD5: 112806 41dcceea5abd7feac4f1f7465b3892b7
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_armel.deb
Size/MD5: 349366 ea2f47d49b065c252caeb33d9d273363
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_armel.deb
Size/MD5: 108672 f277fadf0e50c5325b20f8001f30108a
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_armel.deb
Size/MD5: 301210 76887fde4612e80131c94a00b328a874
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_lpia.udeb
Size/MD5: 187330 e70af0ba0633b7a10c666f2f2e30b017
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_lpia.deb
Size/MD5: 249154 bde848f0444ac204f0781d848771b2e7
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_lpia.deb
Size/MD5: 312056 e131e50d9159fb5a7cf92bd7532c6d5b
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_lpia.deb
Size/MD5: 115610 6bf9bc6ccc3986f7bda77f6e0929bd2b
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_lpia.deb
Size/MD5: 368276 a5d4ce07f31b702817fb3d3961fd8a7b
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_lpia.deb
Size/MD5: 114588 d030b6a51bf6eb1b682c88fcfc92cdda
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_lpia.deb
Size/MD5: 321710 5c51aac0b4ea78167072cce854d63f47
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_powerpc.udeb
Size/MD5: 199998 aff548b71963695089f418a502bc5e01
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_powerpc.deb
Size/MD5: 262344 a4799a7b4c6d6d91120ef36537485080
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_powerpc.deb
Size/MD5: 324014 c6be94d8dda2d47ea08c3f1277160eda
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_powerpc.deb
Size/MD5: 120394 4b35e8aa5a363a659daa6232a0a76501
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_powerpc.deb
Size/MD5: 382434 9c71333d4f8ccc12d14996fa42ba60b7
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_powerpc.deb
Size/MD5: 120310 32c5affaeb955349a26cae2bd9c92236
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_powerpc.deb
Size/MD5: 335902 5460f8f32a30489940cf69855983ed3c
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_sparc.udeb
Size/MD5: 203458 038c030a32c3d74e3d20cb4f8eaf5336
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_sparc.deb
Size/MD5: 265862 67e06c4f7f5352a3248060245f41837c
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_sparc.deb
Size/MD5: 324634 873eeaf81f86f69e1de8f2c9c2335fda
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_sparc.deb
Size/MD5: 116874 4583b6c0cd5cf6abf8fc81ae1c5656a2
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_sparc.deb
Size/MD5: 387388 d31379a7fe21d36761ce6d6e01d51ba7
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_sparc.deb
Size/MD5: 121616 62ed8721ad7cfe9f45448c321be12340
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_sparc.deb
Size/MD5: 341160 9e72b31fccc6ca7d33fcf814f7cca8be
Updated packages for Ubuntu 10.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3-2ubuntu3.1.diff.gz
Size/MD5: 145049 762c8d99c1e8e1245830ff0cfc9c22cf
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3-2ubuntu3.1.dsc
Size/MD5: 1950 6fc0ed0a5f2f2897b25cb127fdf599bb
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3.orig.tar.gz
Size/MD5: 804097 6ee8af8b283c95b3b4db5e88b6dd9a26
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp-client_3.1.3-2ubuntu3.1_all.deb
Size/MD5: 27294 5873371bf57e765fd69a49ab238f7f5f
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_amd64.udeb
Size/MD5: 208924 47388e6df5a8a88758f893f0157f7a49
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_amd64.deb
Size/MD5: 273438 3e968127e7212b682e23422ccd498a51
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_amd64.deb
Size/MD5: 335524 c2231ce6ce81fa1a61f33b50879ea8e7
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_amd64.deb
Size/MD5: 127748 31baa39d20b53e7200b146bb5e1dbc7a
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_amd64.deb
Size/MD5: 396594 05f2652d1223dbbf59bcfdb86503ec81
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_amd64.deb
Size/MD5: 126830 2017ee773f9e4c4136e6604003978a72
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_amd64.deb
Size/MD5: 349758 3a07e9f0c5b36e05024e98f2e01e7a36
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_i386.udeb
Size/MD5: 191468 7efe2e4b59392afda8ef1c8d69aa04cd
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_i386.deb
Size/MD5: 256600 1b24883c7ee056fcbcda20cc1d82673e
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_i386.deb
Size/MD5: 318512 8ad3080333f5d86ad40548de9cfced43
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_i386.deb
Size/MD5: 118816 c679db32ae992ca9f6fc5473e81df94a
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_i386.deb
Size/MD5: 376744 e3b708777fcd15c84240e43bf08b5d7e
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_i386.deb
Size/MD5: 117698 b0dfb728d6d9f69c9af3910744b1fbb8
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_i386.deb
Size/MD5: 328168 617edc965494055443d2c43326c411d7
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_armel.udeb
Size/MD5: 180926 3969ae580d52c38b45d63ac388cbbe4d
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_armel.deb
Size/MD5: 246116 4956ee0ca5be72ee8ece1cd89ccf5082
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_armel.deb
Size/MD5: 309348 c8567f86659a5670b6c7167a106bf71a
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_armel.deb
Size/MD5: 115350 023f49615f6ca0a8f2367e816921fa8d
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_armel.deb
Size/MD5: 361242 b8e92e0d7ee35dccf62349627513b3d5
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_armel.deb
Size/MD5: 113136 ecc1eca1107bf3d2a85145c87800f0a9
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_armel.deb
Size/MD5: 314078 a09784b9e5545593b771e8db596b70ad
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_powerpc.udeb
Size/MD5: 200432 0db5e288252f7cec9511aeedd6328a87
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_powerpc.deb
Size/MD5: 265410 78eb3d25b509d5d3669a33bf8603b0df
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_powerpc.deb
Size/MD5: 327180 9d47f9f6bd35ebd5e53e68ff8cf27473
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_powerpc.deb
Size/MD5: 121552 7d955d50534795154e471aea30341fe1
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_powerpc.deb
Size/MD5: 385370 dd7f5ffd85a725a8cb4f8fe6a067d0bb
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_powerpc.deb
Size/MD5: 121446 0ccdd1ca74fcd96be84596ce324f967e
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_powerpc.deb
Size/MD5: 337410 54549752057dc73a3e35a158b871ea36
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_sparc.udeb
Size/MD5: 212712 be3c531c2fffd6ad83501e44015a3532
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_sparc.deb
Size/MD5: 277974 5a9ee5790cc705c845cd085c71d001b5
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_sparc.deb
Size/MD5: 335174 22b404e90f206772c786f968392ecef1
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_sparc.deb
Size/MD5: 121764 97643d01dd5dd3eb06859cb881312e6d
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_sparc.deb
Size/MD5: 402564 889e3a0882bebb5b4ceb4df3c805d883
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_sparc.deb
Size/MD5: 126888 546ab5281e2ba4672471a30fce814e36
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_sparc.deb
Size/MD5: 353712 64fcbf89ca8fd7af9aa2a9bd66739170
Updated packages for Ubuntu 10.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3-2ubuntu6.1.diff.gz
Size/MD5: 151417 604106743c8429a59b9b8af55de854f7
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3-2ubuntu6.1.dsc
Size/MD5: 1962 792f947b2a6c3020c45ca1b56771c77e
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3.orig.tar.gz
Size/MD5: 804097 6ee8af8b283c95b3b4db5e88b6dd9a26
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp-client_3.1.3-2ubuntu6.1_all.deb
Size/MD5: 27778 319b0ce429e455b13a2248cc2cbe3491
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu6.1_amd64.udeb
Size/MD5: 208588 f4d4d2a63016b2b9960654be7c04b9c5
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu6.1_amd64.deb
Size/MD5: 274192 4005626ae7c8ed06bf15a1e014968ebd
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu6.1_amd64.deb
Size/MD5: 335392 3f745248ea2b2c54e1771f1789cd13dc
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu6.1_amd64.deb
Size/MD5: 128922 dc2dd29ead86d887a22da63f27ae9692
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu6.1_amd64.deb
Size/MD5: 398270 ffd780e99cb19cc3884703ec930a68cb
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu6.1_amd64.deb
Size/MD5: 126752 a4d3f03e0855ce6ef4cf6a75f33198d1
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu6.1_amd64.deb
Size/MD5: 349942 430e5e501488da92c3b4e2f2a685912a
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu6.1_i386.udeb
Size/MD5: 190312 23ced3137d0e056d9ce13dd41e656af3
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu6.1_i386.deb
Size/MD5: 255768 07cfc1c5db7b6d8585e9a00513699049
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu6.1_i386.deb
Size/MD5: 317854 f9a58ae40c5f2645e17e2a9349f07edf
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu6.1_i386.deb
Size/MD5: 119094 9af94d26ecd3ce03c9d059ab8db5ff46
http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu6.1_i386.deb
Size/MD5: 376052 2dd5ab42f28d13baab1d332c92fcdbcf
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu6.1_i386.deb
Size/MD5: 117472 9638997daef5f353621a3adea0f054d5
http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu6.1_i386.deb
Size/MD5: 327368 93d8a202391be7d55484901a7fa00f09
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu6.1_armel.udeb
Size/MD5: 191162 ea1961dc40672d12302dcb3e0ae62c44
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu6.1_armel.deb
Size/MD5: 256344 fd6d84d8ca333a1e0cc0efc4c26df7cb
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu6.1_armel.deb
Size/MD5: 319110 4ed5fb07ce8a4997c1132f96e4c29e39
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu6.1_armel.deb
Size/MD5: 118586 ade0a8cfa1217ae39ff58bea47e4faa0
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu6.1_armel.deb
Size/MD5: 377976 7f26e7b4442f8b17b8178fc7b44e6720
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu6.1_armel.deb
Size/MD5: 118802 ee96894319dbf620dbf981a2493cefa0
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu6.1_armel.deb
Size/MD5: 328204 3a65c3fb55385716b19bbb6fce72ab07
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu6.1_powerpc.udeb
Size/MD5: 199526 1a984e2503c1a015134cf94e273b768a
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu6.1_powerpc.deb
Size/MD5: 264952 7a2139af6f6681dae88cd826c04ce61e
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu6.1_powerpc.deb
Size/MD5: 326646 8a1aaf899283814de8b8bcca6125576d
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu6.1_powerpc.deb
Size/MD5: 121952 90719742a1e133ae5edb9c5d6e72ad06
http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu6.1_powerpc.deb
Size/MD5: 384922 1cb9a8d40d9405b061b28cd2236d3acd
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu6.1_powerpc.deb
Size/MD5: 121542 81b420f37a81e5a05e5aadeaf1cb47c3
http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu6.1_powerpc.deb
Size/MD5: 336918 26cba2f6096556526ce2a64556f571e5
|
|
var-201804-1179
|
An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of RenderObject objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems. WebKit is one of the web browser engine components. A security vulnerability exists in the WebKit component of several Apple products. The following products and versions are affected: Apple iOS prior to 11.3; Safari prior to 11.1; Windows-based iCloud prior to 7.4; Windows-based iTunes prior to 12.7.4; tvOS prior to 11.3. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201808-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: WebkitGTK+: Multiple vulnerabilities
Date: August 22, 2018
Bugs: #652820, #658168, #662974
ID: 201808-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in WebKitGTK+, the worst of
which may lead to arbitrary code execution.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from
hybrid HTML/CSS applications to full-fledged web browsers.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.20.4 >= 2.20.4
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebkitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.20.4"
References
==========
[ 1 ] CVE-2018-11646
https://nvd.nist.gov/vuln/detail/CVE-2018-11646
[ 2 ] CVE-2018-11712
https://nvd.nist.gov/vuln/detail/CVE-2018-11712
[ 3 ] CVE-2018-11713
https://nvd.nist.gov/vuln/detail/CVE-2018-11713
[ 4 ] CVE-2018-12293
https://nvd.nist.gov/vuln/detail/CVE-2018-12293
[ 5 ] CVE-2018-12294
https://nvd.nist.gov/vuln/detail/CVE-2018-12294
[ 6 ] CVE-2018-4101
https://nvd.nist.gov/vuln/detail/CVE-2018-4101
[ 7 ] CVE-2018-4113
https://nvd.nist.gov/vuln/detail/CVE-2018-4113
[ 8 ] CVE-2018-4114
https://nvd.nist.gov/vuln/detail/CVE-2018-4114
[ 9 ] CVE-2018-4117
https://nvd.nist.gov/vuln/detail/CVE-2018-4117
[ 10 ] CVE-2018-4118
https://nvd.nist.gov/vuln/detail/CVE-2018-4118
[ 11 ] CVE-2018-4119
https://nvd.nist.gov/vuln/detail/CVE-2018-4119
[ 12 ] CVE-2018-4120
https://nvd.nist.gov/vuln/detail/CVE-2018-4120
[ 13 ] CVE-2018-4121
https://nvd.nist.gov/vuln/detail/CVE-2018-4121
[ 14 ] CVE-2018-4122
https://nvd.nist.gov/vuln/detail/CVE-2018-4122
[ 15 ] CVE-2018-4125
https://nvd.nist.gov/vuln/detail/CVE-2018-4125
[ 16 ] CVE-2018-4127
https://nvd.nist.gov/vuln/detail/CVE-2018-4127
[ 17 ] CVE-2018-4128
https://nvd.nist.gov/vuln/detail/CVE-2018-4128
[ 18 ] CVE-2018-4129
https://nvd.nist.gov/vuln/detail/CVE-2018-4129
[ 19 ] CVE-2018-4133
https://nvd.nist.gov/vuln/detail/CVE-2018-4133
[ 20 ] CVE-2018-4146
https://nvd.nist.gov/vuln/detail/CVE-2018-4146
[ 21 ] CVE-2018-4162
https://nvd.nist.gov/vuln/detail/CVE-2018-4162
[ 22 ] CVE-2018-4163
https://nvd.nist.gov/vuln/detail/CVE-2018-4163
[ 23 ] CVE-2018-4165
https://nvd.nist.gov/vuln/detail/CVE-2018-4165
[ 24 ] CVE-2018-4190
https://nvd.nist.gov/vuln/detail/CVE-2018-4190
[ 25 ] CVE-2018-4192
https://nvd.nist.gov/vuln/detail/CVE-2018-4192
[ 26 ] CVE-2018-4199
https://nvd.nist.gov/vuln/detail/CVE-2018-4199
[ 27 ] CVE-2018-4200
https://nvd.nist.gov/vuln/detail/CVE-2018-4200
[ 28 ] CVE-2018-4201
https://nvd.nist.gov/vuln/detail/CVE-2018-4201
[ 29 ] CVE-2018-4204
https://nvd.nist.gov/vuln/detail/CVE-2018-4204
[ 30 ] CVE-2018-4214
https://nvd.nist.gov/vuln/detail/CVE-2018-4214
[ 31 ] CVE-2018-4218
https://nvd.nist.gov/vuln/detail/CVE-2018-4218
[ 32 ] CVE-2018-4222
https://nvd.nist.gov/vuln/detail/CVE-2018-4222
[ 33 ] CVE-2018-4232
https://nvd.nist.gov/vuln/detail/CVE-2018-4232
[ 34 ] CVE-2018-4233
https://nvd.nist.gov/vuln/detail/CVE-2018-4233
[ 35 ] CVE-2018-4261
https://nvd.nist.gov/vuln/detail/CVE-2018-4261
[ 36 ] CVE-2018-4262
https://nvd.nist.gov/vuln/detail/CVE-2018-4262
[ 37 ] CVE-2018-4263
https://nvd.nist.gov/vuln/detail/CVE-2018-4263
[ 38 ] CVE-2018-4264
https://nvd.nist.gov/vuln/detail/CVE-2018-4264
[ 39 ] CVE-2018-4265
https://nvd.nist.gov/vuln/detail/CVE-2018-4265
[ 40 ] CVE-2018-4266
https://nvd.nist.gov/vuln/detail/CVE-2018-4266
[ 41 ] CVE-2018-4267
https://nvd.nist.gov/vuln/detail/CVE-2018-4267
[ 42 ] CVE-2018-4270
https://nvd.nist.gov/vuln/detail/CVE-2018-4270
[ 43 ] CVE-2018-4272
https://nvd.nist.gov/vuln/detail/CVE-2018-4272
[ 44 ] CVE-2018-4273
https://nvd.nist.gov/vuln/detail/CVE-2018-4273
[ 45 ] CVE-2018-4278
https://nvd.nist.gov/vuln/detail/CVE-2018-4278
[ 46 ] CVE-2018-4284
https://nvd.nist.gov/vuln/detail/CVE-2018-4284
[ 47 ] WebKitGTK+ Security Advisory WSA-2018-0003
https://webkitgtk.org/security/WSA-2018-0003.html
[ 48 ] WebKitGTK+ Security Advisory WSA-2018-0004
https://webkitgtk.org/security/WSA-2018-0004.html
[ 49 ] WebKitGTK+ Security Advisory WSA-2018-0005
https://webkitgtk.org/security/WSA-2018-0005.html
[ 50 ] WebKitGTK+ Security Advisory WSA-2018-0006
https://webkitgtk.org/security/WSA-2018-0006.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201808-04
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2018-0003
------------------------------------------------------------------------
Date reported : April 04, 2018
Advisory ID : WSA-2018-0003
Advisory URL : https://webkitgtk.org/security/WSA-2018-0003.html
CVE identifiers : CVE-2018-4101, CVE-2018-4113, CVE-2018-4114,
CVE-2018-4117, CVE-2018-4118, CVE-2018-4119,
CVE-2018-4120, CVE-2018-4122, CVE-2018-4125,
CVE-2018-4127, CVE-2018-4128, CVE-2018-4129,
CVE-2018-4133, CVE-2018-4146, CVE-2018-4161,
CVE-2018-4162, CVE-2018-4163, CVE-2018-4165.
Several vulnerabilities were discovered in WebKitGTK+.
Credit to Yuan Deng of Ant-financial Light-Year Security Lab. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to OSS-Fuzz.
Impact: Unexpected interaction with indexing types causing an ASSERT
failure. Description: An array indexing issue existed in the
handling of a function in JavaScriptCore. This issue was addressed
through improved checks.
Credit to OSS-Fuzz. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to an anonymous researcher.
Impact: A malicious website may exfiltrate data cross-origin.
Description: A cross-origin issue existed with the fetch API. This
was addressed through improved input validation.
Credit to Jun Kokatsu (@shhnjk). Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to an anonymous researcher working with Trend Microys Zero
Day Initiative. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to an anonymous researcher working with Trend Microys Zero
Day Initiative. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to Zach Markley. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to likemeng of Baidu Security Lab working with Trend Micro's
Zero Day Initiative. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to Anton Lopanitsyn of Wallarm, Linus Sarud of Detectify
(detectify.com), Yuji Tounai of NTT Communications Corporation.
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack. This issue was addressed with improved URL
validation.
Credit to OSS-Fuzz.
Impact: Processing maliciously crafted web content may lead to a
denial of service. Description: A memory corruption issue was
addressed through improved input validation.
Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Description: Multiple memory corruption
issues were addressed with improved memory handling.
Credit to Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team. Description: Multiple memory corruption
issues were addressed with improved memory handling.
We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.
Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html
The WebKitGTK+ team,
April 04, 2018
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2018-3-29-1 iOS 11.3
iOS 11.3 is now available and addresses the following:
Clock
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to an iOS device may be able to
see the email address used for iTunes
Description: An information disclosure issue existed in the handling
of alarms and timers.
CVE-2018-4123: Zaheen Hafzar M M (@zaheenhafzer)
CoreFoundation
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4155: Samuel GroA (@5aelo)
CVE-2018-4158: Samuel GroA (@5aelo)
CoreText
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2018-4142: Robin Leroy of Google Switzerland GmbH
File System Events
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4167: Samuel GroA (@5aelo)
Files Widget
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: File Widget may display contents on a locked device
Description: The File Widget was displaying cached data when in the
locked state.
CVE-2018-4168: Brandon Moore
Find My iPhone
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description: A state management issue existed when restoring from a
back up.
CVE-2018-4172: Viljami VastamA$?ki
iCloud Drive
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4151: Samuel GroA (@5aelo)
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4150: an anonymous researcher
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4104: The UK's National Cyber Security Centre (NCSC)
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4143: derrek (@derrekr6)
Mail
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged network position may be able to
intercept the contents of S/MIME-encrypted e-mail
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2018-4174: an anonymous researcher, an anonymous researcher
NSURLSession
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4166: Samuel GroA (@5aelo)
PluginKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4156: Samuel GroA (@5aelo)
Quick Look
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4157: Samuel GroA (@5aelo)
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2018-4134: xisigr of Tencent's Xuanwu Lab (tencent.com), Zhiyang
Zeng (@Wester) of Tencent Security Platform Department
Safari Login AutoFill
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious website may be able to exfiltrate autofilled data
in Safari without explicit user interaction.
Description: Safari autofill did not require explicit user
interaction before taking place.
CVE-2018-4137:
SafariViewController
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: A state management issue was addressed by disabling text
input until the destination page loads.
CVE-2018-4149: Abhinash Jain (@abhinashjain)
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2018-4144: Abraham Masri (@cheesecakeufo)
Storage
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4154: Samuel GroA (@5aelo)
System Preferences
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A configuration profile may incorrectly remain in effect
after removal
Description: An issue existed in CFPreferences.
CVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of
Wandera
Telephony
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A remote attacker can cause a device to unexpectedly restart
Description: A null pointer dereference issue existed when handling
Class 0 SMS messages.
CVE-2018-4140: @mjonsson, Arjan van der Oest of Voiceworks BV
Web App
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Cookies may unexpectedly persist in web app
Description: A cookie management issue was addressed through improved
state management.
CVE-2018-4110: Ben Compton and Jason Colley of Cerner Corporation
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4146: found by OSS-Fuzz
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with the fetch API.
CVE-2018-4117: an anonymous researcher, an anonymous researcher
WindowServer
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An unprivileged application may be able to log keystrokes
entered into other applications even when secure input mode is
enabled
Description: By scanning key states, an unprivileged application
could log keystrokes entered into other applications even when secure
input mode was enabled.
CVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH
Additional recognition
WebKit
We would like to acknowledge Johnny Nipper of Tinder Security Team
for their assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQJdBAEBCgBHFiEEcuX4rtoRe4X62yWlg6PvjDRstEYFAlq9GlopHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQg6PvjDRstEbhLRAA
to9k0U/CI3PfYp2o2lluS7LgE3jvA7+pXvdjbvoh14BFHf9Wv+yhdtyLQEDSne+0
TM8BkiMgEmo+uKKcVFCDeV9GrkWqO7ocBfT65hj4A/vxPAS6xlBTV9mjZXiqvSWs
+Cbb4Nd53o6m2QRORkjNVZ2h0ow53J5RirnyzjWt4LMdCpc4jMG87OCuQheKzjxq
g6gOlwblVrRxH6aMX5if/SetGGxzZeY5sKwe1Xhz6yIYsm1Gw45REt3FJs4KEh5Z
oL+yWVvaGLOPDzC+DBX0dXJmsqLx9wzDJsqQ2J6Mb/nh1Tgh6NDdHkDCAZ7P6CeU
0IpXK7aaPkRy5GUbkAdzdPEFql9e0/jGlqMf/rZlNTItbgtn0+9e2zsJ0UPPRcWi
+7IQygkXnXmYUZ0wrh/Wdye/jAJZpLdsUuWr1RalTdmDASU/tzgpoglf3EyTQoRy
IqFGRSe6+no8Pw1qCLUvZz8C6dTKvE+Jv5oe9XbCEjsvpRmQZK64FiQ0HIaAMHKo
Rl9OY6+evzyqdAtivE4AFCRT7Z15pktFYAVefWkdVFbVU2mCYF+peXIq6tGg4o+g
70E29XaDZBakcVho9bW4e2rDA+m606ILuZ4AyjEEvfRYH+d+WTvDqdIywq0V7grj
qlU787sRw/tVx646jcHVqbYZEgZVmeAvcT8C2c0Zhvo=
=RJi8
-----END PGP SIGNATURE-----
. ==========================================================================
Ubuntu Security Notice USN-3635-1
April 30, 2018
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
libjavascriptcoregtk-4.0-18 2.20.1-0ubuntu0.17.10.1
libwebkit2gtk-4.0-37 2.20.1-0ubuntu0.17.10.1
Ubuntu 16.04 LTS:
libjavascriptcoregtk-4.0-18 2.20.1-0ubuntu0.16.04.1
libwebkit2gtk-4.0-37 2.20.1-0ubuntu0.16.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3635-1
CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4117,
CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4122,
CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129,
CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162,
CVE-2018-4163, CVE-2018-4165
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.20.1-0ubuntu0.17.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.20.1-0ubuntu0.16.04.1
|
|
var-201110-0388
|
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI, a different vulnerability than CVE-2011-3556. Oracle Java SE is prone to a remote vulnerability in Java Runtime Environment.
The vulnerability can be exploited over multiple protocols. This issue affects the 'RMI' sub-component.
This vulnerability affects the following supported versions:
JDK and JRE 7, 6 Update 27, 5.0 Update 31, 1.4.2_33, JRockit R28.1.4. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: November 05, 2011
Bugs: #340421, #354213, #370559, #387851
ID: 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jre-bin < 1.6.0.29 >= 1.6.0.29 *
2 app-emulation/emul-linux-x86-java
< 1.6.0.29 >= 1.6.0.29 *
3 dev-java/sun-jdk < 1.6.0.29 >= 1.6.0.29 *
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
-------------------------------------------------------------------
3 affected packages
-------------------------------------------------------------------
Description
===========
Multiple vulnerabilities have been reported in the Oracle Java
implementation.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.29"
All Oracle JRE 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.29"
All users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to
the latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.6.0.29"
NOTE: As Oracle has revoked the DLJ license for its Java
implementation, the packages can no longer be updated automatically.
This limitation is not present on a non-fetch restricted implementation
such as dev-java/icedtea-bin.
References
==========
[ 1 ] CVE-2010-3541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3541
[ 2 ] CVE-2010-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3548
[ 3 ] CVE-2010-3549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3549
[ 4 ] CVE-2010-3550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3550
[ 5 ] CVE-2010-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3551
[ 6 ] CVE-2010-3552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3552
[ 7 ] CVE-2010-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3553
[ 8 ] CVE-2010-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3554
[ 9 ] CVE-2010-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3555
[ 10 ] CVE-2010-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3556
[ 11 ] CVE-2010-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3557
[ 12 ] CVE-2010-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3558
[ 13 ] CVE-2010-3559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3559
[ 14 ] CVE-2010-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3560
[ 15 ] CVE-2010-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3561
[ 16 ] CVE-2010-3562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3562
[ 17 ] CVE-2010-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3563
[ 18 ] CVE-2010-3565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3565
[ 19 ] CVE-2010-3566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3566
[ 20 ] CVE-2010-3567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3567
[ 21 ] CVE-2010-3568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3568
[ 22 ] CVE-2010-3569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3569
[ 23 ] CVE-2010-3570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3570
[ 24 ] CVE-2010-3571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3571
[ 25 ] CVE-2010-3572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3572
[ 26 ] CVE-2010-3573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3573
[ 27 ] CVE-2010-3574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3574
[ 28 ] CVE-2010-4422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4422
[ 29 ] CVE-2010-4447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4447
[ 30 ] CVE-2010-4448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448
[ 31 ] CVE-2010-4450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450
[ 32 ] CVE-2010-4451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4451
[ 33 ] CVE-2010-4452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4452
[ 34 ] CVE-2010-4454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4454
[ 35 ] CVE-2010-4462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4462
[ 36 ] CVE-2010-4463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4463
[ 37 ] CVE-2010-4465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465
[ 38 ] CVE-2010-4466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4466
[ 39 ] CVE-2010-4467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467
[ 40 ] CVE-2010-4468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4468
[ 41 ] CVE-2010-4469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469
[ 42 ] CVE-2010-4470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470
[ 43 ] CVE-2010-4471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471
[ 44 ] CVE-2010-4472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472
[ 45 ] CVE-2010-4473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4473
[ 46 ] CVE-2010-4474
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4474
[ 47 ] CVE-2010-4475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4475
[ 48 ] CVE-2010-4476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476
[ 49 ] CVE-2011-0802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0802
[ 50 ] CVE-2011-0814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0814
[ 51 ] CVE-2011-0815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815
[ 52 ] CVE-2011-0862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862
[ 53 ] CVE-2011-0863
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0863
[ 54 ] CVE-2011-0864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864
[ 55 ] CVE-2011-0865
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865
[ 56 ] CVE-2011-0867
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0867
[ 57 ] CVE-2011-0868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868
[ 58 ] CVE-2011-0869
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869
[ 59 ] CVE-2011-0871
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871
[ 60 ] CVE-2011-0872
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872
[ 61 ] CVE-2011-0873
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0873
[ 62 ] CVE-2011-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 63 ] CVE-2011-3516
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3516
[ 64 ] CVE-2011-3521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521
[ 65 ] CVE-2011-3544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544
[ 66 ] CVE-2011-3545
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3545
[ 67 ] CVE-2011-3546
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3546
[ 68 ] CVE-2011-3547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547
[ 69 ] CVE-2011-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548
[ 70 ] CVE-2011-3549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3549
[ 71 ] CVE-2011-3550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3550
[ 72 ] CVE-2011-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551
[ 73 ] CVE-2011-3552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552
[ 74 ] CVE-2011-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553
[ 75 ] CVE-2011-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554
[ 76 ] CVE-2011-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3555
[ 77 ] CVE-2011-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556
[ 78 ] CVE-2011-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557
[ 79 ] CVE-2011-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558
[ 80 ] CVE-2011-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560
[ 81 ] CVE-2011-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3561
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201111-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Hitachi Cosminexus Products Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46694
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46694/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46694
RELEASE DATE:
2011-11-08
DISCUSS ADVISORY:
http://secunia.com/advisories/46694/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46694/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46694
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Hitachi has acknowledged multiple vulnerabilities in Hitachi
Cosminexus products, which can be exploited by malicious users to
disclose certain information and by malicious people to disclose
potentially sensitive information, hijack a user's session, conduct
DNS cache poisoning attacks, manipulate certain data, cause a DoS
(Denial of Service), and compromise a vulnerable system.
The vulnerabilities are caused due to vulnerabilities in the bundled
version of Cosminexus Developer's Kit for Java.
For more information:
SA46512
Please see the vendor's advisory for a list of affected products. Please see the vendor's advisory for
details.
ORIGINAL ADVISORY:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-024/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
CVE-2011-3547
The skip() method in java.io.InputStream uses a shared buffer,
allowing untrusted Java code (such as applets) to access data
that is skipped by other code.
CVE-2011-3553
JAX-WS enables stack traces for certain server responses by
default, potentially leaking sensitive information.
For the stable distribution (squeeze), this problem has been fixed in
version 6b18-1.8.10-0+squeeze1.
For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 6b23~pre11-1. ==========================================================================
Ubuntu Security Notice USN-1263-1
November 16, 2011
icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
Multiple OpenJDK 6 and IcedTea-Web vulnerabilities have been fixed.
Software Description:
- icedtea-web: A web browser plugin to execute Java applets
- openjdk-6: Open Source Java implementation
- openjdk-6b18: Open Source Java implementation
Details:
Deepak Bhole discovered a flaw in the Same Origin Policy (SOP)
implementation in the IcedTea web browser plugin. This could allow a
remote attacker to open connections to certain hosts that should
not be permitted. (CVE-2011-3377)
Juliano Rizzo and Thai Duong discovered that the block-wise AES
encryption algorithm block-wise as used in TLS/SSL was vulnerable to
a chosen-plaintext attack. This could allow a remote attacker to view
confidential data. (CVE-2011-3521)
It was discovered that the Java scripting engine did not perform
SecurityManager checks. (CVE-2011-3544)
It was discovered that the InputStream class used a global buffer to
store input bytes skipped. (CVE-2011-3547)
It was discovered that a vulnerability existed in the AWTKeyStroke
class. (CVE-2011-3548)
It was discovered that an integer overflow vulnerability existed
in the TransformHelper class in the Java2D implementation.
(CVE-2011-3556, CVE-2011-3557)
It was discovered that the HotSpot VM could be made to crash, allowing
an attacker to cause a denial of service or possibly leak sensitive
information. (CVE-2011-3558)
It was discovered that the HttpsURLConnection class did not
properly perform SecurityManager checks in certain situations. This
could allow a remote attacker to bypass restrictions on HTTPS
connections. (CVE-2011-3560)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
icedtea-6-jre-cacao 6b23~pre11-0ubuntu1.11.10
icedtea-6-jre-jamvm 6b23~pre11-0ubuntu1.11.10
icedtea-netx 1.1.3-1ubuntu1.1
icedtea-plugin 1.1.3-1ubuntu1.1
openjdk-6-jre 6b23~pre11-0ubuntu1.11.10
openjdk-6-jre-headless 6b23~pre11-0ubuntu1.11.10
openjdk-6-jre-lib 6b23~pre11-0ubuntu1.11.10
openjdk-6-jre-zero 6b23~pre11-0ubuntu1.11.10
Ubuntu 11.04:
icedtea-6-jre-cacao 6b22-1.10.4-0ubuntu1~11.04.1
icedtea-6-jre-jamvm 6b22-1.10.4-0ubuntu1~11.04.1
icedtea-netx 1.1.1-0ubuntu1~11.04.2
icedtea-plugin 1.1.1-0ubuntu1~11.04.2
openjdk-6-jre 6b22-1.10.4-0ubuntu1~11.04.1
openjdk-6-jre-headless 6b22-1.10.4-0ubuntu1~11.04.1
openjdk-6-jre-lib 6b22-1.10.4-0ubuntu1~11.04.1
openjdk-6-jre-zero 6b22-1.10.4-0ubuntu1~11.04.1
Ubuntu 10.10:
icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~10.10.2
openjdk-6-demo 6b20-1.9.10-0ubuntu1~10.10.2
openjdk-6-jdk 6b20-1.9.10-0ubuntu1~10.10.2
openjdk-6-jre 6b20-1.9.10-0ubuntu1~10.10.2
openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~10.10.2
openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~10.10.2
openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~10.10.2
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~10.04.2
icedtea6-plugin 6b20-1.9.10-0ubuntu1~10.04.2
openjdk-6-demo 6b20-1.9.10-0ubuntu1~10.04.2
openjdk-6-jre 6b20-1.9.10-0ubuntu1~10.04.2
openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~10.04.2
openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~10.04.2
openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~10.04.2
After a standard system update you need to restart any Java applications
or applets to make all the necessary changes. 6) - x86_64
3. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch page, listed in the References section.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running HP JDK and JRE 6.0.12 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2011-3389 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2011-3516 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2011-3521 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3544 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3545 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3546 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8
CVE-2011-3547 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-3548 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3549 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3550 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2011-3551 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2011-3552 (AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6
CVE-2011-3553 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
CVE-2011-3554 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3556 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-3557 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2011-3558 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-3560 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2011-3561 (AV:A/AC:H/Au:N/C:P/I:N/A:N) 1.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrades to resolve these vulnerabilities. This bulletin will be revised as other upgrades for additional supported Java versions become available.
The upgrades are available from the following location
http://www.hp.com/go/java
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v6.0.13 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0.12 and earlier, update to Java v6.0.13 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
===========
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
action: install revision 1.6.0.13.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 23 January 2012 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.6.0-openjdk security update
Advisory ID: RHSA-2011:1380-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1380.html
Issue date: 2011-10-18
CVE Names: CVE-2011-3389 CVE-2011-3521 CVE-2011-3544
CVE-2011-3547 CVE-2011-3548 CVE-2011-3551
CVE-2011-3552 CVE-2011-3553 CVE-2011-3554
CVE-2011-3556 CVE-2011-3557 CVE-2011-3558
CVE-2011-3560
=====================================================================
1. Summary:
Updated java-1.6.0-openjdk packages that fix several security issues are
now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.
A flaw was found in the Java RMI (Remote Method Invocation) registry
implementation. A remote RMI client could use this flaw to execute
arbitrary code on the RMI server running the registry. (CVE-2011-3556)
A flaw was found in the Java RMI registry implementation. A remote RMI
client could use this flaw to execute code on the RMI server with
unrestricted privileges. (CVE-2011-3557)
A flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization
code. An untrusted Java application or applet running in a sandbox could
use this flaw to bypass sandbox restrictions by deserializing
specially-crafted input. (CVE-2011-3521)
It was found that the Java ScriptingEngine did not properly restrict the
privileges of sandboxed applications. An untrusted Java application or
applet running in a sandbox could use this flaw to bypass sandbox
restrictions. (CVE-2011-3544)
A flaw was found in the AWTKeyStroke implementation. An untrusted Java
application or applet running in a sandbox could use this flaw to bypass
sandbox restrictions. (CVE-2011-3548)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the Java2D code used to perform transformations of graphic shapes
and images. An untrusted Java application or applet running in a sandbox
could use this flaw to bypass sandbox restrictions. (CVE-2011-3551)
An insufficient error checking flaw was found in the unpacker for JAR files
in pack200 format. A specially-crafted JAR file could use this flaw to
crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code
with JVM privileges. (CVE-2011-3554)
It was found that HttpsURLConnection did not perform SecurityManager checks
in the setSSLSocketFactory method. An untrusted Java application or applet
running in a sandbox could use this flaw to bypass connection restrictions
defined in the policy. (CVE-2011-3560)
A flaw was found in the way the SSL 3 and TLS 1.0 protocols used block
ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a
chosen plain text attack against a connection mixing trusted and untrusted
data could use this flaw to recover portions of the trusted data sent over
the connection. (CVE-2011-3389)
Note: This update mitigates the CVE-2011-3389 issue by splitting the first
application data record byte to a separate SSL/TLS protocol record. This
mitigation may cause compatibility issues with some SSL/TLS implementations
and can be disabled using the jsse.enableCBCProtection boolean property.
This can be done on the command line by appending the flag
"-Djsse.enableCBCProtection=false" to the java command.
An information leak flaw was found in the InputStream.skip implementation.
An untrusted Java application or applet could possibly use this flaw to
obtain bytes skipped by other threads. (CVE-2011-3547)
A flaw was found in the Java HotSpot virtual machine. An untrusted Java
application or applet could use this flaw to disclose portions of the VM
memory, or cause it to crash. (CVE-2011-3558)
The Java API for XML Web Services (JAX-WS) implementation in OpenJDK was
configured to include the stack trace in error messages sent to clients. A
remote client could possibly use this flaw to obtain sensitive information.
(CVE-2011-3553)
It was found that Java applications running with SecurityManager
restrictions were allowed to use too many UDP sockets by default. If
multiple instances of a malicious application were started at the same
time, they could exhaust all available UDP sockets on the system.
(CVE-2011-3552)
This erratum also upgrades the OpenJDK package to IcedTea6 1.9.10. Refer to
the NEWS file, linked to in the References, for further information.
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
737506 - CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
745379 - CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936)
745387 - CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600)
745391 - CVE-2011-3551 OpenJDK: Java2D TransformHelper integer overflow (2D, 7023640)
745397 - CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417)
745399 - CVE-2011-3544 OpenJDK: missing SecurityManager checks in scripting engine (Scripting, 7046823)
745442 - CVE-2011-3521 OpenJDK: IIOP deserialization code execution (Deserialization, 7055902)
745447 - CVE-2011-3554 OpenJDK: insufficient pack200 JAR files uncompress error checks (Runtime, 7057857)
745459 - CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466)
745464 - CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012)
745473 - CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773)
745476 - CVE-2011-3553 OpenJDK: JAX-WS stack-traces information leak (JAX-WS, 7046794)
745492 - CVE-2011-3558 OpenJDK: Hotspot unspecified issue (Hotspot, 7070134)
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.23.1.9.10.el5_7.src.rpm
i386:
java-1.6.0-openjdk-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.23.1.9.10.el5_7.src.rpm
i386:
java-1.6.0-openjdk-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.23.1.9.10.el5_7.i386.rpm
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.23.1.9.10.el5_7.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.src.rpm
i386:
java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.src.rpm
i386:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.src.rpm
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.src.rpm
x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.src.rpm
i386:
java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.src.rpm
i386:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.src.rpm
i386:
java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1.src.rpm
i386:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.9.10.el6_1.i686.rpm
x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.9.10.el6_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-3389.html
https://www.redhat.com/security/data/cve/CVE-2011-3521.html
https://www.redhat.com/security/data/cve/CVE-2011-3544.html
https://www.redhat.com/security/data/cve/CVE-2011-3547.html
https://www.redhat.com/security/data/cve/CVE-2011-3548.html
https://www.redhat.com/security/data/cve/CVE-2011-3551.html
https://www.redhat.com/security/data/cve/CVE-2011-3552.html
https://www.redhat.com/security/data/cve/CVE-2011-3553.html
https://www.redhat.com/security/data/cve/CVE-2011-3554.html
https://www.redhat.com/security/data/cve/CVE-2011-3556.html
https://www.redhat.com/security/data/cve/CVE-2011-3557.html
https://www.redhat.com/security/data/cve/CVE-2011-3558.html
https://www.redhat.com/security/data/cve/CVE-2011-3560.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
http://icedtea.classpath.org/hg/release/icedtea6-1.9/file/328afd896e3e/NEWS
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOngvzXlSAg2UNWIIRArb8AKCaS923HYBco1E2eOOedT1aefjmyACgherU
1E1DMZpv3ExBmKhD4Emi2no=
=sMXo
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
|
|
var-201806-1460
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to cause a denial of service (memory corruption and Safari crash) or possibly have unspecified other impact via a crafted web site. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems. WebKit is one of the web browser engine components. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201808-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: WebkitGTK+: Multiple vulnerabilities
Date: August 22, 2018
Bugs: #652820, #658168, #662974
ID: 201808-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in WebKitGTK+, the worst of
which may lead to arbitrary code execution.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from
hybrid HTML/CSS applications to full-fledged web browsers.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.20.4 >= 2.20.4
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebkitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.20.4"
References
==========
[ 1 ] CVE-2018-11646
https://nvd.nist.gov/vuln/detail/CVE-2018-11646
[ 2 ] CVE-2018-11712
https://nvd.nist.gov/vuln/detail/CVE-2018-11712
[ 3 ] CVE-2018-11713
https://nvd.nist.gov/vuln/detail/CVE-2018-11713
[ 4 ] CVE-2018-12293
https://nvd.nist.gov/vuln/detail/CVE-2018-12293
[ 5 ] CVE-2018-12294
https://nvd.nist.gov/vuln/detail/CVE-2018-12294
[ 6 ] CVE-2018-4101
https://nvd.nist.gov/vuln/detail/CVE-2018-4101
[ 7 ] CVE-2018-4113
https://nvd.nist.gov/vuln/detail/CVE-2018-4113
[ 8 ] CVE-2018-4114
https://nvd.nist.gov/vuln/detail/CVE-2018-4114
[ 9 ] CVE-2018-4117
https://nvd.nist.gov/vuln/detail/CVE-2018-4117
[ 10 ] CVE-2018-4118
https://nvd.nist.gov/vuln/detail/CVE-2018-4118
[ 11 ] CVE-2018-4119
https://nvd.nist.gov/vuln/detail/CVE-2018-4119
[ 12 ] CVE-2018-4120
https://nvd.nist.gov/vuln/detail/CVE-2018-4120
[ 13 ] CVE-2018-4121
https://nvd.nist.gov/vuln/detail/CVE-2018-4121
[ 14 ] CVE-2018-4122
https://nvd.nist.gov/vuln/detail/CVE-2018-4122
[ 15 ] CVE-2018-4125
https://nvd.nist.gov/vuln/detail/CVE-2018-4125
[ 16 ] CVE-2018-4127
https://nvd.nist.gov/vuln/detail/CVE-2018-4127
[ 17 ] CVE-2018-4128
https://nvd.nist.gov/vuln/detail/CVE-2018-4128
[ 18 ] CVE-2018-4129
https://nvd.nist.gov/vuln/detail/CVE-2018-4129
[ 19 ] CVE-2018-4133
https://nvd.nist.gov/vuln/detail/CVE-2018-4133
[ 20 ] CVE-2018-4146
https://nvd.nist.gov/vuln/detail/CVE-2018-4146
[ 21 ] CVE-2018-4162
https://nvd.nist.gov/vuln/detail/CVE-2018-4162
[ 22 ] CVE-2018-4163
https://nvd.nist.gov/vuln/detail/CVE-2018-4163
[ 23 ] CVE-2018-4165
https://nvd.nist.gov/vuln/detail/CVE-2018-4165
[ 24 ] CVE-2018-4190
https://nvd.nist.gov/vuln/detail/CVE-2018-4190
[ 25 ] CVE-2018-4192
https://nvd.nist.gov/vuln/detail/CVE-2018-4192
[ 26 ] CVE-2018-4199
https://nvd.nist.gov/vuln/detail/CVE-2018-4199
[ 27 ] CVE-2018-4200
https://nvd.nist.gov/vuln/detail/CVE-2018-4200
[ 28 ] CVE-2018-4201
https://nvd.nist.gov/vuln/detail/CVE-2018-4201
[ 29 ] CVE-2018-4204
https://nvd.nist.gov/vuln/detail/CVE-2018-4204
[ 30 ] CVE-2018-4214
https://nvd.nist.gov/vuln/detail/CVE-2018-4214
[ 31 ] CVE-2018-4218
https://nvd.nist.gov/vuln/detail/CVE-2018-4218
[ 32 ] CVE-2018-4222
https://nvd.nist.gov/vuln/detail/CVE-2018-4222
[ 33 ] CVE-2018-4232
https://nvd.nist.gov/vuln/detail/CVE-2018-4232
[ 34 ] CVE-2018-4233
https://nvd.nist.gov/vuln/detail/CVE-2018-4233
[ 35 ] CVE-2018-4261
https://nvd.nist.gov/vuln/detail/CVE-2018-4261
[ 36 ] CVE-2018-4262
https://nvd.nist.gov/vuln/detail/CVE-2018-4262
[ 37 ] CVE-2018-4263
https://nvd.nist.gov/vuln/detail/CVE-2018-4263
[ 38 ] CVE-2018-4264
https://nvd.nist.gov/vuln/detail/CVE-2018-4264
[ 39 ] CVE-2018-4265
https://nvd.nist.gov/vuln/detail/CVE-2018-4265
[ 40 ] CVE-2018-4266
https://nvd.nist.gov/vuln/detail/CVE-2018-4266
[ 41 ] CVE-2018-4267
https://nvd.nist.gov/vuln/detail/CVE-2018-4267
[ 42 ] CVE-2018-4270
https://nvd.nist.gov/vuln/detail/CVE-2018-4270
[ 43 ] CVE-2018-4272
https://nvd.nist.gov/vuln/detail/CVE-2018-4272
[ 44 ] CVE-2018-4273
https://nvd.nist.gov/vuln/detail/CVE-2018-4273
[ 45 ] CVE-2018-4278
https://nvd.nist.gov/vuln/detail/CVE-2018-4278
[ 46 ] CVE-2018-4284
https://nvd.nist.gov/vuln/detail/CVE-2018-4284
[ 47 ] WebKitGTK+ Security Advisory WSA-2018-0003
https://webkitgtk.org/security/WSA-2018-0003.html
[ 48 ] WebKitGTK+ Security Advisory WSA-2018-0004
https://webkitgtk.org/security/WSA-2018-0004.html
[ 49 ] WebKitGTK+ Security Advisory WSA-2018-0005
https://webkitgtk.org/security/WSA-2018-0005.html
[ 50 ] WebKitGTK+ Security Advisory WSA-2018-0006
https://webkitgtk.org/security/WSA-2018-0006.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201808-04
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2018-7-23-3 Additional information for
APPLE-SA-2018-06-01-4 iOS 11.4
iOS 11.4 addresses the following:
Bluetooth
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2018-4215: Abraham Masri (@cheesecakeufo)
Bluetooth
Available for: iPhone X, iPhone 8, iPhone 8 Plus,
iPad 6th generation, and iPad Air 2
Not impacted: HomePod
Impact: An attacker in a privileged network position may be able to
intercept Bluetooth traffic
Description: An input validation issue existed in Bluetooth. This
issue was addressed with improved input validation.
CVE-2018-5383: Lior Neumann and Eli Biham
Entry added July 23, 2018
Contacts
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted vcf file may lead to a
denial of service
Description: A validation issue existed in the handling of phone
numbers. This issue was addressed with improved validation of phone
numbers.
CVE-2018-4100: Abraham Masri (@cheesecakeufo)
FontParser
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2018-4211: Proteas of Qihoo 360 Nirvan Team
iBooks
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged network position may be able to
spoof password prompts in iBooks
Description: An input validation issue was addressed with improved
input validation.
CVE-2018-4202: Jerry Decime
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4249: Kevin Backhouse of Semmle Ltd.
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2018-4241: Ian Beer of Google Project Zero
CVE-2018-4243: Ian Beer of Google Project Zero
libxpc
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved validation.
CVE-2018-4237: Samuel GroA (@5aelo) working with Trend Micro's Zero
Day Initiative
Magnifier
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to an iOS device may be able to
view the last image used in Magnifier from the lockscreen
Description: A permissions issue existed in Magnifier. This was
addressed with additional permission checks.
CVE-2018-4239: an anonymous researcher
Mail
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker may be able to exfiltrate the contents of
S/MIME-encrypted e-mail
Description: An issue existed in the handling of encrypted Mail. This
issue was addressed with improved isolation of MIME in Mail.
CVE-2018-4227: Damian Poddebniak of MA1/4nster University of Applied
Sciences, Christian Dresen of MA1/4nster University of Applied Sciences,
Jens MA1/4ller of Ruhr University Bochum, Fabian Ising of MA1/4nster
University of Applied Sciences, Sebastian Schinzel of MA1/4nster
University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj
Somorovsky of Ruhr University Bochum, JAPrg Schwenk of Ruhr University
Bochum
Messages
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to conduct impersonation attacks
Description: An injection issue was addressed with improved input
validation.
CVE-2018-4235: Anurodh Pokharel of Salesforce.com
Messages
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted message may lead to a denial
of service
Description: This issue was addressed with improved message
validation.
CVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd
CVE-2018-4250: Metehan YA+-lmaz of Sesim Sarpkaya
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious website may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4247: FranASSois Renaud, Jesse Viviano of Verizon Enterprise
Solutions
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to read a persistent account
identifier
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4223: Abraham Masri (@cheesecakeufo)
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Users may be tracked by malicious websites using client
certificates
Description: An issue existed in the handling of S-MIME
certificaties. This issue was addressed with improved validation of
S-MIME certificates.
CVE-2018-4221: Damian Poddebniak of MA1/4nster University of Applied
Sciences, Christian Dresen of MA1/4nster University of Applied Sciences,
Jens MA1/4ller of Ruhr University Bochum, Fabian Ising of MA1/4nster
University of Applied Sciences, Sebastian Schinzel of MA1/4nster
University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj
Somorovsky of Ruhr University Bochum, JAPrg Schwenk of Ruhr University
Bochum
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to read a persistent device
identifier
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4224: Abraham Masri (@cheesecakeufo)
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to modify the state of the Keychain
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4225: Abraham Masri (@cheesecakeufo)
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to view sensitive user information
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4226: Abraham Masri (@cheesecakeufo)
Siri
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to an iOS device may be able to
enable Siri from the lock screen
Description: An issue existed with Siri permissions. This was
addressed with improved permission checking.
CVE-2018-4238: Baljinder Singh, Muhammad khizer javed, Onur Can
BIKMAZ (@CanBkmaz) of Mustafa Kemal University
Siri
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to an iOS device may be able to
use Siri to read notifications of content that is set not to be
displayed at the lock screen
Description: An issue existed with Siri permissions. This was
addressed with improved permission checking.
CVE-2018-4252: Hunter Byrnes, Martin Winkelmann (@Winkelmannnn)
Siri Contacts
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker with physical access to a device may be able to
see private contact information
Description: An issue existed with Siri permissions. This was
addressed with improved permission checking.
CVE-2018-4244: an anonymous researcher
UIKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted text file may lead to a
denial of service
Description: A validation issue existed in the handling of text. This
issue was addressed with improved validation of text.
CVE-2018-4198: Hunter Byrnes
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4201: an anonymous researcher
CVE-2018-4218: Natalie Silvanovich of Google Project Zero
CVE-2018-4233: Samuel GroA (@5aelo) working with Trend Micro's Zero
Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2018-4199: Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils
of MWR Labs working with Trend Micro's Zero Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a maliciously crafted website may lead to cookies
being overwritten
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed with improved restrictions.
CVE-2018-4232: an anonymous researcher, Aymeric Chaib
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A race condition was addressed with improved locking.
CVE-2018-4192: Markus Gaasedelen, Nick Burnett, and Patrick Biernat
of Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4214: found by OSS-Fuzz
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working
with Trend Micro's Zero Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4246: found by OSS-Fuzz
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a maliciously crafted website may leak sensitive
data
Description: Credentials were unexpectedly sent when fetching CSS
mask images. This was addressed by using a CORS-enabled fetch method.
CVE-2018-4190: Jun Kokatsu (@shhnjk)
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2018-4222: Natalie Silvanovich of Google Project Zero
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 11.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAltUshMACgkQ8ecVjteJ
iCbspA//aVxu/EdiaNxNRmRDFB8LpqKa3xjJdfkK9cJRYZ+eBHJZjBfzj4BzABuG
Xow7FkEE7LSQpCeJ08Ggo6vVQUdR4+etQ2UfjQWGX6qIvLZUXK0lw2x5XdTP0q4m
WmNoZcdK3cmbVXGMWUZRUrYPTWwMnTMsPpPoDoptaQRseN+K/0kdwsQZtdqeN9sq
GN3Qp6AW6WR1gUAgDriIyzFXTxJ8NmKx2+4B5O2w0TbmzxGa/F5ZUjw4D/wwJJPA
/RXAwseJMghPfbi9tNcjUhbGFfcnr5JvyGfY2GESFc7odWt2XSpePHr6qaJzogBr
KeJKOVpgTdS4PO37+KDUfQDIElSnYQVTff8Tinxg/Zojafp0PxYkDYRxw7i16YKU
HsB7R0o5Yi5YD4uG5ioMj4RspQDWozzveVvvtah6/bWChQQwD3XHr6JRM6oJ106G
wNx2EHfRRXFQCY680RfE8hN/98IJRrCF6nIdO9zBbzGM/Ihzr02F0qSrdB5/PXSq
S6EwJi0M5ia/KMFSO7EY5qQ2aipyDC3WPkvQrHtpsqstMrktyJOYGbm/t39WmIBb
gC92rxvNFr5mO8Owypu1/tloGr15zIxPGR6OXA/DVxdRm2/UmW1tsqQfKgporJMD
de6uiZJb8p8X36KC7YmHLTApYL3CaZebJIIOmf8tKjQUxxbR9wE=
=nII0
-----END PGP SIGNATURE-----
.
Alternatively, on your watch, select "My Watch > General > About" |
|
var-200904-0811
|
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file. Xpdf is an open source viewer for Portable Document Format (PDF) files. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:175
http://www.mandriva.com/security/
_______________________________________________________________________
Package : poppler
Date : November 15, 2011
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple security vulnerabilities has been discovered and corrected
in poppler:
An out-of-bounds reading flaw in the JBIG2 decoder allows remote
attackers to cause a denial of service (crash) via a crafted PDF file
(CVE-2009-0799). NOTE: some of these details are obtained
from third party information. NOTE: this issue reportedly exists
because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603). NOTE: this may overlap CVE-2009-0791
(CVE-2009-3605). NOTE:
some of these details are obtained from third party information
(CVE-2009-3607).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3603
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3604
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3938
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
783eaf3485f688288f070f1a9f911c4d mes5/i586/libpoppler3-0.8.7-2.5mdvmes5.2.i586.rpm
bd06380ed4b45d450389d1770276dccc mes5/i586/libpoppler-devel-0.8.7-2.5mdvmes5.2.i586.rpm
e1945537640307b76bcad253ebb73854 mes5/i586/libpoppler-glib3-0.8.7-2.5mdvmes5.2.i586.rpm
ff93afd4e687dfb8062360f7f7bfd347 mes5/i586/libpoppler-glib-devel-0.8.7-2.5mdvmes5.2.i586.rpm
7f7c3ea25304806c37306ed4f27335e8 mes5/i586/libpoppler-qt2-0.8.7-2.5mdvmes5.2.i586.rpm
ef9780095457b8efb52e961720c58052 mes5/i586/libpoppler-qt4-3-0.8.7-2.5mdvmes5.2.i586.rpm
d9080de0f92bb36a34ad010fe2ad2a4c mes5/i586/libpoppler-qt4-devel-0.8.7-2.5mdvmes5.2.i586.rpm
3d9d5d68cfdb63ff2668040fb0fd0e93 mes5/i586/libpoppler-qt-devel-0.8.7-2.5mdvmes5.2.i586.rpm
ff2f445d1e3942039c5f9b326c64b5e3 mes5/i586/poppler-0.8.7-2.5mdvmes5.2.i586.rpm
29cce020068d6ca7a651a273f9cf8595 mes5/SRPMS/poppler-0.8.7-2.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
e534d6c09ebffd8e9a4f85cb35e15947 mes5/x86_64/lib64poppler3-0.8.7-2.5mdvmes5.2.x86_64.rpm
d71984d177742a10af4168adae141357 mes5/x86_64/lib64poppler-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
709c2fb028305c6038da922d4385a44b mes5/x86_64/lib64poppler-glib3-0.8.7-2.5mdvmes5.2.x86_64.rpm
46bf6bf33ab672b333d52078b37e3bf0 mes5/x86_64/lib64poppler-glib-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
bed66c55ec459b0a845ea4f0adf69c6f mes5/x86_64/lib64poppler-qt2-0.8.7-2.5mdvmes5.2.x86_64.rpm
bfdb0391cff52b910302f6c272223393 mes5/x86_64/lib64poppler-qt4-3-0.8.7-2.5mdvmes5.2.x86_64.rpm
6b0ec4b64459cdf517499703ebd21532 mes5/x86_64/lib64poppler-qt4-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
3f7f2f03348fa025df99564e5cf15665 mes5/x86_64/lib64poppler-qt-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
01bf66ad02b533cf4b6141058df40b62 mes5/x86_64/poppler-0.8.7-2.5mdvmes5.2.x86_64.rpm
29cce020068d6ca7a651a273f9cf8595 mes5/SRPMS/poppler-0.8.7-2.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOwmCOmqjQ0CJFipgRAkA2AJ4idaGL0tc4rVBtwwiVbl27Em6xZwCgrJjl
ar8t2URRRlYmyIxMC/5cgAM=
=5FhG
-----END PGP SIGNATURE-----
.
Additionally the kdegraphics package was rebuild to make
kdegraphics-kpdf link correctly to the new poppler libraries and are
also provided. (CVE-2009-1183)
Two integer overflow flaws were found in the CUPS pdftops filter. (CVE-2009-3608, CVE-2009-3609)
This update corrects the problems.
Update:
Packages for 2008.0 are being provided due to extended support for
Corporate products.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: October 06, 2013
Bugs: #263028, #290430, #290464, #308017, #338878, #352581,
#459866, #480366
ID: 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Poppler, some of which may
allow execution of arbitrary code.
Background
==========
Poppler is a cross-platform PDF rendering library originally based on
Xpdf.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/poppler < 0.22.2-r1 >= 0.22.2-r1
Description
===========
Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Poppler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.22.2-r1"
References
==========
[ 1 ] CVE-2009-0146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0146
[ 2 ] CVE-2009-0147
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0147
[ 3 ] CVE-2009-0165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0165
[ 4 ] CVE-2009-0166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0166
[ 5 ] CVE-2009-0195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0195
[ 6 ] CVE-2009-0799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0799
[ 7 ] CVE-2009-0800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0800
[ 8 ] CVE-2009-1179
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1179
[ 9 ] CVE-2009-1180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1180
[ 10 ] CVE-2009-1181
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1181
[ 11 ] CVE-2009-1182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1182
[ 12 ] CVE-2009-1183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1183
[ 13 ] CVE-2009-1187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1187
[ 14 ] CVE-2009-1188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1188
[ 15 ] CVE-2009-3603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3603
[ 16 ] CVE-2009-3604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3604
[ 17 ] CVE-2009-3605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3605
[ 18 ] CVE-2009-3606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3606
[ 19 ] CVE-2009-3607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3607
[ 20 ] CVE-2009-3608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3608
[ 21 ] CVE-2009-3609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3609
[ 22 ] CVE-2009-3938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3938
[ 23 ] CVE-2010-3702
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3702
[ 24 ] CVE-2010-3703
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3703
[ 25 ] CVE-2010-3704
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3704
[ 26 ] CVE-2010-4653
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4653
[ 27 ] CVE-2010-4654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4654
[ 28 ] CVE-2012-2142
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2142
[ 29 ] CVE-2013-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1788
[ 30 ] CVE-2013-1789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1789
[ 31 ] CVE-2013-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1790
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
For the old stable distribution (etch), these problems have been fixed in version
3.01-9.1+etch6.
For the stable distribution (lenny), these problems have been fixed in version
3.02-1.4+lenny1.
For the unstable distribution (sid), these problems will be fixed in a
forthcoming version.
We recommend that you upgrade your xpdf packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.dsc
Size/MD5 checksum: 974 9c04059981f8b036d7e6e39c7f0aeb21
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.diff.gz
Size/MD5 checksum: 46835 c69a67b9ff487403e7c3ff819c6ff734
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01.orig.tar.gz
Size/MD5 checksum: 599778 e004c69c7dddef165d768b1362b44268
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 62834 dd8f37161c3b2430cb1cd65c911e9f86
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 1278 d6da8e00b02ab3f17ec44b90fff6bb30
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 920352 83b7d74d9ebae9b26da91de7c91d3502
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 1687294 9862913548fff9bfda37a6fe075df5b0
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 809202 171520d7642019943bfe7166876f5da5
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 1493308 9575f135e9ec312f9e6d7d2517dd8f5b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 803714 6db06ffcba7f6d7576ed356e7989557d
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 1468616 9afde01dda379acd4e7edfbccc7c7b2d
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 1773794 c9012a9d3919ec40dcea1264ac27a6fe
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 963060 565daaf6f15ff7593d560ef7a2f94364
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 796992 5270bef04f1c2e924b813dffe6050d89
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 1458826 b2f3cbaac0ffcce0bb8d7e656bf11b02
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 1217142 afeaf9bfc66ebb69767703bfb30bbd4c
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 2218472 6545e9b6f58a84c0daa76baa8a0db629
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 946638 5323268be89e54c5c8eb7ae13f0eab14
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 1721268 0b710c0bcc6ffefe29f683ab09d3cbe8
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 1554798 eadd6236b778761086d436dd8db986e4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 849204 d22f5d59f03d6484e149d7536a25a517
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 1401814 0e3f588c64e8fa9a102ebcae29c4d807
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 767392 4b7c1a868f2f909c2dce25087da77817
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 1394680 8b17e2339e2a908a610271eb678495b1
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 763618 f3897333018702ee926e41ca5f58dc92
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.dsc
Size/MD5 checksum: 1266 faeebc4dfc74129ca708a6345bb483f7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02.orig.tar.gz
Size/MD5 checksum: 674912 599dc4cc65a07ee868cf92a667a913d2
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.diff.gz
Size/MD5 checksum: 42280 362f72e95494f51a19eeb898b9a527ac
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 67664 b5f063bf32cbeaf1aaeec315dc8aff0a
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 1268 f67780458dac3c38cd59bfde186f9a3b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1896344 f65f591413c25a23ea2aaccba2b5b634
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1018434 cb679c93bbc428ea852bd4ef3103e42d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 1709514 1e1277251a6dd0bb0a551997efd39175
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 921892 fb7de1db5e3885365c3ad74c3646ab57
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 1667088 58ddefe40598d6fe4a5016145163ef45
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 907908 881594298fe547cefa3d528c519d369f
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 886242 51d55f7c4de41c5d4051f41fde9b7389
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 1602392 bc996edfad6d1995cb4ef2f4c7760b51
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1076286 fa3ac4a1001abf3e892bb1397b06ff17
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1985520 e95263d094e2c8d6aa72ee1edb9105f3
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 876656 441042932886fa29adae731338f6b5bd
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 1611730 52516381da25dbb0c1145e2b7cdf692a
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 1380222 0ffaee560534c9d69df433340679c8fc
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 2519970 eb4f4e5c173557fa8ae713f123cbb193
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1894924 58b336b114ef5c8fb9fc6244411b4cf4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1040834 ae8ed06ea2ed07e3a064c6bd28e80933
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1026954 eac8167230b8fa208cdbc5b196f0c624
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1872050 8f2e99ce5a102d099ba22543f246d5bd
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 1788584 7d1466cc8770bd92f299c1cc772f64e7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 968838 7cc8568d6b74348300066e42b27f90c2
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 871666 1dde93a4cc0a28b90f92c05f0d181079
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 1598270 201ad07e4853843dce22f22daa41fd35
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 863662 446f2d8fe6483d3741648c4db1ff5b82
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 1586262 52861c00f406c35db8a6e6f3269cc37d
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKAJvfYrVLjBFATsMRAvL3AJ48hk1Vsp4ZvDGoQfwOunErKHxElQCfepN+
rFYyqIcPRzz8zBGVGObkTr8=
=xhzW
-----END PGP SIGNATURE-----
|
|
var-200809-0402
|
Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.4.11 and 10.5 through 10.5.4 allows remote attackers to execute arbitrary code via a document containing a crafted font, related to "PostScript font names.". Apple Mac OS X Leopard does not accurately reflect which files and directories are available via sharing. A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system.
The security update addresses a total of 17 new vulnerabilities that affect the Apple Type Services, Directory Services, Finder, ImageIO, Kernel, Login Windows, SearchKit, System Configuration, System Preferences, Time Machine, VideoConference, and Wiki Server components of Mac OS X. The advisory also contains security updates for 17 previously reported issues.
----------------------------------------------------------------------
Bist Du interessiert an einem neuen Job in IT-Sicherheit?
Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT-
Sicherheit:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
Nucleus XML-RPC PHP Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA15895
VERIFY ADVISORY:
http://secunia.com/advisories/15895/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Nucleus 3.x
http://secunia.com/product/3699/
DESCRIPTION:
A vulnerability has been reported in Nucleus, which can be exploited
by malicious people to compromise a vulnerable system.
For more information:
SA15852
SOLUTION:
Update to version 3.21.
http://sourceforge.net/project/showfiles.php?group_id=66479
OTHER REFERENCES:
SA15852:
http://secunia.com/advisories/15852/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
|
|
var-200906-0591
|
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564. Apache 'APR-util' is prone to a vulnerability that may allow attackers to cause an affected application to consume memory, resulting in a denial-of-service condition.
Versions prior to 'APR-util' 1.3.7 are vulnerable. Apr-util is the Apache Portable Runtime Toolkit used by Apache. All web services that use the expat wrapper interface of the APR-util library to parse untrusted XML documents are affected by this vulnerability, such as the Apache httpd WebDAV module mod_dav. ===========================================================
Ubuntu Security Notice USN-787-1 June 12, 2009
apache2 vulnerabilities
CVE-2009-0023, CVE-2009-1191, CVE-2009-1195, CVE-2009-1955,
CVE-2009-1956
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
apache2-common 2.0.55-4ubuntu2.5
apache2-mpm-perchild 2.0.55-4ubuntu2.5
apache2-mpm-prefork 2.0.55-4ubuntu2.5
apache2-mpm-worker 2.0.55-4ubuntu2.5
libapr0 2.0.55-4ubuntu2.5
Ubuntu 8.04 LTS:
apache2-mpm-event 2.2.8-1ubuntu0.8
apache2-mpm-perchild 2.2.8-1ubuntu0.8
apache2-mpm-prefork 2.2.8-1ubuntu0.8
apache2-mpm-worker 2.2.8-1ubuntu0.8
apache2.2-common 2.2.8-1ubuntu0.8
Ubuntu 8.10:
apache2-mpm-event 2.2.9-7ubuntu3.1
apache2-mpm-prefork 2.2.9-7ubuntu3.1
apache2-mpm-worker 2.2.9-7ubuntu3.1
apache2.2-common 2.2.9-7ubuntu3.1
Ubuntu 9.04:
apache2-mpm-event 2.2.11-2ubuntu2.1
apache2-mpm-prefork 2.2.11-2ubuntu2.1
apache2-mpm-worker 2.2.11-2ubuntu2.1
apache2.2-common 2.2.11-2ubuntu2.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Matthew Palmer discovered an underflow flaw in apr-util as included in
Apache. An attacker could cause a denial of service via application crash
in Apache using a crafted SVNMasterURI directive, .htaccess file, or when
using mod_apreq2. This issue only affected Ubuntu 6.06 LTS. (CVE-2009-0023)
Sander de Boer discovered that mod_proxy_ajp would reuse connections when
a client closed a connection without sending a request body. A remote
attacker could exploit this to obtain sensitive response data. This issue
only affected Ubuntu 9.04. (CVE-2009-1191)
Jonathan Peatfield discovered that Apache did not process Includes options
correctly. With certain configurations of Options and AllowOverride, a
local attacker could use an .htaccess file to override intended
restrictions and execute arbitrary code via a Server-Side-Include file.
This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04. (CVE-2009-1195)
It was discovered that the XML parser did not properly handle entity
expansion. This issue only affected Ubuntu
6.06 LTS. (CVE-2009-1955)
C. Michael Pilato discovered an off-by-one buffer overflow in apr-util when
formatting certain strings. For big-endian machines (powerpc, hppa and
sparc in Ubuntu), a remote attacker could cause a denial of service or
information disclosure leak. All other architectures for Ubuntu are not
considered to be at risk. This issue only affected Ubuntu 6.06 LTS.
(CVE-2009-1956)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.5.diff.gz
Size/MD5: 123724 00519250c6506489a6c39936925e568e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.5.dsc
Size/MD5: 1156 20f5954982f1615b73eb8d180069a55e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55.orig.tar.gz
Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.55-4ubuntu2.5_all.deb
Size/MD5: 2125174 6ee0433b3d2fbf33c6514599bcfe047b
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 833636 0e14aa964bbfd817e44d0c6517bb0d03
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 228830 db8dee716fa4906b74138b6efbb8f52a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 223844 4277481db3a7217319f1fb4bc9a9df5b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 228456 d4e86af7ea2751f782c9f81504c899e9
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 171972 16352ec1565ada8204deb4d4aa7e460d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 172750 3e8ad9cc35d7a6b8a97d320610c79024
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 94816 f251b0a95e6554c4d6e686b5a6f9132f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 36864 7d4f1abc24314c8f1682d0bc5a727882
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 286326 240a6f25212bacab7cef3af8218ef235
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.5_amd64.deb
Size/MD5: 144886 20ce4e07cf33f50c279aa57876da241d
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 786858 9086ee9622bf2f6299d521751b7984cc
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 203506 903fda93a0084cbeb163c06823a2424c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 199358 ab3b3082cdd4537004f92f0cf9d67331
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 202902 69f2874396cc0895e05b369f9806e34c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 171980 2eca5344df9c14e289ea045633d33439
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 172750 46fc5dc35f23b087f1438f88b1a0d082
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 92760 065675c9336669192e09604adbec77d1
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 36866 c95b2e1cd3b70a2714c6a1a12a780038
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 262324 e3598aad5a3be422319e509b1fc17386
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.5_i386.deb
Size/MD5: 132808 c36dc81bbc044508961082c730659356
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 859676 46bd81028dcf7be9e41770dd11af37ae
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 220862 b1f08076334f064ca0bd69dd599aa59d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 216506 57bd719b0a500747320db3c77350a97e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 220360 8451b10349e241687954b916a31e9680
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 171978 37abe43c6f3bb7ff514ec55b7b23c2c7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 172754 c2b337ff66a86c0ad67a02667e63618a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 104538 1d91ed96d5f569ad59f07767dc7aadbe
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 36866 605992b543ab267be7fff50c028b96eb
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 281870 40933a88468e6a97a06828e24a430ad5
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.5_powerpc.deb
Size/MD5: 141986 ad0ee1e4188fa56dfc23d217b31b9e4a
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 803992 df7406ce6b8c2037e17eab5aba1fd947
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 211278 8c29e978a758d2a885048bc8e8529be7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 206812 9f549366fdc0481d40bc6123ddbb3d91
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 210522 27dadfb40c60d99aa5570daaa05f5ba6
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 171976 aa9dd20fbb4eea6a4e0e0fa20538dad7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 172756 480182b02dc98f8e86119452cf4dc031
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 93858 6f000d7b9a0f48de4e22a39f42e53fe8
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 36864 246e286fdb3f71b2b92c7cd783628dad
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 268458 1c29830b1e623ff497ad20240861dc42
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.5_sparc.deb
Size/MD5: 130780 46fbba05af3cdc1f39e73c2cca8716e1
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.8.diff.gz
Size/MD5: 135718 b67b9e9cab0d958b01bf47433fcb299f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.8.dsc
Size/MD5: 1379 5f83de71908712e7fa37c517c6b9daf0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8.orig.tar.gz
Size/MD5: 6125771 39a755eb0f584c279336387b321e3dfc
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.8-1ubuntu0.8_all.deb
Size/MD5: 1928684 ccf0bbc4560b1d63f86681c5f91d38a5
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.2.8-1ubuntu0.8_all.deb
Size/MD5: 72322 ffe7242eb5807cb4faf04af195824773
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.8-1ubuntu0.8_all.deb
Size/MD5: 6254304 8dae450a6d4f8b948ae02dc3a165ad99
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.8_all.deb
Size/MD5: 45252 0f62ab2a6205b27126c6c30ce0e8cc9d
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.8_amd64.deb
Size/MD5: 252474 661f84e26a417adb6fb293cda4170146
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.8_amd64.deb
Size/MD5: 248086 3196e11d84f523ef5e3409171eda56cf
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.8_amd64.deb
Size/MD5: 251832 ab128185607a1812fae9b7da809c5471
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.8_amd64.deb
Size/MD5: 204994 5ce24738c1785a6ba05dd3e86337b1b3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.8_amd64.deb
Size/MD5: 205770 e8a688cfd6b67367c66c8ff0f2227e30
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.8_amd64.deb
Size/MD5: 141084 da5c7a4aba57d0088a0122d81bbff9ad
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.8_amd64.deb
Size/MD5: 801788 0359700bb1d80e0e3a6fc1d8efe74d02
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.8_i386.deb
Size/MD5: 235446 0a61cd153337e09a91482b781fbf108e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.8_i386.deb
Size/MD5: 230978 c5a4a358ddfdba46ba19f8758614e85b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.8_i386.deb
Size/MD5: 234696 9a90bad413d4d46316f328776a2d950a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.8_i386.deb
Size/MD5: 205002 4cdf06a62da153d9b7d2cd6772a00c76
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.8_i386.deb
Size/MD5: 205766 36ee4a8ad7a8de250676d00aa02f9195
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.8_i386.deb
Size/MD5: 140046 a1adc8e4bdbf11a7c0856ecfbb333e08
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.8_i386.deb
Size/MD5: 754798 afea0689b2508b4d5bc5c41e19019eb0
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.8_lpia.deb
Size/MD5: 234958 4f05df526ebd1e4ab2b909b7e041e4c1
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.8_lpia.deb
Size/MD5: 230616 ff72890c7622b3a291789006aa2099b4
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.8_lpia.deb
Size/MD5: 234102 16fb9ac5b25ed2cc19729cfc48ad6014
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.8_lpia.deb
Size/MD5: 204996 d8888829d11f62961a01fec4c0919403
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.8_lpia.deb
Size/MD5: 205770 1c73843afed774da460e39b79ab332a7
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.8_lpia.deb
Size/MD5: 140622 b1537a8a7a01aea78b0a67ba5ab6f84d
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.8_lpia.deb
Size/MD5: 748640 e2fc6fe941ec7a2238e57004816d3bb1
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.8_powerpc.deb
Size/MD5: 253568 1d84c15e686047e1eebd6812da6adcd9
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.8_powerpc.deb
Size/MD5: 248958 9e418948b0c7fed12e70e9ee07f193dc
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.8_powerpc.deb
Size/MD5: 253052 e070abbfc3cd142234a30688320e5dbc
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.8_powerpc.deb
Size/MD5: 205000 25018ddf577a7e66655b79775d67eb50
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.8_powerpc.deb
Size/MD5: 205782 9e78cbd7348964b8ab831e0482d3e41b
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.8_powerpc.deb
Size/MD5: 157810 4b7d728303d38b057b043e96ee3ab7aa
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.8_powerpc.deb
Size/MD5: 904910 359c25a1948ac2728e445082e60a7b44
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.8_sparc.deb
Size/MD5: 236684 330ec61baee83347b37132f646264596
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.8_sparc.deb
Size/MD5: 232578 11681fc7d5013b55d2e3f4e500797726
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.8_sparc.deb
Size/MD5: 235912 cc331eab50a4ede19d0f88fd4fc0d00d
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.8_sparc.deb
Size/MD5: 204994 8b3d7bd0db0db66235a4f06f257108bf
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.8_sparc.deb
Size/MD5: 205762 134ff600abb6954b657a2fe8f9e5fa00
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.8_sparc.deb
Size/MD5: 143256 90b0f6e9362aa3866e412a98e255b086
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.8_sparc.deb
Size/MD5: 763970 c6bc1c87855dcc1e72a438a791d6952e
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7ubuntu3.1.diff.gz
Size/MD5: 130909 ed59ca0fc5288b93fa2cb04af9aa2b7d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7ubuntu3.1.dsc
Size/MD5: 1788 f80e4b56abc6bfc56125fc78aebab185
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9.orig.tar.gz
Size/MD5: 6396996 80d3754fc278338033296f0d41ef2c04
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.9-7ubuntu3.1_all.deb
Size/MD5: 2041562 05e984048a661ec86fe5051cab223b33
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.9-7ubuntu3.1_all.deb
Size/MD5: 6537296 e9f14f43d75ec050e3d70cac84ba318f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7ubuntu3.1_all.deb
Size/MD5: 45016 f63b7b86981f837f780ae1a821c4b43d
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.1_amd64.deb
Size/MD5: 254484 0e095f99d2e0e3ba925fff298a6f57f2
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.1_amd64.deb
Size/MD5: 248678 88d8afa20352f18c8e5d810c6e474c97
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.1_amd64.deb
Size/MD5: 253868 7ccad99f2fc89e63a394d4ad95335082
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.1_amd64.deb
Size/MD5: 208050 187e0b01d15af23717d0d26771023c60
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.1_amd64.deb
Size/MD5: 84018 9f56eeec1f836774e7e91f3cdfbf3ee5
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.1_amd64.deb
Size/MD5: 82380 9085526c648b9d8656a2b7d2c7326655
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.1_amd64.deb
Size/MD5: 209104 dcac98c57f63870120667d613939bbb0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.1_amd64.deb
Size/MD5: 147294 a6d9883304675907594ed1aab442d81a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.1_amd64.deb
Size/MD5: 819450 a8562063da879ed20251894bd1e0746e
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.1_i386.deb
Size/MD5: 240916 d05183c57521d23cf2281e2d9589c8c3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.1_i386.deb
Size/MD5: 235528 b4908cd5d4b70f8ede12cf7b6e103223
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.1_i386.deb
Size/MD5: 240188 63c83e128a121c7c9c188b02eb59edcb
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.1_i386.deb
Size/MD5: 208056 01f550eb1d15495d5d896d522ade4396
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.1_i386.deb
Size/MD5: 83470 97a20ccf92b43e4b32d182a128b22072
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.1_i386.deb
Size/MD5: 81868 4f3ef154558c65db2daf74f940779760
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.1_i386.deb
Size/MD5: 209110 b291e921de088d2efabf33e4cd35c99e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.1_i386.deb
Size/MD5: 146130 6ea24f8ff6bd7a5921c575b402bc2d32
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.1_i386.deb
Size/MD5: 777780 e598efbc86f7a1d7e9675deb6a237e4c
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.1_lpia.deb
Size/MD5: 237796 38656143c16829748990fe35c2618b95
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.1_lpia.deb
Size/MD5: 232460 9e20d4fb43009cba2133ecb7d0fe5684
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.1_lpia.deb
Size/MD5: 237088 2ca48410f10f3e9b800e1c131edc8192
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.1_lpia.deb
Size/MD5: 208070 02f11c5c6874f97a7e737030cd22d333
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.1_lpia.deb
Size/MD5: 83412 fb1c3db7a5c0a6c25d842600e7166584
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.1_lpia.deb
Size/MD5: 81840 43514a92cf231cb8e57a21448b4183df
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.1_lpia.deb
Size/MD5: 209122 7fd0dd58cbc286cf730fd7e3be8e5329
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.1_lpia.deb
Size/MD5: 145818 92e9731915cc84e775fd303142186bad
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.1_lpia.deb
Size/MD5: 765882 179c476b74f6d593dde3a53febb5684e
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.1_powerpc.deb
Size/MD5: 261012 4706fe724bc8469e9693983b6e5cb542
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.1_powerpc.deb
Size/MD5: 255554 70580bb638d16932a6376e8e593f012a
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.1_powerpc.deb
Size/MD5: 260364 1703559523a2765da24f8cb748992345
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.1_powerpc.deb
Size/MD5: 208078 f538ef7ed95defc239ecc498b898efaa
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.1_powerpc.deb
Size/MD5: 84104 5f127b51e775dfe285eb8d5c448ff752
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.1_powerpc.deb
Size/MD5: 82462 960f91f842e5fc0eea867a14290334bc
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.1_powerpc.deb
Size/MD5: 209116 13c8662a31d5fdef85ca3ac3637a8689
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.1_powerpc.deb
Size/MD5: 160562 4734c80d99389ab39d553aee59fa6ff7
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.1_powerpc.deb
Size/MD5: 925502 4400f5d7e9411b679249a34551d34b83
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.1_sparc.deb
Size/MD5: 246136 2132add596f6b3cde962f2f0d7fc31ad
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.1_sparc.deb
Size/MD5: 240772 0e3e5f9de7a877c3dfe0a9b8167a6c53
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.1_sparc.deb
Size/MD5: 245500 e7f1c5af7f735a3f10b3be90df71fc0e
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.1_sparc.deb
Size/MD5: 208076 ec4d3e98ca11376db2b9d8fd6d884b60
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.1_sparc.deb
Size/MD5: 83642 2b61d89fe5f802d75289ceb000d5725b
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.1_sparc.deb
Size/MD5: 82022 07d39ee448a55ebcfe25194bfff62929
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.1_sparc.deb
Size/MD5: 209124 2c3a8b2f2a2863350baec615cf5e3643
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.1_sparc.deb
Size/MD5: 150470 ab783bdd5be74dd06e791aba78113be0
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.1_sparc.deb
Size/MD5: 783186 bdfe2bc8f54cb65d38cb96038ceddb09
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11-2ubuntu2.1.diff.gz
Size/MD5: 134781 129b768f9b402dbab2177edc6cffc1b4
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11-2ubuntu2.1.dsc
Size/MD5: 1795 f6124369956b88a09f1786687e187af8
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11.orig.tar.gz
Size/MD5: 6806786 03e0a99a5de0f3f568a0087fb9993af9
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.11-2ubuntu2.1_all.deb
Size/MD5: 2218488 ab645fa9c67940ee29934317f2383bec
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11-2ubuntu2.1_all.deb
Size/MD5: 46084 7be24aa4d43f4d55e36e95e831e04fcb
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-src_2.2.11-2ubuntu2.1_all.deb
Size/MD5: 6945842 a0742af1b44b20a35c24cca56a0b59a0
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.1_amd64.deb
Size/MD5: 258410 de4fb0f20ec133b06d7464a9ea80866d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.1_amd64.deb
Size/MD5: 252600 96fc657175db7e0958b2aff2884787ce
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.1_amd64.deb
Size/MD5: 257804 d7089118239d000dbc68ab95bfd271dd
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.1_amd64.deb
Size/MD5: 212740 7fd9950428d290b6b3aee7278b20801b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.1_amd64.deb
Size/MD5: 213712 67b090ab9856a9812df4b8b8ef66dccb
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.1_amd64.deb
Size/MD5: 150594 58993a2d2fae87fafecfab2bdc06b521
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.1_amd64.deb
Size/MD5: 824406 af48b8490ac13329fd761d279d16b22b
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.1_amd64.deb
Size/MD5: 87250 6ef1e665dab19ae16a0a3a8d8b441f52
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.1_amd64.deb
Size/MD5: 85530 a104eeb1d1114e57ad91f3f646ff8e2d
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.1_i386.deb
Size/MD5: 244922 1fff6a156eb80ae9edf1965b205215d3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.1_i386.deb
Size/MD5: 239444 a61af2e80ff7a7d397478396968efa7a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.1_i386.deb
Size/MD5: 244292 a80eae6d7f5c060cfa12950759433a4f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.1_i386.deb
Size/MD5: 212748 684eac3801bf1650ca4662cc354ef95e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.1_i386.deb
Size/MD5: 213718 d9c889bad26894b386934ca35a1e1379
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.1_i386.deb
Size/MD5: 149484 755cb6034670192a724407b37e7cb355
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.1_i386.deb
Size/MD5: 783390 b6fa516c19bb6d82776347dd3e940094
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.1_i386.deb
Size/MD5: 86630 d20a788cb4ac4eb1315ef0739e015214
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.1_i386.deb
Size/MD5: 85030 96d33de27e43def58d919d6cf9660d68
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.1_lpia.deb
Size/MD5: 241826 7f57b43f10b1c3c9ed8936c1fce4b13c
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.1_lpia.deb
Size/MD5: 236352 bb836a54002a4245cae4c26f24b9f7c0
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.1_lpia.deb
Size/MD5: 241204 6b7073a4e777394416240b7da64d4036
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.1_lpia.deb
Size/MD5: 212724 abfa6f5688aacdb6ceab53d14bf93f0e
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.1_lpia.deb
Size/MD5: 213702 fdd3ddcf889bc8cbe5625e3dd8959bff
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.1_lpia.deb
Size/MD5: 149198 e6eae8fa571b6bf17b98aeb232d22e4d
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.1_lpia.deb
Size/MD5: 772602 612374c962f685533d55e821f2748828
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.1_lpia.deb
Size/MD5: 86576 13c229e63eb2011c9a74f1eaea7bacb6
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.1_lpia.deb
Size/MD5: 84988 e70529926eb88e73ee1f7f06f73ef414
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.1_powerpc.deb
Size/MD5: 265034 8244078723fb247d4cddfd0376374b8d
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.1_powerpc.deb
Size/MD5: 259822 a81eb991f88dbb4cb6b374ea6315f0ba
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.1_powerpc.deb
Size/MD5: 264502 512f211e4bc233c8351b620fb9e27fa4
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.1_powerpc.deb
Size/MD5: 212754 f284e4114d049c15632ac08ddc6ddc2d
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.1_powerpc.deb
Size/MD5: 213728 c8caee451ecefb8d856412ebcaaff627
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.1_powerpc.deb
Size/MD5: 163892 c7b9a87427478a72be106c8de950de13
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.1_powerpc.deb
Size/MD5: 931558 3280b97e8ab35c15b6b9f0192c60895b
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.1_powerpc.deb
Size/MD5: 87326 da229fa04d2536679c0cdd7a4447929b
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.1_powerpc.deb
Size/MD5: 85592 72dd8fe34d798e65b77bcb5b3e40122d
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.1_sparc.deb
Size/MD5: 250148 f903b1decc466013c618579f36e30ec4
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.1_sparc.deb
Size/MD5: 244470 66c2b05cf6585a40346c341d1b3ba3b2
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.1_sparc.deb
Size/MD5: 249532 50f65920d24048ba1e7444d7bf42e9bd
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.1_sparc.deb
Size/MD5: 212752 100150fe2cc4ffeb96b41965995493bd
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.1_sparc.deb
Size/MD5: 213718 16c269440c2cba44360cd49c89463ece
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.1_sparc.deb
Size/MD5: 153740 8531a5268c9ead29583a2102f1ee929b
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.1_sparc.deb
Size/MD5: 788532 415364037e428a8d1dcf3565fefced36
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.1_sparc.deb
Size/MD5: 86830 662ac6195c360fbf5416f9fbefde46ac
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.1_sparc.deb
Size/MD5: 85124 585acf45b85fe68308c459076f7d6d93
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02579879
Version: 1
HPSBUX02612 SSRT100345 rev.1 - HP-UX Apache-based Web Server, Local Information Disclosure, Increase of Privilege, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-12-07
Last Updated: 2010-12-06
------------------------------------------------------------------------------
Potential Security Impact: Local information disclosure, increase of privilege, remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache-based Web Server. These vulnerabilities could be exploited locally to disclose information, increase privilege or remotely create a Denial of Service (DoS).
References: CVE-2010-1452, CVE-2009-1956, CVE-2009-1955, CVE-2009-1891, CVE-2009-1890, CVE-2009-1195, CVE-2009-0023, CVE-2007-6203, CVE-2006-3918
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23 and B.11.31 running Apache-based Web Server prior to v2.0.63.01
Note: HP-UX Apache-based Web Server v2.0.63.01 is contained in HP-UX Web Server Suite v.2.32
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-1452 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2009-1956 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 6.4
CVE-2009-1955 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8
CVE-2009-1891 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2009-1890 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2009-1195 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2009-0023 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2007-6203 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2006-3918 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software updates to resolve the vulnerabilities.
The updates are available for download from http://software.hp.com
Note: HP-UX Web Server Suite v.2.32 contains HP-UX Apache-based Web Server v2.0.63.01
Web Server Suite Version / Apache Depot name
HP-UX Web Server Suite v.2.32
HP-UX 11i PA-RISC with IPv6
HP-UX 11i version 2 PA-RISC/IPF 64-bit
HP-UX 11i version 2 PA-RISC/IPF 32-bit
HP-UX 11i version 3 PA-RISC/IPF 64-bit
HP-UX 11i version 3 PA-RISC/IPF 32-bit
MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server v2.0.63.01 or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX Web Server Suite v2.32
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.63.01 or subsequent
HP-UX B.11.23
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.63.01 or subsequent
HP-UX B.11.31
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.63.01 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 7 December 2010 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkz+xL4ACgkQ4B86/C0qfVmhiwCg8wrmupoKQCwiB89Wb3dQtBUe
o2EAoOcrw8fBt6Tx5ep61P+YjJaHV+ZU
=fFig
-----END PGP SIGNATURE-----
.
NOTE: some of these details are obtained from third party information
(CVE-2009-2412). (CVE-2009-0023).
Packages for 2008.0 are being provided due to extended support for
Corporate products.
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
d55d5dd456de0c7977f93bff217406d7 2008.0/i586/apr-util-dbd-mysql-1.2.10-1.1mdv2008.0.i586.rpm
bd02eb2233dcc07aadd7e5eb84df9ce8 2008.0/i586/apr-util-dbd-pgsql-1.2.10-1.1mdv2008.0.i586.rpm
334e127fb8ac03379c8a5f2ee7c144b6 2008.0/i586/apr-util-dbd-sqlite3-1.2.10-1.1mdv2008.0.i586.rpm
4307983fb3d21ab0f9955711e116f92e 2008.0/i586/libapr1-1.2.11-1.1mdv2008.0.i586.rpm
ff24f1e1587f2210346ea134d4a2053e 2008.0/i586/libapr-devel-1.2.11-1.1mdv2008.0.i586.rpm
3d50a85109e011ced9e36f1565e9bc69 2008.0/i586/libapr-util1-1.2.10-1.1mdv2008.0.i586.rpm
b786e2329fc63d459b841bf001261543 2008.0/i586/libapr-util-devel-1.2.10-1.1mdv2008.0.i586.rpm
6ef7669ea3d0db3dbaed35f35ae2dbdc 2008.0/SRPMS/apr-1.2.11-1.1mdv2008.0.src.rpm
1a923fc9c2f912ef339b942a59bff4e6 2008.0/SRPMS/apr-util-1.2.10-1.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
91588bbcf3940cd106b0fe458be6d4b9 2008.0/x86_64/apr-util-dbd-mysql-1.2.10-1.1mdv2008.0.x86_64.rpm
b71d8b14cc536cf8a2448b353d2b4047 2008.0/x86_64/apr-util-dbd-pgsql-1.2.10-1.1mdv2008.0.x86_64.rpm
10b889bb625dbae01711ed7e8e101744 2008.0/x86_64/apr-util-dbd-sqlite3-1.2.10-1.1mdv2008.0.x86_64.rpm
068334fc392c68f9b29e629dd3776f83 2008.0/x86_64/lib64apr1-1.2.11-1.1mdv2008.0.x86_64.rpm
a9ed011d8b421e8604e66a87a4972477 2008.0/x86_64/lib64apr-devel-1.2.11-1.1mdv2008.0.x86_64.rpm
c08da53c4c88464249f46c6577f3c2a8 2008.0/x86_64/lib64apr-util1-1.2.10-1.1mdv2008.0.x86_64.rpm
4b1b86a3e07f4b87a1a53f0dbaaa3aff 2008.0/x86_64/lib64apr-util-devel-1.2.10-1.1mdv2008.0.x86_64.rpm
6ef7669ea3d0db3dbaed35f35ae2dbdc 2008.0/SRPMS/apr-1.2.11-1.1mdv2008.0.src.rpm
1a923fc9c2f912ef339b942a59bff4e6 2008.0/SRPMS/apr-util-1.2.10-1.1mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLGEWRmqjQ0CJFipgRAsWiAJ9LbNZNAkUIxWbq84aERpTacFEJPACg0xgy
wuYdtSQeV/bOOP7w17qo2V0=
=V8dA
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
Applications using libapreq2 are also affected. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200907-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: APR Utility Library: Multiple vulnerabilities
Date: July 04, 2009
Bugs: #268643, #272260, #274193
ID: 200907-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in the Apache Portable Runtime Utility Library
might enable remote attackers to cause a Denial of Service or disclose
sensitive information.
Background
==========
The Apache Portable Runtime Utility Library (aka apr-util) provides an
interface to functionality such as XML parsing, string matching and
databases connections.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/apr-util < 1.3.7 >= 1.3.7
Description
===========
Multiple vulnerabilities have been discovered in the APR Utility
Library:
* Matthew Palmer reported a heap-based buffer underflow while
compiling search patterns in the apr_strmatch_precompile() function
in strmatch/apr_strmatch.c (CVE-2009-0023). Michael Pilato reported an off-by-one error in the
apr_brigade_vprintf() function in buckets/apr_brigade.c
(CVE-2009-1956). NOTE:
Only big-endian architectures such as PPC and HPPA are affected by the
latter flaw.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Apache Portable Runtime Utility Library users should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/apr-util-1.3.7"
References
==========
[ 1 ] CVE-2009-0023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
[ 2 ] CVE-2009-1955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
[ 3 ] CVE-2009-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200907-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
|
|
var-200806-0425
|
Unspecified vulnerability in WebKit in Apple Safari before 3.1.2, as distributed in Mac OS X before 10.5.4, and standalone for Windows and Mac OS X 10.4, allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors involving JavaScript arrays that trigger memory corruption. The Apple Webkit contains a memory corruption vulnerability.This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code. Apple Safari WebKit is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks when handling user-supplied input. Failed exploit attempts will result in a denial-of-service condition. Safari is the web browser bundled by default in the Apple family operating system. Safari's WebKit has a buffer overflow vulnerability when processing JavaScript arrays. If the user is tricked into visiting a malicious site, this overflow can be triggered, resulting in denial of service or execution of arbitrary instructions.
----------------------------------------------------------------------
Bist Du interessiert an einem neuen Job in IT-Sicherheit?
Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT-
Sicherheit:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
phpPgAds XML-RPC PHP Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA15884
VERIFY ADVISORY:
http://secunia.com/advisories/15884/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
phpPgAds 2.x
http://secunia.com/product/4577/
DESCRIPTION:
A vulnerability has been reported in phpPgAds, which can be exploited
by malicious people to compromise a vulnerable system.
For more information:
SA15852
SOLUTION:
Update to version 2.0.5.
http://sourceforge.net/project/showfiles.php?group_id=36679
OTHER REFERENCES:
SA15852:
http://secunia.com/advisories/15852/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
|
|
var-201411-0410
|
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. Both Haxx curl and libcurl are products of the Swedish company Haxx. libcurl is a free, open source client-side URL transfer library. ============================================================================
Ubuntu Security Notice USN-2346-1
September 15, 2014
curl vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in curl. (CVE-2014-3620)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
libcurl3 7.35.0-1ubuntu2.1
libcurl3-gnutls 7.35.0-1ubuntu2.1
libcurl3-nss 7.35.0-1ubuntu2.1
Ubuntu 12.04 LTS:
libcurl3 7.22.0-3ubuntu4.10
libcurl3-gnutls 7.22.0-3ubuntu4.10
libcurl3-nss 7.22.0-3ubuntu4.10
Ubuntu 10.04 LTS:
libcurl3 7.19.7-1ubuntu1.9
libcurl3-gnutls 7.19.7-1ubuntu1.9
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution.
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.20. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able change the password of a
local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was improved through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
disclosure of unexpected application termination or arbitrary code
execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6. These were addressed by updating Python to version
2.7.10.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJVzM3+AAoJEBcWfLTuOo7tx/YP/RTsUUx0UTk7rXj6AEcHmiR4
Y2xTUOXqRmxhieSbsGK9laKL5++lIzkGh5RC7oYag0+OgWtZz+EU/EtdoEJmGNJ6
+PgoEnizYdKhO1kos1KCHOwG6UFCqoeEm6Icm33nVUqWp7uAmhVRMRxtMJEScLSR
2LpsK0grIhFXtJGqu053TSKSCa1UTab8XWteZTT84uFGMSKbAFONj5CPIrR6+uev
QpVTwrnskPDBOXJwGhjypvIBTbt2aa1wjCukOAWFHwf7Pma/QUdhKRkUK4vAb9/k
fu2t2fBOvSMguJHRO+340NsQR9LvmdruBeAyNUH64srF1jtbAg0QnvZsPyO5aIyR
A8WrzHl3oIc0II0y7VpI+3o0J3Nn03EcBPtIKeoeyznnjNziDm72HPI2d2+5ZSRz
xjAd4Nmw+dgGq+UMkusIXgtRK4HcEpwzfImf3zqnKHakSncnFPhGKyNEgn8bK9a7
AeAvSqMXXsJg8weHUF2NLnAn/42k2wIE8d5BOLaIy13xz6MJn7VUI21pK0zCaGBF
sfkRFZP0eEVh8ZzU/nWp9E5KDpbsd72biJwvjWH4OrmkfzUWxStQiVwPTxtZD9LW
c5ZWe+vqZJV9eYRH2hAOMPaYkOQ5Z4DySNVVOFAG0eq9til8+V0k3L7ipIVd2XUB
msu6gVP8uZhFYNb8byVJ
=+0e/
-----END PGP SIGNATURE-----
.
libcurl can in some circumstances re-use the wrong connection when
asked to do transfers using other protocols than HTTP and FTP, causing
a transfer that was initiated by an application to wrongfully re-use
an existing connection to the same server that was authenticated
using different credentials (CVE-2014-0138).
libcurl incorrectly validates wildcard SSL certificates containing
literal IP addresses, so under certain conditions, it would allow
and use a wildcard match specified in the CN field, allowing a
malicious server to participate in a MITM attack or just fool users
into believing that it is a legitimate site (CVE-2014-0139). For this problem to trigger, the client application must use
the numerical IP address in the URL to access the site (CVE-2014-3613).
Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL has a bug that can lead to libcurl eventually sending off
sensitive data that was not intended for sending, while performing
a HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and
curl_easy_duphandle() to be used in that order, and then the duplicate
handle must be used to perform the HTTP POST. If the given URL
contains line feeds and carriage returns those will be sent along to
the proxy too, which allows the program to for example send a separate
HTTP request injected embedded in the URL (CVE-2014-8150).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150
http://advisories.mageia.org/MGASA-2014-0153.html
http://advisories.mageia.org/MGASA-2014-0385.html
http://advisories.mageia.org/MGASA-2014-0444.html
http://advisories.mageia.org/MGASA-2015-0020.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
498d59be3a6a4ace215c0d98fb4abede mbs2/x86_64/curl-7.34.0-3.1.mbs2.x86_64.rpm
75a821b73a75ca34f1747a0f7479267f mbs2/x86_64/curl-examples-7.34.0-3.1.mbs2.noarch.rpm
f5d3aad5f0fd9db68b87c648aaabbb4a mbs2/x86_64/lib64curl4-7.34.0-3.1.mbs2.x86_64.rpm
4f356a2c97f9f64124b4e8ebe307826a mbs2/x86_64/lib64curl-devel-7.34.0-3.1.mbs2.x86_64.rpm
d010a357d76a8eb967c7c52f92fb35ae mbs2/SRPMS/curl-7.34.0-3.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: curl security, bug fix, and enhancement update
Advisory ID: RHSA-2015:1254-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1254.html
Issue date: 2015-07-22
Updated on: 2014-12-15
CVE Names: CVE-2014-3613 CVE-2014-3707 CVE-2014-8150
CVE-2015-3143 CVE-2015-3148
=====================================================================
1. Summary:
Updated curl packages that fix multiple security issues, several bugs, and
add two enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
3. Description:
The curl packages provide the libcurl library and the curl utility for
downloading files from servers using various protocols, including HTTP,
FTP, and LDAP.
It was found that the libcurl library did not correctly handle partial
literal IP addresses when parsing received HTTP cookies. An attacker able
to trick a user into connecting to a malicious server could use this flaw
to set the user's cookie to a crafted domain, making other cookie-related
issues easier to exploit. (CVE-2014-3613)
A flaw was found in the way the libcurl library performed the duplication
of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS
option for a handle, using the handle's duplicate could cause the
application to crash or disclose a portion of its memory. (CVE-2014-3707)
It was discovered that the libcurl library failed to properly handle URLs
with embedded end-of-line characters. An attacker able to make an
application using libcurl to access a specially crafted URL via an HTTP
proxy could use this flaw to inject additional headers to the request or
construct additional requests. (CVE-2014-8150)
It was discovered that libcurl implemented aspects of the NTLM and
Negotatiate authentication incorrectly. If an application uses libcurl
and the affected mechanisms in a specifc way, certain requests to a
previously NTLM-authenticated server could appears as sent by the wrong
authenticated user. Additionally, the initial set of credentials for HTTP
Negotiate-authenticated requests could be reused in subsequent requests,
although a different set of credentials was specified. (CVE-2015-3143,
CVE-2015-3148)
Red Hat would like to thank the cURL project for reporting these issues.
Bug fixes:
* An out-of-protocol fallback to SSL version 3.0 (SSLv3.0) was available
with libcurl. Attackers could abuse the fallback to force downgrade of the
SSL version. The fallback has been removed from libcurl. Users requiring
this functionality can explicitly enable SSLv3.0 through the libcurl API.
(BZ#1154059)
* A single upload transfer through the FILE protocol opened the destination
file twice. If the inotify kernel subsystem monitored the file, two events
were produced unnecessarily. The file is now opened only once per upload.
(BZ#883002)
* Utilities using libcurl for SCP/SFTP transfers could terminate
unexpectedly when the system was running in FIPS mode. (BZ#1008178)
* Using the "--retry" option with the curl utility could cause curl to
terminate unexpectedly with a segmentation fault. Now, adding "--retry" no
longer causes curl to crash. (BZ#1009455)
* The "curl --trace-time" command did not use the correct local time when
printing timestamps. Now, "curl --trace-time" works as expected.
(BZ#1120196)
* The valgrind utility could report dynamically allocated memory leaks on
curl exit. Now, curl performs a global shutdown of the NetScape Portable
Runtime (NSPR) library on exit, and valgrind no longer reports the memory
leaks. (BZ#1146528)
* Previously, libcurl returned an incorrect value of the
CURLINFO_HEADER_SIZE field when a proxy server appended its own headers to
the HTTP response. Now, the returned value is valid. (BZ#1161163)
Enhancements:
* The "--tlsv1.0", "--tlsv1.1", and "--tlsv1.2" options are available for
specifying the minor version of the TLS protocol to be negotiated by NSS.
The "--tlsv1" option now negotiates the highest version of the TLS protocol
supported by both the client and the server. (BZ#1012136)
* It is now possible to explicitly enable or disable the ECC and the new
AES cipher suites to be used for TLS. (BZ#1058767, BZ#1156422)
All curl users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
835898 - Bug in DNS cache causes connections until restart of libcurl-using processes
883002 - curl used with file:// protocol opens and closes a destination file twice
997185 - sendrecv.c example incorrect type for sockfd
1008178 - curl scp download fails in fips mode
1011083 - CA certificate cannot be specified by nickname [documentation bug]
1011101 - manpage typos found using aspell
1058767 - curl does not support ECDSA certificates
1104160 - Link in curl man page is wrong
1136154 - CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain
1154059 - curl: Disable out-of-protocol fallback to SSL 3.0
1154747 - NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
1154941 - CVE-2014-3707 curl: incorrect handle duplication after COPYPOSTFIELDS
1156422 - curl does not allow explicit control of DHE ciphers
1161163 - Response headers added by proxy servers missing in CURLINFO_HEADER_SIZE
1168137 - curl closes connection after HEAD request fails
1178692 - CVE-2014-8150 curl: URL request injection vulnerability in parseurlandfillconn()
1213306 - CVE-2015-3143 curl: re-using authenticated connection when unauthenticated
1213351 - CVE-2015-3148 curl: Negotiate not treated as connection-oriented
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
curl-7.19.7-46.el6.src.rpm
i386:
curl-7.19.7-46.el6.i686.rpm
curl-debuginfo-7.19.7-46.el6.i686.rpm
libcurl-7.19.7-46.el6.i686.rpm
x86_64:
curl-7.19.7-46.el6.x86_64.rpm
curl-debuginfo-7.19.7-46.el6.i686.rpm
curl-debuginfo-7.19.7-46.el6.x86_64.rpm
libcurl-7.19.7-46.el6.i686.rpm
libcurl-7.19.7-46.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
curl-debuginfo-7.19.7-46.el6.i686.rpm
libcurl-devel-7.19.7-46.el6.i686.rpm
x86_64:
curl-debuginfo-7.19.7-46.el6.i686.rpm
curl-debuginfo-7.19.7-46.el6.x86_64.rpm
libcurl-devel-7.19.7-46.el6.i686.rpm
libcurl-devel-7.19.7-46.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
curl-7.19.7-46.el6.src.rpm
x86_64:
curl-7.19.7-46.el6.x86_64.rpm
curl-debuginfo-7.19.7-46.el6.i686.rpm
curl-debuginfo-7.19.7-46.el6.x86_64.rpm
libcurl-7.19.7-46.el6.i686.rpm
libcurl-7.19.7-46.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
curl-debuginfo-7.19.7-46.el6.i686.rpm
curl-debuginfo-7.19.7-46.el6.x86_64.rpm
libcurl-devel-7.19.7-46.el6.i686.rpm
libcurl-devel-7.19.7-46.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
curl-7.19.7-46.el6.src.rpm
i386:
curl-7.19.7-46.el6.i686.rpm
curl-debuginfo-7.19.7-46.el6.i686.rpm
libcurl-7.19.7-46.el6.i686.rpm
libcurl-devel-7.19.7-46.el6.i686.rpm
ppc64:
curl-7.19.7-46.el6.ppc64.rpm
curl-debuginfo-7.19.7-46.el6.ppc.rpm
curl-debuginfo-7.19.7-46.el6.ppc64.rpm
libcurl-7.19.7-46.el6.ppc.rpm
libcurl-7.19.7-46.el6.ppc64.rpm
libcurl-devel-7.19.7-46.el6.ppc.rpm
libcurl-devel-7.19.7-46.el6.ppc64.rpm
s390x:
curl-7.19.7-46.el6.s390x.rpm
curl-debuginfo-7.19.7-46.el6.s390.rpm
curl-debuginfo-7.19.7-46.el6.s390x.rpm
libcurl-7.19.7-46.el6.s390.rpm
libcurl-7.19.7-46.el6.s390x.rpm
libcurl-devel-7.19.7-46.el6.s390.rpm
libcurl-devel-7.19.7-46.el6.s390x.rpm
x86_64:
curl-7.19.7-46.el6.x86_64.rpm
curl-debuginfo-7.19.7-46.el6.i686.rpm
curl-debuginfo-7.19.7-46.el6.x86_64.rpm
libcurl-7.19.7-46.el6.i686.rpm
libcurl-7.19.7-46.el6.x86_64.rpm
libcurl-devel-7.19.7-46.el6.i686.rpm
libcurl-devel-7.19.7-46.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
curl-7.19.7-46.el6.src.rpm
i386:
curl-7.19.7-46.el6.i686.rpm
curl-debuginfo-7.19.7-46.el6.i686.rpm
libcurl-7.19.7-46.el6.i686.rpm
libcurl-devel-7.19.7-46.el6.i686.rpm
x86_64:
curl-7.19.7-46.el6.x86_64.rpm
curl-debuginfo-7.19.7-46.el6.i686.rpm
curl-debuginfo-7.19.7-46.el6.x86_64.rpm
libcurl-7.19.7-46.el6.i686.rpm
libcurl-7.19.7-46.el6.x86_64.rpm
libcurl-devel-7.19.7-46.el6.i686.rpm
libcurl-devel-7.19.7-46.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-3613
https://access.redhat.com/security/cve/CVE-2014-3707
https://access.redhat.com/security/cve/CVE-2014-8150
https://access.redhat.com/security/cve/CVE-2015-3143
https://access.redhat.com/security/cve/CVE-2015-3148
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVrzSJXlSAg2UNWIIRAnEiAJ9xqOogsAzooomZ4VeMgA+gUwEuTwCfTzMn
emWApg/iYw5vIs3rWoqmU7A=
=p+Xb
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
For the stable distribution (wheezy), these problems have been fixed in
version 7.26.0-1+wheezy10.
For the testing distribution (jessie), these problems have been fixed in
version 7.38.0-1.
For the unstable distribution (sid), these problems have been fixed in
version 7.38.0-1.
We recommend that you upgrade your curl packages |
|
var-201912-0635
|
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to arbitrary code execution. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * Arbitrary code execution * Insufficient access restrictions * information leak * Service operation interruption (DoS) * Information falsification * Privilege escalation * Sandbox avoidance. WebKit is prone to the following security vulnerabilities:
1. Multiple cross-site scripting vulnerabilities
2. Multiple memory-corruption vulnerabilities
Attackers can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or execute arbitrary code and perform unauthorized actions; Failed exploit attempts will result in denial-of-service conditions. Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. A memory corruption vulnerability exists in the WebKit component of several Apple products. The following products and versions are affected: Apple iOS prior to 12.4; Windows-based iTunes prior to 12.9.6; tvOS prior to 12.4; Safari prior to 12.1.2; Windows-based iCloud prior to 10.6 and prior to 7.13; macOS Versions prior to Mojave 10.14.6. WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded. (CVE-2019-6237)
WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge. (CVE-2019-8601)
An out-of-bounds read was addressed with improved input validation. (CVE-2019-8644)
A logic issue existed in the handling of synchronous page loads. (CVE-2019-8689)
A logic issue existed in the handling of document loads. (CVE-2019-8719)
This fixes a remote code execution in webkitgtk4. No further details are available in NIST. This issue is fixed in watchOS 6.1. This issue is fixed in watchOS 6.1. This issue is fixed in watchOS 6.1. (CVE-2019-8766)
"Clear History and Website Data" did not clear the history. The issue was addressed with improved data deletion. This issue is fixed in macOS Catalina 10.15. A user may be unable to delete browsing history items. (CVE-2019-8768)
An issue existed in the drawing of web page elements. Visiting a maliciously crafted website may reveal browsing history. (CVE-2019-8769)
This issue was addressed with improved iframe sandbox enforcement. (CVE-2019-8846)
WebKitGTK up to and including 2.26.4 and WPE WebKit up to and including 2.26.4 (which are the versions right prior to 2.28.0) contains a memory corruption issue (use-after-free) that may lead to arbitrary code execution. (CVE-2020-10018)
A use-after-free flaw exists in WebKitGTK. This flaw allows remote malicious users to execute arbitrary code or cause a denial of service. A malicious website may be able to cause a denial of service. A DOM object context may not have had a unique security origin. A file URL may be incorrectly processed. (CVE-2020-3885)
A race condition was addressed with additional validation. An application may be able to read restricted memory. (CVE-2020-3901)
An input validation issue was addressed with improved input validation. (CVE-2020-3902). JSC: DFG: Loop-invariant code motion (LICM) leaves object property access unguarded
Related CVE Numbers: CVE-2019-8671.
While fuzzing JavaScriptCore, I encountered the following (modified and commented) JavaScript program which crashes jsc from current HEAD and release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc):
function v2(trigger) {
// Force JIT compilation.
for (let v7 = 0; v7 < 1000000; v7++) { }
if (!trigger) {
// Will synthesize .length, .callee, and Symbol.iterator.
// See ScopedArguments::overrideThings [1]
arguments.length = 1;
}
for (let v11 = 0; v11 < 10; v11++) {
// The for-of loop (really the inlined array iterator) will fetch the
// .length property after a StructureCheck. However, the property fetch
// will be hoisted in front of the outer loop by LICM but the
// StructureCheck won't. Then, in the final invocation it will crash
// because .length hasn't been synthezised yet (and thus the butterfly
// is nullptr).
for (const v14 of arguments) {
const v18 = {a:1337};
// The with statement here probably prevents escape analysis /
// object allocation elimination from moving v18 into the stack,
// thus forcing DFG to actually allocate v18. Then, LICM sees a
// write to structure IDs (from the object allocation) and thus
// cannot hoist the structure check (reading a structure ID) in
// front of the loop.
with (v18) { }
}
}
}
for (let v23 = 0; v23 < 100; v23++) {
v2(false);
}
print(\"Triggering crash\");
v2(true);
Here is what appears to be happening:
When v2 is optimized by the FTL JIT, it will inline the ArrayIterator.next function for the for-of loop and thus produce the following DFG IR (of which many details were omitted for readability):
Block #8 (Before outer loop)
...
Block #10 (bc#180): \t\t(Outer loop)
104:<!0:-> CheckStructure(Check:Cell:@97, MustGen, [%Cp:Arguments], R:JSCell_structureID, Exits, bc#201, ExitValid)
105:< 2:-> GetButterfly(Cell:@97, Storage|UseAsOther, Other, R:JSObject_butterfly, Exits, bc#201, ExitValid)
Block #12 (bc#464 --> next#<no-hash>:<0x10a8a08c0> bc#43 --> arrayIteratorValueNext#<no-hash>:<0x10a8a0a00> bc#29): (Inner loop header)
378:< 4:-> GetByOffset(Check:Untyped:@105, KnownCell:@97, JS|PureInt|UseAsInt, BoolInt32, id2{length}, 100, R:NamedProperties(2), Exits, bc#34, ExitValid) predicting BoolInt32
Block #17 (bc#487): \t\t(Inner loop body)
267:< 8:-> NewObject(JS|UseAsOther, Final, %B8:Object, R:HeapObjectCount, W:HeapObjectCount, Exits, bc#274, ExitValid)
273:<!0:-> PutByOffset(KnownCell:@267, KnownCell:@267, Check:Untyped:@270, MustGen, id7{a}, 0, W:NamedProperties(7), ClobbersExit, bc#278, ExitValid)
274:<!0:-> PutStructure(KnownCell:@267, MustGen, %B8:Object -> %EQ:Object, ID:45419, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#278, ExitInvalid)
Eventually, the loop-invariant code motion optimization runs [2], changing graph to the following:
Block #8 (Before outer loop)
...
105:< 2:-> GetButterfly(Cell:@97, Storage|UseAsOther, Other, R:JSObject_butterfly, Exits, bc#201, ExitValid)
378:< 4:-> GetByOffset(Check:Untyped:@105, KnownCell:@97, JS|PureInt|UseAsInt, BoolInt32, id2{length}, 100, R:NamedProperties(2), Exits, bc#34, ExitValid) predicting BoolInt32
Block #10 (bc#180): \t\t(Outer loop)
104:<!0:-> CheckStructure(Check:Cell:@97, MustGen, [%Cp:Arguments], R:JSCell_structureID, Exits, bc#201, ExitValid)
Block #12 (bc#464 --> next#<no-hash>:<0x10a8a08c0> bc#43 --> arrayIteratorValueNext#<no-hash>:<0x10a8a0a00> bc#29): (Inner loop header)
Block #17 (bc#487): \t\t(Inner loop body)
267:< 8:-> NewObject(JS|UseAsOther, Final, %B8:Object, R:HeapObjectCount, W:HeapObjectCount, Exits, bc#274, ExitValid)
273:<!0:-> PutByOffset(KnownCell:@267, KnownCell:@267, Check:Untyped:@270, MustGen, id7{a}, 0, W:NamedProperties(7), ClobbersExit, bc#278, ExitValid)
274:<!0:-> PutStructure(KnownCell:@267, MustGen, %B8:Object -> %EQ:Object, ID:45419, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#278, ExitInvalid)
Here, the GetButterfly and GetByOffset operations, responsible for loading the .length property, were moved in front of the StructureCheck which is supposed to ensure that .length can be loaded in this way. This is clearly unsafe and will lead to a crash in the final invocation of the function when .length is not \"synthesized\" and thus the butterfly is nullptr.
To understand why this happens it is necessary to look at the requirements for hoisting operations [3]. One of them is that \"The node doesn't read anything that the loop writes.\". In this case the CheckStructure operation reads the structure ID from the object (\"R:JSCell_structureID\" in the IR above) and the PutStructure writes a structure ID (\"W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType\") as such the check cannot be hoisted because DFG cannot prove that the read value doesn't change in the loop body (note that here the compiler acts conservatively as it could, in this specific instance, determine that the structure ID being written to inside the loop is definitely not the one being read. It doesn't do so and instead only tracks abstract \"heap locations\" like the JSCell_structureID). However, as no operation in the loop bodies writes to either the JSObject_butterfly or the NamedProperties heap location (i.e. no Butterfly pointer or NamedProperty slot is ever written to inside the loop body), LICM incorrectly determined that the GetButterfly and GetByOffset operations could safely be hoisted in front of the loop body. See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1775 and https://bugs.chromium.org/p/project-zero/issues/detail?id=1789 for more information about the LICM optimization.
I suspect that this issue is more general (not limited to just `argument` objects) and allows bypassing of various StructureChecks in the JIT, thus likely being exploitable in many ways. However, I haven't confirmed that.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
[1] https://github.com/WebKit/webkit/blob/5dfe4ae818eba9866d5979035b72c482c16cbd6b/Source/JavaScriptCore/runtime/ScopedArguments.cpp#L130
[2] https://github.com/WebKit/webkit/blob/5dfe4ae818eba9866d5979035b72c482c16cbd6b/Source/JavaScriptCore/dfg/DFGPlan.cpp#L445
[3] https://github.com/WebKit/webkit/blob/5dfe4ae818eba9866d5979035b72c482c16cbd6b/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp#L168
Found by: saelo@google.com
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201909-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: WebkitGTK+: Multiple vulnerabilities
Date: September 06, 2019
Bugs: #683234, #686216, #693122
ID: 201909-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in WebkitGTK+, the worst of
which could result in the arbitrary execution of code.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.24.4 >= 2.24.4
Description
===========
Multiple vulnerabilities have been discovered in WebkitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebkitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.24.4"
References
==========
[ 1 ] CVE-2019-11070
https://nvd.nist.gov/vuln/detail/CVE-2019-11070
[ 2 ] CVE-2019-6201
https://nvd.nist.gov/vuln/detail/CVE-2019-6201
[ 3 ] CVE-2019-6251
https://nvd.nist.gov/vuln/detail/CVE-2019-6251
[ 4 ] CVE-2019-7285
https://nvd.nist.gov/vuln/detail/CVE-2019-7285
[ 5 ] CVE-2019-7292
https://nvd.nist.gov/vuln/detail/CVE-2019-7292
[ 6 ] CVE-2019-8503
https://nvd.nist.gov/vuln/detail/CVE-2019-8503
[ 7 ] CVE-2019-8506
https://nvd.nist.gov/vuln/detail/CVE-2019-8506
[ 8 ] CVE-2019-8515
https://nvd.nist.gov/vuln/detail/CVE-2019-8515
[ 9 ] CVE-2019-8518
https://nvd.nist.gov/vuln/detail/CVE-2019-8518
[ 10 ] CVE-2019-8523
https://nvd.nist.gov/vuln/detail/CVE-2019-8523
[ 11 ] CVE-2019-8524
https://nvd.nist.gov/vuln/detail/CVE-2019-8524
[ 12 ] CVE-2019-8535
https://nvd.nist.gov/vuln/detail/CVE-2019-8535
[ 13 ] CVE-2019-8536
https://nvd.nist.gov/vuln/detail/CVE-2019-8536
[ 14 ] CVE-2019-8544
https://nvd.nist.gov/vuln/detail/CVE-2019-8544
[ 15 ] CVE-2019-8551
https://nvd.nist.gov/vuln/detail/CVE-2019-8551
[ 16 ] CVE-2019-8558
https://nvd.nist.gov/vuln/detail/CVE-2019-8558
[ 17 ] CVE-2019-8559
https://nvd.nist.gov/vuln/detail/CVE-2019-8559
[ 18 ] CVE-2019-8563
https://nvd.nist.gov/vuln/detail/CVE-2019-8563
[ 19 ] CVE-2019-8595
https://nvd.nist.gov/vuln/detail/CVE-2019-8595
[ 20 ] CVE-2019-8607
https://nvd.nist.gov/vuln/detail/CVE-2019-8607
[ 21 ] CVE-2019-8615
https://nvd.nist.gov/vuln/detail/CVE-2019-8615
[ 22 ] CVE-2019-8644
https://nvd.nist.gov/vuln/detail/CVE-2019-8644
[ 23 ] CVE-2019-8644
https://nvd.nist.gov/vuln/detail/CVE-2019-8644
[ 24 ] CVE-2019-8649
https://nvd.nist.gov/vuln/detail/CVE-2019-8649
[ 25 ] CVE-2019-8649
https://nvd.nist.gov/vuln/detail/CVE-2019-8649
[ 26 ] CVE-2019-8658
https://nvd.nist.gov/vuln/detail/CVE-2019-8658
[ 27 ] CVE-2019-8658
https://nvd.nist.gov/vuln/detail/CVE-2019-8658
[ 28 ] CVE-2019-8666
https://nvd.nist.gov/vuln/detail/CVE-2019-8666
[ 29 ] CVE-2019-8666
https://nvd.nist.gov/vuln/detail/CVE-2019-8666
[ 30 ] CVE-2019-8669
https://nvd.nist.gov/vuln/detail/CVE-2019-8669
[ 31 ] CVE-2019-8669
https://nvd.nist.gov/vuln/detail/CVE-2019-8669
[ 32 ] CVE-2019-8671
https://nvd.nist.gov/vuln/detail/CVE-2019-8671
[ 33 ] CVE-2019-8671
https://nvd.nist.gov/vuln/detail/CVE-2019-8671
[ 34 ] CVE-2019-8672
https://nvd.nist.gov/vuln/detail/CVE-2019-8672
[ 35 ] CVE-2019-8672
https://nvd.nist.gov/vuln/detail/CVE-2019-8672
[ 36 ] CVE-2019-8673
https://nvd.nist.gov/vuln/detail/CVE-2019-8673
[ 37 ] CVE-2019-8673
https://nvd.nist.gov/vuln/detail/CVE-2019-8673
[ 38 ] CVE-2019-8676
https://nvd.nist.gov/vuln/detail/CVE-2019-8676
[ 39 ] CVE-2019-8676
https://nvd.nist.gov/vuln/detail/CVE-2019-8676
[ 40 ] CVE-2019-8677
https://nvd.nist.gov/vuln/detail/CVE-2019-8677
[ 41 ] CVE-2019-8677
https://nvd.nist.gov/vuln/detail/CVE-2019-8677
[ 42 ] CVE-2019-8678
https://nvd.nist.gov/vuln/detail/CVE-2019-8678
[ 43 ] CVE-2019-8678
https://nvd.nist.gov/vuln/detail/CVE-2019-8678
[ 44 ] CVE-2019-8679
https://nvd.nist.gov/vuln/detail/CVE-2019-8679
[ 45 ] CVE-2019-8679
https://nvd.nist.gov/vuln/detail/CVE-2019-8679
[ 46 ] CVE-2019-8680
https://nvd.nist.gov/vuln/detail/CVE-2019-8680
[ 47 ] CVE-2019-8680
https://nvd.nist.gov/vuln/detail/CVE-2019-8680
[ 48 ] CVE-2019-8681
https://nvd.nist.gov/vuln/detail/CVE-2019-8681
[ 49 ] CVE-2019-8681
https://nvd.nist.gov/vuln/detail/CVE-2019-8681
[ 50 ] CVE-2019-8683
https://nvd.nist.gov/vuln/detail/CVE-2019-8683
[ 51 ] CVE-2019-8683
https://nvd.nist.gov/vuln/detail/CVE-2019-8683
[ 52 ] CVE-2019-8684
https://nvd.nist.gov/vuln/detail/CVE-2019-8684
[ 53 ] CVE-2019-8684
https://nvd.nist.gov/vuln/detail/CVE-2019-8684
[ 54 ] CVE-2019-8686
https://nvd.nist.gov/vuln/detail/CVE-2019-8686
[ 55 ] CVE-2019-8686
https://nvd.nist.gov/vuln/detail/CVE-2019-8686
[ 56 ] CVE-2019-8687
https://nvd.nist.gov/vuln/detail/CVE-2019-8687
[ 57 ] CVE-2019-8687
https://nvd.nist.gov/vuln/detail/CVE-2019-8687
[ 58 ] CVE-2019-8688
https://nvd.nist.gov/vuln/detail/CVE-2019-8688
[ 59 ] CVE-2019-8688
https://nvd.nist.gov/vuln/detail/CVE-2019-8688
[ 60 ] CVE-2019-8689
https://nvd.nist.gov/vuln/detail/CVE-2019-8689
[ 61 ] CVE-2019-8689
https://nvd.nist.gov/vuln/detail/CVE-2019-8689
[ 62 ] CVE-2019-8690
https://nvd.nist.gov/vuln/detail/CVE-2019-8690
[ 63 ] CVE-2019-8690
https://nvd.nist.gov/vuln/detail/CVE-2019-8690
[ 64 ] WSA-2019-0002
https://webkitgtk.org/security/WSA-2019-0002.html
[ 65 ] WSA-2019-0004
https://webkitgtk.org/security/WSA-2019-0004.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201909-05
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: webkitgtk4 security, bug fix, and enhancement update
Advisory ID: RHSA-2020:4035-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4035
Issue date: 2020-09-29
CVE Names: CVE-2019-6237 CVE-2019-6251 CVE-2019-8506
CVE-2019-8524 CVE-2019-8535 CVE-2019-8536
CVE-2019-8544 CVE-2019-8551 CVE-2019-8558
CVE-2019-8559 CVE-2019-8563 CVE-2019-8571
CVE-2019-8583 CVE-2019-8584 CVE-2019-8586
CVE-2019-8587 CVE-2019-8594 CVE-2019-8595
CVE-2019-8596 CVE-2019-8597 CVE-2019-8601
CVE-2019-8607 CVE-2019-8608 CVE-2019-8609
CVE-2019-8610 CVE-2019-8611 CVE-2019-8615
CVE-2019-8619 CVE-2019-8622 CVE-2019-8623
CVE-2019-8625 CVE-2019-8644 CVE-2019-8649
CVE-2019-8658 CVE-2019-8666 CVE-2019-8669
CVE-2019-8671 CVE-2019-8672 CVE-2019-8673
CVE-2019-8674 CVE-2019-8676 CVE-2019-8677
CVE-2019-8678 CVE-2019-8679 CVE-2019-8680
CVE-2019-8681 CVE-2019-8683 CVE-2019-8684
CVE-2019-8686 CVE-2019-8687 CVE-2019-8688
CVE-2019-8689 CVE-2019-8690 CVE-2019-8707
CVE-2019-8710 CVE-2019-8719 CVE-2019-8720
CVE-2019-8726 CVE-2019-8733 CVE-2019-8735
CVE-2019-8743 CVE-2019-8763 CVE-2019-8764
CVE-2019-8765 CVE-2019-8766 CVE-2019-8768
CVE-2019-8769 CVE-2019-8771 CVE-2019-8782
CVE-2019-8783 CVE-2019-8808 CVE-2019-8811
CVE-2019-8812 CVE-2019-8813 CVE-2019-8814
CVE-2019-8815 CVE-2019-8816 CVE-2019-8819
CVE-2019-8820 CVE-2019-8821 CVE-2019-8822
CVE-2019-8823 CVE-2019-8835 CVE-2019-8844
CVE-2019-8846 CVE-2019-11070 CVE-2020-3862
CVE-2020-3864 CVE-2020-3865 CVE-2020-3867
CVE-2020-3868 CVE-2020-3885 CVE-2020-3894
CVE-2020-3895 CVE-2020-3897 CVE-2020-3899
CVE-2020-3900 CVE-2020-3901 CVE-2020-3902
CVE-2020-10018 CVE-2020-11793
====================================================================
1. Summary:
An update for webkitgtk4 is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, s390x
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
3. Description:
WebKitGTK+ is port of the WebKit portable web rendering engine to the GTK+
platform. These packages provide WebKitGTK+ for GTK+ 3.
The following packages have been upgraded to a later upstream version:
webkitgtk4 (2.28.2). (BZ#1817144)
Security Fix(es):
* webkitgtk: Multiple security issues (CVE-2019-6237, CVE-2019-6251,
CVE-2019-8506, CVE-2019-8524, CVE-2019-8535, CVE-2019-8536, CVE-2019-8544,
CVE-2019-8551, CVE-2019-8558, CVE-2019-8559, CVE-2019-8563, CVE-2019-8571,
CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594,
CVE-2019-8595, CVE-2019-8596, CVE-2019-8597, CVE-2019-8601, CVE-2019-8607,
CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8611, CVE-2019-8615,
CVE-2019-8619, CVE-2019-8622, CVE-2019-8623, CVE-2019-8625, CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671,
CVE-2019-8672, CVE-2019-8673, CVE-2019-8674, CVE-2019-8676, CVE-2019-8677,
CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683,
CVE-2019-8684, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689,
CVE-2019-8690, CVE-2019-8707, CVE-2019-8710, CVE-2019-8719, CVE-2019-8720,
CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8743, CVE-2019-8763,
CVE-2019-8764, CVE-2019-8765, CVE-2019-8766, CVE-2019-8768, CVE-2019-8769,
CVE-2019-8771, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811,
CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816,
CVE-2019-8819, CVE-2019-8820, CVE-2019-8821, CVE-2019-8822, CVE-2019-8823,
CVE-2019-8835, CVE-2019-8844, CVE-2019-8846, CVE-2019-11070, CVE-2020-3862,
CVE-2020-3864, CVE-2020-3865, CVE-2020-3867, CVE-2020-3868, CVE-2020-3885,
CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900,
CVE-2020-3901, CVE-2020-3902, CVE-2020-10018, CVE-2020-11793)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
webkitgtk4-2.28.2-2.el7.src.rpm
x86_64:
webkitgtk4-2.28.2-2.el7.i686.rpm
webkitgtk4-2.28.2-2.el7.x86_64.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.i686.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.x86_64.rpm
webkitgtk4-jsc-2.28.2-2.el7.i686.rpm
webkitgtk4-jsc-2.28.2-2.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
webkitgtk4-doc-2.28.2-2.el7.noarch.rpm
x86_64:
webkitgtk4-debuginfo-2.28.2-2.el7.i686.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.x86_64.rpm
webkitgtk4-devel-2.28.2-2.el7.i686.rpm
webkitgtk4-devel-2.28.2-2.el7.x86_64.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.i686.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
webkitgtk4-2.28.2-2.el7.src.rpm
x86_64:
webkitgtk4-2.28.2-2.el7.i686.rpm
webkitgtk4-2.28.2-2.el7.x86_64.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.i686.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.x86_64.rpm
webkitgtk4-jsc-2.28.2-2.el7.i686.rpm
webkitgtk4-jsc-2.28.2-2.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
webkitgtk4-doc-2.28.2-2.el7.noarch.rpm
x86_64:
webkitgtk4-debuginfo-2.28.2-2.el7.i686.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.x86_64.rpm
webkitgtk4-devel-2.28.2-2.el7.i686.rpm
webkitgtk4-devel-2.28.2-2.el7.x86_64.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.i686.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
webkitgtk4-2.28.2-2.el7.src.rpm
ppc64:
webkitgtk4-2.28.2-2.el7.ppc.rpm
webkitgtk4-2.28.2-2.el7.ppc64.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.ppc.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.ppc64.rpm
webkitgtk4-jsc-2.28.2-2.el7.ppc.rpm
webkitgtk4-jsc-2.28.2-2.el7.ppc64.rpm
ppc64le:
webkitgtk4-2.28.2-2.el7.ppc64le.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.ppc64le.rpm
webkitgtk4-devel-2.28.2-2.el7.ppc64le.rpm
webkitgtk4-jsc-2.28.2-2.el7.ppc64le.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.ppc64le.rpm
s390x:
webkitgtk4-2.28.2-2.el7.s390.rpm
webkitgtk4-2.28.2-2.el7.s390x.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.s390.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.s390x.rpm
webkitgtk4-jsc-2.28.2-2.el7.s390.rpm
webkitgtk4-jsc-2.28.2-2.el7.s390x.rpm
x86_64:
webkitgtk4-2.28.2-2.el7.i686.rpm
webkitgtk4-2.28.2-2.el7.x86_64.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.i686.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.x86_64.rpm
webkitgtk4-devel-2.28.2-2.el7.i686.rpm
webkitgtk4-devel-2.28.2-2.el7.x86_64.rpm
webkitgtk4-jsc-2.28.2-2.el7.i686.rpm
webkitgtk4-jsc-2.28.2-2.el7.x86_64.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.i686.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
webkitgtk4-doc-2.28.2-2.el7.noarch.rpm
ppc64:
webkitgtk4-debuginfo-2.28.2-2.el7.ppc.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.ppc64.rpm
webkitgtk4-devel-2.28.2-2.el7.ppc.rpm
webkitgtk4-devel-2.28.2-2.el7.ppc64.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.ppc.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.ppc64.rpm
s390x:
webkitgtk4-debuginfo-2.28.2-2.el7.s390.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.s390x.rpm
webkitgtk4-devel-2.28.2-2.el7.s390.rpm
webkitgtk4-devel-2.28.2-2.el7.s390x.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.s390.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.s390x.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
webkitgtk4-2.28.2-2.el7.src.rpm
x86_64:
webkitgtk4-2.28.2-2.el7.i686.rpm
webkitgtk4-2.28.2-2.el7.x86_64.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.i686.rpm
webkitgtk4-debuginfo-2.28.2-2.el7.x86_64.rpm
webkitgtk4-devel-2.28.2-2.el7.i686.rpm
webkitgtk4-devel-2.28.2-2.el7.x86_64.rpm
webkitgtk4-jsc-2.28.2-2.el7.i686.rpm
webkitgtk4-jsc-2.28.2-2.el7.x86_64.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.i686.rpm
webkitgtk4-jsc-devel-2.28.2-2.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
webkitgtk4-doc-2.28.2-2.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. References:
https://access.redhat.com/security/cve/CVE-2019-6237
https://access.redhat.com/security/cve/CVE-2019-6251
https://access.redhat.com/security/cve/CVE-2019-8506
https://access.redhat.com/security/cve/CVE-2019-8524
https://access.redhat.com/security/cve/CVE-2019-8535
https://access.redhat.com/security/cve/CVE-2019-8536
https://access.redhat.com/security/cve/CVE-2019-8544
https://access.redhat.com/security/cve/CVE-2019-8551
https://access.redhat.com/security/cve/CVE-2019-8558
https://access.redhat.com/security/cve/CVE-2019-8559
https://access.redhat.com/security/cve/CVE-2019-8563
https://access.redhat.com/security/cve/CVE-2019-8571
https://access.redhat.com/security/cve/CVE-2019-8583
https://access.redhat.com/security/cve/CVE-2019-8584
https://access.redhat.com/security/cve/CVE-2019-8586
https://access.redhat.com/security/cve/CVE-2019-8587
https://access.redhat.com/security/cve/CVE-2019-8594
https://access.redhat.com/security/cve/CVE-2019-8595
https://access.redhat.com/security/cve/CVE-2019-8596
https://access.redhat.com/security/cve/CVE-2019-8597
https://access.redhat.com/security/cve/CVE-2019-8601
https://access.redhat.com/security/cve/CVE-2019-8607
https://access.redhat.com/security/cve/CVE-2019-8608
https://access.redhat.com/security/cve/CVE-2019-8609
https://access.redhat.com/security/cve/CVE-2019-8610
https://access.redhat.com/security/cve/CVE-2019-8611
https://access.redhat.com/security/cve/CVE-2019-8615
https://access.redhat.com/security/cve/CVE-2019-8619
https://access.redhat.com/security/cve/CVE-2019-8622
https://access.redhat.com/security/cve/CVE-2019-8623
https://access.redhat.com/security/cve/CVE-2019-8625
https://access.redhat.com/security/cve/CVE-2019-8644
https://access.redhat.com/security/cve/CVE-2019-8649
https://access.redhat.com/security/cve/CVE-2019-8658
https://access.redhat.com/security/cve/CVE-2019-8666
https://access.redhat.com/security/cve/CVE-2019-8669
https://access.redhat.com/security/cve/CVE-2019-8671
https://access.redhat.com/security/cve/CVE-2019-8672
https://access.redhat.com/security/cve/CVE-2019-8673
https://access.redhat.com/security/cve/CVE-2019-8674
https://access.redhat.com/security/cve/CVE-2019-8676
https://access.redhat.com/security/cve/CVE-2019-8677
https://access.redhat.com/security/cve/CVE-2019-8678
https://access.redhat.com/security/cve/CVE-2019-8679
https://access.redhat.com/security/cve/CVE-2019-8680
https://access.redhat.com/security/cve/CVE-2019-8681
https://access.redhat.com/security/cve/CVE-2019-8683
https://access.redhat.com/security/cve/CVE-2019-8684
https://access.redhat.com/security/cve/CVE-2019-8686
https://access.redhat.com/security/cve/CVE-2019-8687
https://access.redhat.com/security/cve/CVE-2019-8688
https://access.redhat.com/security/cve/CVE-2019-8689
https://access.redhat.com/security/cve/CVE-2019-8690
https://access.redhat.com/security/cve/CVE-2019-8707
https://access.redhat.com/security/cve/CVE-2019-8710
https://access.redhat.com/security/cve/CVE-2019-8719
https://access.redhat.com/security/cve/CVE-2019-8720
https://access.redhat.com/security/cve/CVE-2019-8726
https://access.redhat.com/security/cve/CVE-2019-8733
https://access.redhat.com/security/cve/CVE-2019-8735
https://access.redhat.com/security/cve/CVE-2019-8743
https://access.redhat.com/security/cve/CVE-2019-8763
https://access.redhat.com/security/cve/CVE-2019-8764
https://access.redhat.com/security/cve/CVE-2019-8765
https://access.redhat.com/security/cve/CVE-2019-8766
https://access.redhat.com/security/cve/CVE-2019-8768
https://access.redhat.com/security/cve/CVE-2019-8769
https://access.redhat.com/security/cve/CVE-2019-8771
https://access.redhat.com/security/cve/CVE-2019-8782
https://access.redhat.com/security/cve/CVE-2019-8783
https://access.redhat.com/security/cve/CVE-2019-8808
https://access.redhat.com/security/cve/CVE-2019-8811
https://access.redhat.com/security/cve/CVE-2019-8812
https://access.redhat.com/security/cve/CVE-2019-8813
https://access.redhat.com/security/cve/CVE-2019-8814
https://access.redhat.com/security/cve/CVE-2019-8815
https://access.redhat.com/security/cve/CVE-2019-8816
https://access.redhat.com/security/cve/CVE-2019-8819
https://access.redhat.com/security/cve/CVE-2019-8820
https://access.redhat.com/security/cve/CVE-2019-8821
https://access.redhat.com/security/cve/CVE-2019-8822
https://access.redhat.com/security/cve/CVE-2019-8823
https://access.redhat.com/security/cve/CVE-2019-8835
https://access.redhat.com/security/cve/CVE-2019-8844
https://access.redhat.com/security/cve/CVE-2019-8846
https://access.redhat.com/security/cve/CVE-2019-11070
https://access.redhat.com/security/cve/CVE-2020-3862
https://access.redhat.com/security/cve/CVE-2020-3864
https://access.redhat.com/security/cve/CVE-2020-3865
https://access.redhat.com/security/cve/CVE-2020-3867
https://access.redhat.com/security/cve/CVE-2020-3868
https://access.redhat.com/security/cve/CVE-2020-3885
https://access.redhat.com/security/cve/CVE-2020-3894
https://access.redhat.com/security/cve/CVE-2020-3895
https://access.redhat.com/security/cve/CVE-2020-3897
https://access.redhat.com/security/cve/CVE-2020-3899
https://access.redhat.com/security/cve/CVE-2020-3900
https://access.redhat.com/security/cve/CVE-2020-3901
https://access.redhat.com/security/cve/CVE-2020-3902
https://access.redhat.com/security/cve/CVE-2020-10018
https://access.redhat.com/security/cve/CVE-2020-11793
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX3OjINzjgjWX9erEAQjqsg/9FnSEJ3umFx0gtnsZIVRP9YxMIVZhVQ8z
rNnK/LGQWq1nPlNC5OF60WRcWA7cC74lh1jl/+xU6p+9JXTq9y9hQTd7Fcf+6T01
RYj2zJe6kGBY/53rhZJKCdb9zNXz1CkqsuvTPqVGIabUWTTlsBFnd6l4GK6QL4kM
XVQZyWtmSfmLII4Ocdav9WocJzH6o1TbEo+O9Fm6WjdVOK+/+VzPki0/dW50CQAK
R8u5tTXZR5m52RLmvhs/LTv3yUnmhEkhvrR0TtuR8KRfcP1/ytNwn3VidFefuAO1
PWrgpjIPWy/kbtZaZWK4fBblYj6bKCVD1SiBKQcOfCq0f16aqRP2niFoDXdAy467
eGu0JHkRsIRCLG2rY+JfOau5KtLRhRr0iRe5AhOVpAtUelzjAvEQEcVv4GmZXcwX
rXfeagSjWzdo8Mf55d7pjORXAKhGdO3FQSeiCvzq9miZq3NBX4Jm4raobeskw/rJ
1ONqg4fE7Gv7rks8QOy5xErwI8Ut1TGJAgYOD8rmRptr05hBWQFJCfmoc4KpxsMe
PJoRag0AZfYxYoMe5avMcGCYHosU63z3wS7gao9flj37NkEi6M134vGmCpPNmpGr
w5HQly9SO3mD0a92xOUn42rrXq841ZkVu89fR6j9wBn8NAKLWH6eUjZkVMNmLRzh
PKg+HFNkMjk=dS3G
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows
for panic (CVE-2020-9283)
* SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169)
* grafana: XSS vulnerability via a column style on the "Dashboard > Table
Panel" screen (CVE-2018-18624)
* js-jquery: prototype pollution in object's prototype leading to denial of
service or remote code execution or property injection (CVE-2019-11358)
* npm-serialize-javascript: XSS via unsafe characters in serialized regular
expressions (CVE-2019-16769)
* kibana: Prototype pollution in TSVB could result in arbitrary code
execution (ESA-2020-06) (CVE-2020-7013)
* nodejs-minimist: prototype pollution allows adding or modifying
properties of Object.prototype using a constructor or __proto__ payload
(CVE-2020-7598)
* npmjs-websocket-extensions: ReDoS vulnerability in
Sec-WebSocket-Extensions parser (CVE-2020-7662)
* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter
method (CVE-2020-11022)
* jQuery: passing HTML containing <option> elements to manipulation methods
could result in untrusted code execution (CVE-2020-11023)
* grafana: stored XSS (CVE-2020-11110)
* grafana: XSS annotation popup vulnerability (CVE-2020-12052)
* grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)
* nodejs-elliptic: improper encoding checks allows a certain degree of
signature malleability in ECDSA signatures (CVE-2020-13822)
* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)
* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate
function (CVE-2020-15366)
* openshift/console: text injection on error page via crafted url
(CVE-2020-10715)
* kibana: X-Frame-Option not set by default might lead to clickjacking
(CVE-2020-10743)
* openshift: restricted SCC allows pods to craft custom network packets
(CVE-2020-14336)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section. Solution:
For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster
- -cli.html. Bugs fixed (https://bugzilla.redhat.com/):
907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
1767665 - CVE-2020-10715 openshift/console: text injection on error page via crafted url
1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1834550 - CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking
1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability
1848092 - CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions
1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip
1848647 - CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures
1849044 - CVE-2020-7013 kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06)
1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
1850572 - CVE-2018-18624 grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1858981 - CVE-2020-14336 openshift: restricted SCC allows pods to craft custom network packets
1861044 - CVE-2020-11110 grafana: stored XSS
1874671 - CVE-2020-14336 ose-machine-config-operator-container: openshift: restricted SCC allows pods to craft custom network packets [openshift-4]
5. ------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004
------------------------------------------------------------------------
Date reported : August 29, 2019
Advisory ID : WSA-2019-0004
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2019-0004.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0004.html
CVE identifiers : CVE-2019-8644, CVE-2019-8649, CVE-2019-8658,
CVE-2019-8666, CVE-2019-8669, CVE-2019-8671,
CVE-2019-8672, CVE-2019-8673, CVE-2019-8676,
CVE-2019-8677, CVE-2019-8678, CVE-2019-8679,
CVE-2019-8680, CVE-2019-8681, CVE-2019-8683,
CVE-2019-8684, CVE-2019-8686, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, CVE-2019-8690.
CVE-2019-8644
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to G. Geshev working with Trend Micro's Zero Day Initiative.
CVE-2019-8649
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to Sergei Glazunov of Google Project Zero.
CVE-2019-8658
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to akayn working with Trend Micro's Zero Day Initiative.
CVE-2019-8666
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security
Response Center of Qihoo 360 Technology Co. Ltd.
CVE-2019-8669
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to akayn working with Trend Micro's Zero Day Initiative.
CVE-2019-8671
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Apple.
CVE-2019-8672
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Samuel Groß of Google Project Zero.
CVE-2019-8673
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Soyeon Park and Wen Xu of SSLab at Georgia Tech.
CVE-2019-8676
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Soyeon Park and Wen Xu of SSLab at Georgia Tech.
CVE-2019-8677
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Jihui Lu of Tencent KeenLab.
CVE-2019-8678
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to an anonymous researcher, Anthony Lai (@darkfloyd1014) of
Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a)
of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation
Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group,
Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho
(@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation.
CVE-2019-8679
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Jihui Lu of Tencent KeenLab.
CVE-2019-8680
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to Jihui Lu of Tencent KeenLab.
CVE-2019-8681
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to G. Geshev working with Trend Micro Zero Day Initiative.
CVE-2019-8683
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to lokihardt of Google Project Zero.
CVE-2019-8684
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to lokihardt of Google Project Zero.
CVE-2019-8686
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to G. Geshev working with Trend Micro's Zero Day Initiative.
CVE-2019-8687
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Apple.
CVE-2019-8688
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to Insu Yun of SSLab at Georgia Tech.
CVE-2019-8689
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to lokihardt of Google Project Zero.
CVE-2019-8690
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Sergei Glazunov of Google Project Zero.
We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.
The WebKitGTK and WPE WebKit team,
August 29, 2019
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-8-13-4 Additional information for
APPLE-SA-2019-7-22-5 tvOS 12.4
tvOS 12.4 addresses the following:
Bluetooth
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker in a privileged network position may be able to
intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB)
Description: An input validation issue existed in Bluetooth.
CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole
Tippenhauer of CISPA, Germany, and Prof. Kasper Rasmussen of
University of Oxford, England
Entry added August 13, 2019
Core Data
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero
Core Data
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8647: Samuel Groß and Natalie Silvanovich of Google Project
Zero
Core Data
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8660: Samuel Groß and Natalie Silvanovich of Google Project
Zero
FaceTime
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8648: Tao Huang and Tielei Wang of Team Pangu
Foundation
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project
Zero
Heimdal
Available for: Apple TV 4K and Apple TV HD
Impact: An issue existed in Samba that may allow attackers to perform
unauthorized actions by intercepting communications between services
Description: This issue was addressed with improved checks to prevent
unauthorized actions.
CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team
and Catalyst
libxslt
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to view sensitive information
Description: A stack overflow was addressed with improved input
validation.
CVE-2019-13118: found by OSS-Fuzz
Profiles
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to restrict access to
websites
Description: A validation issue existed in the entitlement
verification.
CVE-2019-8698: Luke Deshotels, Jordan Beichler, and William Enck of
North Carolina State University; Costin Carabaș and Răzvan Deaconescu
of University POLITEHNICA of Bucharest
Quick Look
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker may be able to trigger a use-after-free in an
application deserializing an untrusted NSDictionary
Description: This issue was addressed with improved checks.
CVE-2019-8662: Natalie Silvanovich and Samuel Groß of Google Project
Zero
Siri
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero
UIFoundation
Available for: Apple TV 4K and Apple TV HD
Impact: Parsing a maliciously crafted office document may lead to an
unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day
Initiative
CVE-2019-8687: Apple
CVE-2019-8688: Insu Yun of SSLab at Georgia Tech
CVE-2019-8689: lokihardt of Google Project Zero
Additional recognition
Game Center
We would like to acknowledge Min (Spark) Zheng and Xiaolong Bai of
Alibaba Inc. for their assistance.
MobileInstallation
We would like to acknowledge Dany Lisiansky (@DanyL931) for their
assistance.
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."
To check the current version of software, select
"Settings -> General -> About."
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAl1S688pHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3HyXxAA
mG4VzHLTPDCtd3eXkDjN34xahbSiqapl+dcRPoJ4V8yTq2ZM7D+/6Ls4pRD/3oid
46YJfRDaH2J5kufrdYledP0fRXWZoi97tjfgewmP7qKJeftc/9y2qDqBPjnFzHxo
40BZaeVZjupKXyrPlT/Wy8kLZnBtufaEiwbrwkmR05hTuvP6MrQB9gC/YdQnVLTZ
8X7Rd9gIcTPl1cQ9lPvFRSxThsQMzQH69/amMYAhUfwuocn8GbVshVj8LNw7Ie2K
pNUqt/UuB+DhQfUTHAlNezVcuWGUWVELkCuF6xv5oy6Z8bbyClOnYmZUmV+Nhqe+
gHmUUGMlhVuJme1mf20eapB+bHX8eXzxC99ScVymHym459V9N2NpGKDQmh3Pb1Cg
OYMe7xyA7ckc8upqEl9WI+yyrRjlvuUUPXinmdldXnl0GFRfJfwbzsuoaQylIViE
CKd8oOpzcG/dU8FiRYp5vzW9H/LMOTLK2Q1zX5dDhK2V6J/yYfqemnSOEvHhYD5g
08Wm7GaY2kpPqmJ1Vvbtzh9+5AVTNRxpP38xJJde1G8rSUgXs+MkxAh5n6cv+pr/
xpGVpPNsO1uKeRzXjbkTERxH2r8q548caRgKEn6OoOGWhXm6O4YDzopkM6tbe8p1
yIawhwh3AST6+peshxryiatYNsHunnvjpYc72UDiuBU=
=KPlq
-----END PGP SIGNATURE-----
|
|
var-201912-0648
|
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to arbitrary code execution. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * Arbitrary code execution * Insufficient access restrictions * information leak * Service operation interruption (DoS) * Information falsification * Privilege escalation * Sandbox avoidance. WebKit is prone to a cross-site scripting vulnerability and multiple memory-corruption vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or execute arbitrary code in the context of the affected system. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Failed exploit attempts will likely cause a denial-of-service condition. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A memory corruption vulnerability exists in the WebKit component of several Apple products. The following products and versions are affected: Apple iOS prior to 12.4; Windows-based iTunes prior to 12.9.6; tvOS prior to 12.4; Safari prior to 12.1.2; macOS Mojave prior to 10.14.6; watchOS prior to 5.3.
CVE-2019-8649: Sergei Glazunov of Google Project Zero
Installation note:
Safari 12.1.2 may be obtained from the Mac App Store. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-7-22-5 tvOS 12.4
tvOS 12.4 is now available and addresses the following:
Core Data
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero
Core Data
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8647: Samuel Groß and Natalie Silvanovich of Google Project
Zero
Core Data
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8660: Samuel Groß and Natalie Silvanovich of Google Project
Zero
FaceTime
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8648: Tao Huang and Tielei Wang of Team Pangu
Foundation
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project
Zero
Heimdal
Available for: Apple TV 4K and Apple TV HD
Impact: An issue existed in Samba that may allow attackers to perform
unauthorized actions by intercepting communications between services
Description: This issue was addressed with improved checks to prevent
unauthorized actions.
CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team
and Catalyst
libxslt
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to view sensitive information
Description: A stack overflow was addressed with improved input
validation.
CVE-2019-13118: found by OSS-Fuzz
Profiles
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to restrict access to
websites
Description: A validation issue existed in the entitlement
verification. This issue was addressed with improved validation of
the process entitlement.
CVE-2019-8698: Luke Deshotels, Jordan Beichler, and William Enck of
North Carolina State University; Costin Carabaș and Răzvan
Deaconescu of University POLITEHNICA of Bucharest
Quick Look
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker may be able to trigger a use-after-free in an
application deserializing an untrusted NSDictionary
Description: This issue was addressed with improved checks.
CVE-2019-8662: Natalie Silvanovich and Samuel Groß of Google Project
Zero
Siri
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero
UIFoundation
Available for: Apple TV 4K and Apple TV HD
Impact: Parsing a maliciously crafted office document may lead to an
unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero
Day Initiative
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of document loads.
CVE-2019-8690: Sergei Glazunov of Google Project Zero
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of synchronous
page loads.
CVE-2019-8649: Sergei Glazunov of Google Project Zero
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day
Initiative
CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from
Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative
CVE-2019-8671: Apple
CVE-2019-8672: Samuel Groß of Google Project Zero
CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8677: Jihui Lu of Tencent KeenLab
CVE-2019-8678: an anonymous researcher, Anthony Lai (@darkfloyd1014)
of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin
(@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser
Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser
Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser
Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX
Browser Exploitation
CVE-2019-8679: Jihui Lu of Tencent KeenLab
CVE-2019-8680: Jihui Lu of Tencent KeenLab
CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8683: lokihardt of Google Project Zero
CVE-2019-8684: lokihardt of Google Project Zero
CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech,
Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL,
and Eric Lung (@Khlung1) of VXRL
CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day
Initiative
CVE-2019-8687: Apple
CVE-2019-8688: Insu Yun of SSLab at Georgia Tech
CVE-2019-8689: lokihardt of Google Project Zero
Additional recognition
Game Center
We would like to acknowledge Min (Spark) Zheng and Xiaolong Bai of
Alibaba Inc. for their assistance.
MobileInstallation
We would like to acknowledge Dany Lisiansky (@DanyL931) for their
assistance.
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."
To check the current version of software, select
"Settings -> General -> About."
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAl01+gkACgkQeC9tht7T
K3HIng/+O3TrJ2rffae06JdRTrmReKbK9C0yqbFO8mbQLZakvTJ8wMPBiE2e2SrU
KeFIyJmWKxhH/9/dMHxLYDyg0Venyej+Hy066iXKHLAzAE9ypaKJE1kj9RRuI1rv
sHdGhkPV2aov6xXn0hL0Reaf+xTqGzxsVhMtvpYZZUyMwkdYL0UFlk3SIBLcqMyt
6pzvhkhtWRuVbvyULZrqKoVHkxnjny/B/uWsqiQrWMTb9zif3kKyA/Z+/C3xCtMy
1zNR4qvzrh05+ElTCIm9RnNUSMnmGmv7HZOJOUGjGMqzzthW/nXnGPmcHgbQ22eY
5qqvzDdaJz24lkbQLKKGsknu98SivJuFp24MPazs64Ilnfjz3oPT4F7PvvuINtKs
vV5usjr6QzutshzQC1c6y6cnmrXJq8P33Z2gCNreeEc2foR/rJQA53P5lFU8Tenq
MfWB+VxcWI1Woth33HfISYalWr53jSjUENJvuPKMBhiUq5RBjvk/G6S0jvZPw72U
ut0EgOxJF4XfR5WjVc2nyN6n9ijZQCu3/VhNeK9SG1Q5AfyxcZPYTLFsjLdMvmwB
Gjurk0WmPdh2Xsh3M6d6oGDedLh3rzNo6mQ+cxKnSxUnxg912CIpSvmSccFAmk4p
kn7OwQb1VP68uCt4dmTpqi+nK0y0vMlD6ujAg2y8dPjBu+QOgtI=
=aULl
-----END PGP SIGNATURE-----
.
CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole
Tippenhauer of CISPA, Germany, and Prof.
Alternatively, on your watch, select "My Watch > General > About" |
|
var-200711-0538
|
Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918. In order to use this problem to perform cross-site scripting attacks, the attacker is malicious to the user. HTTP It is reported as a prerequisite to have the method submitted.
An attacker may exploit this issue to steal cookie-based authentication credentials and launch other attacks.
Apache 2.0.46 through 2.2.4 are vulnerable; other versions may also be affected. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200803-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Apache: Multiple vulnerabilities
Date: March 11, 2008
Bugs: #201163, #204410, #205195, #209899
ID: 200803-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in Apache.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/apache < 2.2.8 >= 2.2.8
Description
===========
Adrian Pastor and Amir Azam (ProCheckUp) reported that the HTTP Method
specifier header is not properly sanitized when the HTTP return code is
"413 Request Entity too large" (CVE-2007-6203). The mod_proxy_balancer
module does not properly check the balancer name before using it
(CVE-2007-6422). The mod_proxy_ftp does not define a charset in its
answers (CVE-2008-0005). Stefano Di Paola (Minded Security) reported
that filenames are not properly sanitized within the mod_negociation
module (CVE-2008-0455, CVE-2008-0456).
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Apache users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.8"
References
==========
[ 1 ] CVE-2007-6203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203
[ 2 ] CVE-2007-6422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422
[ 3 ] CVE-2008-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
[ 4 ] CVE-2008-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0455
[ 5 ] CVE-2008-0456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0456
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200803-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license. ===========================================================
Ubuntu Security Notice USN-731-1 March 10, 2009
apache2 vulnerabilities
CVE-2007-6203, CVE-2007-6420, CVE-2008-1678, CVE-2008-2168,
CVE-2008-2364, CVE-2008-2939
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
apache2-common 2.0.55-4ubuntu2.4
apache2-mpm-perchild 2.0.55-4ubuntu2.4
apache2-mpm-prefork 2.0.55-4ubuntu2.4
apache2-mpm-worker 2.0.55-4ubuntu2.4
Ubuntu 7.10:
apache2-mpm-event 2.2.4-3ubuntu0.2
apache2-mpm-perchild 2.2.4-3ubuntu0.2
apache2-mpm-prefork 2.2.4-3ubuntu0.2
apache2-mpm-worker 2.2.4-3ubuntu0.2
apache2.2-common 2.2.4-3ubuntu0.2
Ubuntu 8.04 LTS:
apache2-mpm-event 2.2.8-1ubuntu0.4
apache2-mpm-perchild 2.2.8-1ubuntu0.4
apache2-mpm-prefork 2.2.8-1ubuntu0.4
apache2-mpm-worker 2.2.8-1ubuntu0.4
apache2.2-common 2.2.8-1ubuntu0.4
In general, a standard system upgrade is sufficient to effect the
necessary changes. With cross-site scripting vulnerabilities, if a user were tricked into
viewing server output during a crafted server request, a remote attacker could
exploit this to modify the contents, or steal confidential data (such as
passwords), within the same domain. This issue only affected Ubuntu 6.06 LTS and
7.10. (CVE-2007-6203)
It was discovered that Apache was vulnerable to a cross-site request forgery
(CSRF) in the mod_proxy_balancer balancer manager. If an Apache administrator
were tricked into clicking a link on a specially crafted web page, an attacker
could trigger commands that could modify the balancer manager configuration.
This issue only affected Ubuntu 7.10 and 8.04 LTS. (CVE-2007-6420)
It was discovered that Apache had a memory leak when using mod_ssl with
compression. A remote attacker could exploit this to exhaust server memory,
leading to a denial of service. This issue only affected Ubuntu 7.10.
(CVE-2008-1678)
It was discovered that in certain conditions, Apache did not specify a default
character set when returning certain error messages containing UTF-7 encoded
data, which could result in browsers becoming vulnerable to cross-site scripting
attacks when processing the output. This issue only affected Ubuntu 6.06 LTS and
7.10. (CVE-2008-2168)
It was discovered that when configured as a proxy server, Apache did not limit
the number of forwarded interim responses. A malicious remote server could send
a large number of interim responses and cause a denial of service via memory
exhaustion. (CVE-2008-2364)
It was discovered that mod_proxy_ftp did not sanitize wildcard pathnames when
they are returned in directory listings, which could result in browsers becoming
vulnerable to cross-site scripting attacks when processing the output.
(CVE-2008-2939)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4.diff.gz
Size/MD5: 123478 7a5b444231dc27ee60c1bd63f42420c6
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4.dsc
Size/MD5: 1156 4f9a0f31d136914cf7d6e1a92656a47b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55.orig.tar.gz
Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.55-4ubuntu2.4_all.deb
Size/MD5: 2124948 5153435633998e4190b54eb101afd271
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 833336 d5b9ecf82467eb04a94957321c4a95a2
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 228588 f4b9b82016eb22a60da83ae716fd028a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 223600 2cf77e3daaadcc4e07da5e19ecac2867
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 228216 60ff106ddefe9b68c055825bcd6ec52f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 171724 bae5e3d30111e97d34b25594993ad488
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 172508 77bdf00092378c89ae8be7f5139963e0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 94562 f3a168c57db1f5be11cfdba0bdc20062
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 36618 a7f34da28f7bae0cffb3fdb73da70143
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 286028 a5b380d9c6a651fe043ad2358ef61143
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_amd64.deb
Size/MD5: 144590 9a4031c258cfa264fb8baf305bc0cea6
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 786528 353ed1839a8201d0211ede114565e60d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 203256 7b0caa06fd47a28a8a92d1b69c0b4667
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 199114 6a77314579722ca085726e4220be4e9f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 202654 ffad2838e3c8c79ecd7e21f79aa78216
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 171716 771492b2b238424e33e3e7853185c0ca
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 172498 b5f7a4ed03ebafa4c4ff75c05ebf53b7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 92520 787a673994d746b4ad3788c16516832a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 36620 4d5f0f18c3035f41cb8234af3cc1092c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 262082 d6a7111b9f2ed61e1aeb2f18f8713873
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_i386.deb
Size/MD5: 132518 5a335222829c066cb9a0ddcaeee8a0da
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 859446 cf555341c1a8b4a39808b8a3bd76e03a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 220622 85b902b9eecf3d40577d9e1e8bf61467
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 216314 146e689e30c6e1681048f6cf1dd659e3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 220128 10f65b3961a164e070d2f18d610df67b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 171726 9e341f225cb19d5c44f343cc68c0bba5
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 172512 331dff8d3de7cd694d8e115417bed4f8
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 104284 7ab80f14cd9072d23389e27f934079f3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 36620 713bfffcca8ec4e9531c635069f1cd0d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 281600 ad1671807965e2291b5568c7b4e95e14
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_powerpc.deb
Size/MD5: 141744 6b04155aa1dbf6f657dbfa27d6086617
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 803706 f14be1535acf528f89d301c8ec092015
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 211028 28b74d86e10301276cadef208b460658
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 206566 6d6b2e1e3e0bbf8fc0a0bcca60a33339
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 210280 45690384f2e7e0a2168d7867283f9145
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 171732 6595a330344087593a9443b9cdf5e4ba
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 172498 f1ac3a442b21db9d2733e8221b218e25
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 93606 f229d1c258363d2d0dfb3688ec96638e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 36616 6f470e2e17dfc6d587fbe2bf861bfb06
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 268178 5a853d01127853405a677c53dc2bf254
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_sparc.deb
Size/MD5: 130456 a0a51bb9405224948b88903779347427
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4-3ubuntu0.2.diff.gz
Size/MD5: 125080 c5c1b91f6918d42a75d23e95799b3707
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4-3ubuntu0.2.dsc
Size/MD5: 1333 b028e602b998a666681d1aa73b980c06
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4.orig.tar.gz
Size/MD5: 6365535 3add41e0b924d4bb53c2dee55a38c09e
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.4-3ubuntu0.2_all.deb
Size/MD5: 2211750 9dc3a7e0431fe603bbd82bf647d2d1f5
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.2.4-3ubuntu0.2_all.deb
Size/MD5: 278670 985dd1538d0d2c6bb74c458eaada1cb7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.4-3ubuntu0.2_all.deb
Size/MD5: 6702036 3cdb5e1a9d22d7172adfd066dd42d71a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4-3ubuntu0.2_all.deb
Size/MD5: 42846 ba7b0cbf7f33ac3b6321c132bc2fec71
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_amd64.deb
Size/MD5: 457286 b37825dc4bb0215284181aa5dfc9dd44
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_amd64.deb
Size/MD5: 453094 380ea917048a64c2c9bc12d768ac2ffa
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_amd64.deb
Size/MD5: 456804 b075ef4e563a55c7977af4d82d90e493
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_amd64.deb
Size/MD5: 410658 6dff5030f33af340b2100e8591598d9d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_amd64.deb
Size/MD5: 411244 9c79a2c0a2d4d8a88fae1b3f10d0e27c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_amd64.deb
Size/MD5: 348256 ef1e159b64fe2524dc94b6ab9e22cefb
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_amd64.deb
Size/MD5: 992256 0e9bac368bc57637079f839bcce8ebbc
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_i386.deb
Size/MD5: 440388 bdb2ced3ca782cda345fcfb109e8b02a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_i386.deb
Size/MD5: 436030 44d372ff590a6e42a83bcd1fb5e546fe
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_i386.deb
Size/MD5: 439732 5119be595fb6ac6f9dd94d01353da257
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_i386.deb
Size/MD5: 410656 01be0eca15fe252bbcab7562462af5ca
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_i386.deb
Size/MD5: 411250 10d8929e9d37050488f2906fde13b2fd
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_i386.deb
Size/MD5: 347322 d229c56720ae5f1f83645f66e1bfbdf1
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_i386.deb
Size/MD5: 947460 3dc120127b16134b42e0124a1fdfa4ab
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_lpia.deb
Size/MD5: 439896 8e856643ebeed84ffbeb6150f6e917c5
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_lpia.deb
Size/MD5: 435524 ce18d9e09185526c93c6af6db7a6b5cf
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_lpia.deb
Size/MD5: 439180 9622bf2dfee7941533faedd2e2d4ebbd
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_lpia.deb
Size/MD5: 410674 684ad4367bc9250468351b5807dee424
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_lpia.deb
Size/MD5: 411258 17f53e8d3898607ce155dc333237690c
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_lpia.deb
Size/MD5: 347664 1197aa4145372ae6db497fb157cb0da1
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_lpia.deb
Size/MD5: 939924 470a7163e2834781b2db0689750ce0f2
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_powerpc.deb
Size/MD5: 458848 4efbbcc96f05a03301a13448f9cb3c01
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_powerpc.deb
Size/MD5: 454226 1fe4c7712fd4597ed37730a27df95113
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_powerpc.deb
Size/MD5: 458134 5786d901931cecd340cc1879e27bcef7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_powerpc.deb
Size/MD5: 410676 9fc94d5b21a8b0f7f8aab9dc60339abf
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_powerpc.deb
Size/MD5: 411266 c44cde12a002910f9df02c10cdd26b0c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_powerpc.deb
Size/MD5: 367392 612ddcebee145f765163a0b30124393a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_powerpc.deb
Size/MD5: 1094288 72fd7d87f4876648d1e14a5022c61b00
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_sparc.deb
Size/MD5: 441650 28e5a2c2d18239c0810b6de3584af221
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_sparc.deb
Size/MD5: 437796 3ee7408c58fbdf8de6bf681970c1c9ad
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_sparc.deb
Size/MD5: 441114 b1b1bb871fe0385ea4418d533f0669aa
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_sparc.deb
Size/MD5: 410676 cf7bed097f63e3c24337813621866498
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_sparc.deb
Size/MD5: 411252 5a30177f7039f52783576e126cf042d0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_sparc.deb
Size/MD5: 350468 ce216a4e9739966cd2aca4262ba0ea4e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_sparc.deb
Size/MD5: 959090 98ad8ee7328f25e1e81e110bbfce10c2
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.4.diff.gz
Size/MD5: 132376 1a3c4e93f08a23c3a3323cb02f5963b6
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.4.dsc
Size/MD5: 1379 ed1a1e5de71b0e35100f60b21f959db4
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8.orig.tar.gz
Size/MD5: 6125771 39a755eb0f584c279336387b321e3dfc
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.8-1ubuntu0.4_all.deb
Size/MD5: 1928164 86b52d997fe3e4baf9712be0562eed2d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.2.8-1ubuntu0.4_all.deb
Size/MD5: 72176 1f4efe37abf317c3c42c4c0a79a4f232
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.8-1ubuntu0.4_all.deb
Size/MD5: 6254152 fe271b0e4aa0cf80e99b866c23707b6a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.4_all.deb
Size/MD5: 45090 3f44651df13cfd495d7c33dda1c709ea
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_amd64.deb
Size/MD5: 252272 3d27b0311303e7c5912538fb7d4fc37c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_amd64.deb
Size/MD5: 247850 1ce7ff6190c21da119d98b7568f2e5d0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_amd64.deb
Size/MD5: 251658 ac7bc78b449cf8d28d4c10478c6f1409
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_amd64.deb
Size/MD5: 204658 66e95c370f2662082f3ec41e4a033877
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_amd64.deb
Size/MD5: 205336 6b1e7e0ab97b7dd4470c153275f1109c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_amd64.deb
Size/MD5: 140940 cad14e08ab48ca8eb06480c0db686779
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_amd64.deb
Size/MD5: 801764 3759103e3417d44bea8866399ba34a66
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_i386.deb
Size/MD5: 235194 dddbc62f458d9f1935087a072e1c6f67
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_i386.deb
Size/MD5: 230748 db0a1dc277de5886655ad7b1cc5b0f1a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_i386.deb
Size/MD5: 234542 0e4997e9ed55d6086c439948cf1347ff
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_i386.deb
Size/MD5: 204672 1f58383838b3b9f066e855af9f4e47e0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_i386.deb
Size/MD5: 205348 fa032fc136c5b26ccf364289a93a1cda
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_i386.deb
Size/MD5: 139904 b503316d420ccb7efae5082368b95e01
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_i386.deb
Size/MD5: 754788 140fddccc1a6d3dc743d37ab422438c2
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_lpia.deb
Size/MD5: 234752 bc06d67259257109fe8fc17204bc9950
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_lpia.deb
Size/MD5: 230424 9421376c8f6d64e5c87af4f484b8aacf
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_lpia.deb
Size/MD5: 233908 179236460d7b7b71dff5e1d1ac9f0509
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_lpia.deb
Size/MD5: 204664 764d773d28d032767d697eec6c6fd50a
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_lpia.deb
Size/MD5: 205342 2891770939b51b1ca6b8ac8ca9142db1
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_lpia.deb
Size/MD5: 140478 4a062088427f1d8b731e06d64eb7e2ea
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_lpia.deb
Size/MD5: 748672 b66dbda7126616894cf97eb93a959af9
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_powerpc.deb
Size/MD5: 253368 bad43203ed4615216bf28f6da7feb81b
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_powerpc.deb
Size/MD5: 248800 aa757fd46cd79543a020dcd3c6aa1b26
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_powerpc.deb
Size/MD5: 252904 682a940b7f3d14333037c80f7f01c793
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_powerpc.deb
Size/MD5: 204678 30af6c826869b647bc60ed2d99cc30f7
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_powerpc.deb
Size/MD5: 205376 cd02ca263703a6049a6fe7e11f72c98a
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_powerpc.deb
Size/MD5: 157662 df6cdceecb8ae9d25bbd614142da0151
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_powerpc.deb
Size/MD5: 904904 34581d1b3c448a5de72a06393557dd48
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_sparc.deb
Size/MD5: 236418 2eda543f97646f966f5678e2f2a0ba90
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_sparc.deb
Size/MD5: 232386 69e2419f27867b77d94a652a83478ad7
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_sparc.deb
Size/MD5: 235788 414a49286d9e8dd7b343bd9207dc727b
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_sparc.deb
Size/MD5: 204668 f7d099cd9d3ebc0baccbdd896c94a88f
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_sparc.deb
Size/MD5: 205352 0a5cb5dfd823b4e6708a9bcc633a90cd
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_sparc.deb
Size/MD5: 143108 ad78ead4ac992aec97983704b1a3877f
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_sparc.deb
Size/MD5: 763946 0d40a8ebecfef8c1a099f2170fcddb73
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01905287
Version: 1
HPSBUX02465 SSRT090192 rev.1 - HP-UX Running Apache-based Web Server, Remote Denial of Service (DoS) Cross-Site Scripting (XSS) Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-10-21
Last Updated: 2009-10-21
Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS) or unauthorized access. Apache-based Web Server is contained in the Apache Web Server Suite.
References: CVE-2006-3918, CVE-2007-4465, CVE-2007-6203, CVE-2008-0005, CVE-2008-0599, CVE-2008-2168, CVE-2008-2364, CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-2939, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5498, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658.
HP-UX B.11.23, B.11.31 running Apache-based Web Server versions before v2.2.8.05
HP-UX B.11.11, B.11.23, B.11.31 running Apache-based Web Server versions before v2.0.59.12
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2006-3918 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2007-4465 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2007-6203 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-0005 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-0599 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2008-2168 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-2364 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2008-2371 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2008-2665 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2008-2666 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2008-2829 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2008-2939 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-3658 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2008-3659 (AV:N/AC:L/Au:N/C:N/I:P/A:P) 6.4
CVE-2008-3660 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2008-5498 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2008-5557 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2008-5624 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2008-5625 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2008-5658 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
URL http://software.hp.com
Note: HP-UX Web Server Suite v3.06 contains HP-UX Apache-based Web Server v2.2.8.05
Note: HP-UX Web Server Suite v2.27 contains HP-UX Apache-based Web Server v2.0.59.12
Web Server Suite Version
HP-UX Release
Depot name
Web Server v3.06
B.11.23 and B.11.31 PA-32
HPUX22SATW-1123-32.depot
Web Server v3.06
B.11.23 and B.11.31 IA-64
HPUX22SATW-1123-64.depot
Web Server v2.27
B.11.11 PA-32
HPUXSATW-1111-64-32.depot
Web Server v2.27
B.11.23 PA-32 and IA-64
HPUXWSATW-1123-64-bit.depot
Web Server v2.27
B.11.31 IA-32 and IA-64
HPUXSATW-1131-64.depot
MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server from the Apache Web Server Suite v2.27 or subsequent
or
Install Apache-based Web Server from the Apache Web Server Suite v3.06 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For Web Server Suite before v3.06
HP-UX B.11.23
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
action: install revision B.2.2.8.05 or subsequent
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
action: install revision B.2.2.8.05 or subsequent
For Web Server Suite before v2.27
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.12 or subsequent
HP-UX B.11.23
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.12 or subsequent
HP-UX B.11.31
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.12 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 21 October 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEUEARECAAYFAkrguYgACgkQ4B86/C0qfVliOACWIZufVcaJyE/ap8OAmQqT87S7
hQCeKCPftsEV+4JPzQKz4B+EnYzQsJ0=
=TAoy
-----END PGP SIGNATURE-----
|
|
var-201904-1444
|
Multiple memory corruption issues were addressed with improved memory handling. This issue affected versions prior to iOS 12.1, tvOS 12.1, watchOS 5.1, Safari 12.0.1, iTunes 12.9.1, iCloud for Windows 7.8. plural Apple There are multiple memory corruption vulnerabilities in the product due to flaws in memory handling.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A buffer error vulnerability exists in the WebKit component of several Apple products. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
Alternatively, on your watch, select "My Watch > General > About".
CVE-2018-4378: an anonymous researcher, zhunki of 360 ESG Codesafe
Team
Installation note:
Safari 12.0.1 may be obtained from the Mac App Store. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2018-10-30-1 iOS 12.1
iOS 12.1 is now available and addresses the following:
AppleAVD
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing malicious video via FaceTime may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4384: Natalie Silvanovich of Google Project Zero
Contacts
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted vcf file may lead to a
denial of service
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2018-4365: an anonymous researcher
CoreCrypto
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker may be able to exploit a weakness in the
Miller-Rabin primality test to incorrectly identify prime numbers
Description: An issue existed in the method for determining prime
numbers.
CVE-2018-4398: Martin Albrecht, Jake Massimo and Kenny Paterson of
Royal Holloway, University of London, and Juraj Somorovsky of Ruhr
University, Bochum
FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A remote attacker may be able to leak memory
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4366: Natalie Silvanovich of Google Project Zero
FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A remote attacker may be able to initiate a FaceTime call
causing arbitrary code execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4367: Natalie Silvanovich of Google Project Zero
Graphics Driver
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A remote attacker may be able to initiate a FaceTime call
causing arbitrary code execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4384: Natalie Silvanovich of Google Project Zero
ICU
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted string may lead to heap
corruption
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4394: an anonymous researcher
IOHIDFamily
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4427: Pangu Team
IPSec
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2018-4371: Tim Michaud (@TimGMichaud) of Leviathan Security Group
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2018-4420: Mohamed Ghannam (@_simo36)
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2018-4413: Juwei Lin (@panicaII) of TrendMicro Mobile Security
Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4419: Mohamed Ghannam (@_simo36)
Messages
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted text message may lead to UI
spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2018-4390: Rayyan Bijoora (@Bijoora) of The City School, PAF
Chapter
CVE-2018-4391: Rayyan Bijoora (@Bijoora) of The City School, PAF
Chapter
NetworkExtension
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Connecting to a VPN server may leak DNS queries to a DNS
proxy
Description: A logic issue was addressed with improved state
management.
CVE-2018-4369: an anonymous researcher
Notes
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local attacker may be able to share items from the lock
screen
Description: A lock screen issue allowed access to the share function
on a locked device. This issue was addressed by restricting options
offered on a locked device.
CVE-2018-4388: videosdebarraquito
Safari Reader
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2018-4374: Ryan Pickren (ryanpickren.com)
Safari Reader
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: A cross-site scripting issue existed in Safari.
CVE-2018-4377: Ryan Pickren (ryanpickren.com)
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted S/MIME signed message may
lead to a denial of service
Description: A validation issue was addressed with improved logic.
CVE-2018-4400: Yukinobu Nagayasu of LAC Co., Ltd.
VoiceOver
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local attacker may be able to view photos from the lock
screen
Description: A lock screen issue allowed access to photos via Reply
With Message on a locked device.
CVE-2018-4387: videosdebarraquito
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A logic issue was addressed with improved state
management.
CVE-2018-4385: an anonymous researcher
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4409: Sabri Haddouche (@pwnsdx) of Wire Swiss GmbH
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2018-4378: an anonymous researcher, zhunki of 360 ESG Codesafe
Team
WiFi
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4368: Milan Stute and Alex Mariotto of Secure Mobile
Networking Lab at Technische UniversitA$?t Darmstadt
Additional recognition
Certificate Signing
We would like to acknowledge YiAit Can YILMAZ (@yilmazcanyigit) for
their assistance.
iBooks
We would like to acknowledge Sem VoigtlA$?nder of Fontys Hogeschool
ICT for their assistance.
Security
We would like to acknowledge Marinos Bernitsas of Parachute for their
assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 12.1".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlvYkgUpHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3HpTw/7
Bkh9bUEddgGUejpnjO1DRiBlHUDQMssF7nG2LM5JOcCDoLkeHSdcr86KnR7VEyYp
qSllLijO9ZzrLtJuZSEelDCi+eL1Ojk3kP/6ZeMRIxDkYItR7EFWQUK71wcInk5k
qPZp2FnKU3qx0Ax7wzQi3GTQk8CZCVWcuCzh0UA0Nc3rgk0bf29+7AKmgiTaT2Ra
Yo4bRIXRuyi+jE39hN4x41vwjSbaxr5EZb9rvL5HT6Idipcoc9aS+sDbsscXjz/5
9WHlwAB5mxeqO3vY5WNlLhOUXXqMVRfPC/qxQocl86r2AE9jJedQFl/p9qpG59we
FrAejzKTU+1GpI4dGY6puAJval5DlcedWBxsyBxFAT04HdY0pfgF4zpFDTHRj6no
HnEvtF+pNgqX2OTTLCXtMG4r5c7b1yrOPYkM6FS+BjLV2H0X9n3PpvX0qvAqSTn3
RGbkJqHFV4G/DwsWUQQOOXNCthEwhzbT2n7mc+rCtN1WPUu99fGGZusMAqetmVvl
hgUIVPp9+ZHs64BlTzD+xu8e6jyoJ8YoPD9a/r+ENXxHJz6Mr8Jd/E2ZesN5tWpi
sO3ajUx/d158T4jfAvIE8tJGungUgehPVIIR5120nYxHc6gMUAYzirwFptfvSpb8
HWzMnE69KcP9Lnhtgp7fRv+HKpJmrsjOLKyldZzjZlA=
=cetI
-----END PGP SIGNATURE-----
. ------------------------------------------------------------------------
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0008
------------------------------------------------------------------------
Date reported : November 21, 2018
Advisory ID : WSA-2018-0008
WebKitGTK+ Advisory URL :
https://webkitgtk.org/security/WSA-2018-0008.html
WPE WebKit Advisory URL :
https://wpewebkit.org/security/WSA-2018-0008.html
CVE identifiers : CVE-2018-4345, CVE-2018-4372, CVE-2018-4373,
CVE-2018-4375, CVE-2018-4376, CVE-2018-4378,
CVE-2018-4382, CVE-2018-4386, CVE-2018-4392,
CVE-2018-4416.
Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.
CVE-2018-4345
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to an anonymous researcher.
A cross-site scripting issue existed in WebKit. This issue was
addressed with improved URL validation.
CVE-2018-4372
Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before
2.22.2.
Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST
Softsec Lab, Korea.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4373
Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
Credit to ngg, alippai, DirtYiCE, KT of Tresorit working with Trend
Microys Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4375
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
2.22.0.
Credit to Yu Haiwan and Wu Hongjun From Nanyang Technological
University working with Trend Micro's Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4376
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
2.22.0.
Credit to 010 working with Trend Micro's Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4378
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
2.22.0.
Credit to an anonymous researcher, zhunki of 360 ESG Codesafe Team.
Processing maliciously crafted web content may lead to code
execution.
CVE-2018-4382
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
2.22.0.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4386
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4392
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
2.22.0.
Credit to zhunki of 360 ESG Codesafe Team.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4416
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
2.22.0.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
We recommend updating to the latest stable versions of WebKitGTK+ and
WPE WebKit. It is the best way to ensure that you are running safe
versions of WebKit. Please check our websites for information about the
latest stable releases.
Further information about WebKitGTK+ and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.
The WebKitGTK+ and WPE WebKit team,
November 21, 2018
|
|
var-201706-0271
|
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. Apache httpd Is NULL A vulnerability related to pointer dereference exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ==========================================================================
Ubuntu Security Notice USN-3373-1
July 31, 2017
apache2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Apache HTTP Server. This update adds a
new ap_get_basic_auth_components() function for use by third-party
modules. (CVE-2017-3169)
Javier JimA(c)nez discovered that the Apache HTTP Server incorrectly
handled parsing certain requests. (CVE-2017-7679)
David Dennerline and RA(c)gis Leroy discovered that the Apache HTTP Server
incorrectly handled unusual whitespace when parsing requests, contrary
to specifications. This update may
introduce compatibility issues with clients that do not strictly follow
HTTP protocol specifications. A new configuration option
"HttpProtocolOptions Unsafe" can be used to revert to the previous
unsafe behaviour in problematic environments. (CVE-2016-8743)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
A apache2.2-binA A A A A A A A A A A A A A A A A A A 2.2.22-1ubuntu1.12
In general, a standard system update will make all the necessary
changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Apache: Multiple vulnerabilities
Date: October 29, 2017
Bugs: #622240, #624868, #631308
ID: 201710-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Apache, the worst of which
may result in the loss of secrets.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/apache < 2.4.27-r1 >= 2.4.27-r1
Description
===========
Multiple vulnerabilities have been discovered in Apache. Please review
the referenced CVE identifiers for details.
Impact
======
The Optionsbleed vulnerability can leak arbitrary memory from the
server process that may contain secrets.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Apache users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.27-r1"
References
==========
[ 1 ] CVE-2017-3167
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3167
[ 2 ] CVE-2017-3169
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3169
[ 3 ] CVE-2017-7659
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7659
[ 4 ] CVE-2017-7668
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7668
[ 5 ] CVE-2017-7679
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7679
[ 6 ] CVE-2017-9788
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9788
[ 7 ] CVE-2017-9789
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9789
[ 8 ] CVE-2017-9798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201710-32
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: httpd24-httpd security update
Advisory ID: RHSA-2017:2483-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2483
Issue date: 2017-08-16
CVE Names: CVE-2017-3167 CVE-2017-3169 CVE-2017-7659
CVE-2017-7668 CVE-2017-7679 CVE-2017-9788
=====================================================================
1. Summary:
An update for httpd24-httpd is now available for Red Hat Software
Collections.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.
Security Fix(es):
* It was discovered that the httpd's mod_auth_digest module did not
properly initialize memory before using it when processing certain headers
related to digest authentication. A remote attacker could possibly use this
flaw to disclose potentially sensitive information or cause httpd child
process to crash by sending specially crafted requests to a server.
(CVE-2017-9788)
* It was discovered that the use of httpd's ap_get_basic_auth_pw() API
function outside of the authentication phase could lead to authentication
bypass. A remote attacker could possibly use this flaw to bypass required
authentication if the API was used incorrectly by one of the modules used
by httpd. (CVE-2017-3167)
* A NULL pointer dereference flaw was found in the httpd's mod_ssl module.
A remote attacker could use this flaw to cause an httpd child process to
crash if another module used by httpd called a certain API function during
the processing of an HTTPS request. A remote attacker could use this flaw to cause httpd child process
to crash via a specially crafted HTTP/2 request. (CVE-2017-7659)
* A buffer over-read flaw was found in the httpd's ap_find_token()
function. A remote attacker could use this flaw to cause httpd child
process to crash via a specially crafted HTTP request. (CVE-2017-7668)
* A buffer over-read flaw was found in the httpd's mod_mime module. A user
permitted to modify httpd's MIME configuration could use this flaw to cause
httpd child process to crash. (CVE-2017-7679)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted
automatically.
5. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
httpd24-httpd-2.4.25-9.el6.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):
Source:
httpd24-httpd-2.4.25-9.el6.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
httpd24-httpd-2.4.25-9.el6.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
httpd24-httpd-2.4.25-9.el7.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):
Source:
httpd24-httpd-2.4.25-9.el7.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
httpd24-httpd-2.4.25-9.el7.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-3167
https://access.redhat.com/security/cve/CVE-2017-3169
https://access.redhat.com/security/cve/CVE-2017-7659
https://access.redhat.com/security/cve/CVE-2017-7668
https://access.redhat.com/security/cve/CVE-2017-7679
https://access.redhat.com/security/cve/CVE-2017-9788
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFZlNCpXlSAg2UNWIIRArzwAJwNfAuroR6X18rUh+zmjiMy5iBkdwCeJF6e
4v4GwWYC+5xG0xxXzTEQyAg=
=UV+2
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. 6) - i386, noarch, x86_64
3. (CVE-2017-7679)
* A use-after-free flaw was found in the way httpd handled invalid and
previously unregistered HTTP methods specified in the Limit directive used
in an .htaccess file. (CVE-2017-9798)
Red Hat would like to thank Hanno BAPck for reporting CVE-2017-9798. This software, such as Apache HTTP Server, is
common to multiple JBoss middleware products, and is packaged under Red Hat
JBoss Core Services to allow for faster distribution of updates, and for a
more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23
Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache
HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are
documented in the Release Notes document linked to in the References.
Security Fix(es):
* An out-of-bounds array dereference was found in apr_time_exp_get(). An
attacker could abuse an unvalidated usage of this function to cause a
denial of service or potentially lead to data leak. JIRA issues fixed (https://issues.jboss.org/):
JBCS-402 - Errata for httpd 2.4.23.SP3 RHEL7
7 |
|
var-202105-1431
|
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. IEEE 802.11 The standard has vulnerabilities related to lack of certification for critical functions.Information may be tampered with. A flaw was found in the Linux kernels implementation of wifi fragmentation handling. An attacker with the ability to transmit within the wireless transmission range of an access point can abuse a flaw where previous contents of wifi fragments can be unintentionally transmitted to another device. (CVE-2020-24586)
A flaw was found in the Linux kernel's WiFi implementation. An attacker within the wireless range can abuse a logic flaw in the WiFi implementation by reassembling packets from multiple fragments under different keys, treating them as valid. This flaw allows an malicious user to send a fragment under an incorrect key, treating them as a valid fragment under the new key. The highest threat from this vulnerability is to confidentiality. (CVE-2020-24587)
A flaw was found in the Linux kernels wifi implementation. An attacker within wireless broadcast range can inject custom data into the wireless communication circumventing checks on the data. This can cause the frame to pass checks and be considered a valid frame of a different type. (CVE-2020-24588)
Frames used for authentication and key management between the AP and connected clients. Some clients may take these redirected frames masquerading as control mechanisms from the AP. (CVE-2020-26139)
A vulnerability was found in Linux kernel's WiFi implementation. An attacker within wireless range can inject a control packet fragment where the kernel does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. (CVE-2020-26141)
A flaw was found in ath10k_htt_rx_proc_rx_frag_ind_hl in drivers/net/wireless/ath/ath10k/htt_rx.c in the Linux kernel WiFi implementations, where it accepts a second (or subsequent) broadcast fragments even when sent in plaintext and then process them as full unfragmented frames. The highest threat from this vulnerability is to integrity. (CVE-2020-26145)
A flaw was found in ieee80211_rx_h_defragment in net/mac80211/rx.c in the Linux Kernel's WiFi implementation. This vulnerability can be abused to inject packets or exfiltrate selected fragments when another device sends fragmented frames, and the WEP, CCMP, or GCMP data-confidentiality protocol is used. The highest threat from this vulnerability is to integrity. (CVE-2020-26147)
A flaw was found in the Linux kernel in certs/blacklist.c, When signature entries for EFI_CERT_X509_GUID are contained in the Secure Boot Forbidden Signature Database, the entries are skipped. This can cause a security threat and breach system integrity, confidentiality and even lead to a denial of service problem. (CVE-2020-26541)
A vulnerability was found in the bluez, where Passkey Entry protocol used in Secure Simple Pairing (SSP), Secure Connections (SC) and LE Secure Connections (LESC) of the Bluetooth Core Specification is vulnerable to an impersonation attack where an active attacker can impersonate the initiating device without any previous knowledge. (CVE-2020-26558)
A flaw was found in the Linux kernel. Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. The highest threat from this vulnerability is to data confidentiality and integrity. (CVE-2021-0129)
A flaw was found in the Linux kernel's KVM implementation, where improper handing of the VM_IO|VM_PFNMAP VMAs in KVM bypasses RO checks and leads to pages being freed while still accessible by the VMM and guest. This flaw allows users who can start and control a VM to read/write random pages of memory, resulting in local privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. (CVE-2021-22543)
A flaw was found in the Linux kernel's handling of the removal of Bluetooth HCI controllers. This flaw allows an attacker with a local account to exploit a race condition, leading to corrupted memory and possible privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-32399)
A use-after-free flaw was found in hci_send_acl in the bluetooth host controller interface (HCI) in Linux kernel, where a local attacker with an access rights could cause a denial of service problem on the system The issue results from the object hchan, freed in hci_disconn_loglink_complete_evt, yet still used in other places. The highest threat from this vulnerability is to data integrity, confidentiality and system availability. (CVE-2021-33034)
The canbus filesystem in the Linux kernel contains an information leak of kernel memory to devices on the CAN bus network link layer. An attacker with the ability to dump messages on the CAN bus is able to learn of uninitialized stack values by dumbing messages on the can bus. (CVE-2021-34693)
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel. A bounds check failure allows a local malicious user to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-3506)
A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. (CVE-2021-3564)
A flaw use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-3573)
A flaw was found in the Linux kernels NFC implementation, A NULL pointer dereference and BUG leading to a denial of service can be triggered by a local unprivileged user causing a kernel panic. (CVE-2021-38208). ==========================================================================
Ubuntu Security Notice USN-4997-2
June 25, 2021
linux-kvm vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
Summary:
Several security issues were fixed in the Linux kernel.
This update provides the corresponding updates for the Linux KVM
kernel for Ubuntu 21.04.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issue to inject
packets or expose sensitive information. A physically proximate attacker
could possibly use this issue to decrypt fragments. (CVE-2020-24587)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
incorrectly handled certain malformed frames. If a user were tricked into
connecting to a malicious server, a physically proximate attacker could use
this issue to inject packets. (CVE-2020-24588)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
incorrectly handled EAPOL frames from unauthenticated senders. A physically
proximate attacker could inject malicious packets to cause a denial of
service (system crash). (CVE-2020-26139)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly verify certain fragmented frames. A physically proximate
attacker could possibly use this issue to inject or decrypt packets. A physically proximate
attacker could use this issue to inject packets. (CVE-2020-26145)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation could
reassemble mixed encrypted and plaintext fragments. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-23133)
Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the
nfc implementation in the Linux kernel. (CVE-2021-23134)
Manfred Paul discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel contained an out-of-bounds
vulnerability. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-31440)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly prevent speculative loads in certain situations. A local
attacker could use this to expose sensitive information (kernel memory). An attacker could use this
issue to possibly execute arbitrary code. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-3506)
Mathias Krause discovered that a null pointer dereference existed in the
Nitro Enclaves kernel driver of the Linux kernel. (CVE-2021-3543)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.04:
linux-image-5.11.0-1009-kvm 5.11.0-1009.9
linux-image-kvm 5.11.0.1009.9
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-4997-2
https://ubuntu.com/security/notices/USN-4997-1
CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139,
CVE-2020-26141, CVE-2020-26145, CVE-2020-26147, CVE-2021-23133,
CVE-2021-23134, CVE-2021-31440, CVE-2021-31829, CVE-2021-32399,
CVE-2021-33034, CVE-2021-33200, CVE-2021-3506, CVE-2021-3543,
CVE-2021-3609
Package Information:
https://launchpad.net/ubuntu/+source/linux-kvm/5.11.0-1009.9
. Bugs fixed (https://bugzilla.redhat.com/):
2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
5. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: kernel security, bug fix, and enhancement update
Advisory ID: RHSA-2021:4356-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4356
Issue date: 2021-11-09
CVE Names: CVE-2020-0427 CVE-2020-24502 CVE-2020-24503
CVE-2020-24504 CVE-2020-24586 CVE-2020-24587
CVE-2020-24588 CVE-2020-26139 CVE-2020-26140
CVE-2020-26141 CVE-2020-26143 CVE-2020-26144
CVE-2020-26145 CVE-2020-26146 CVE-2020-26147
CVE-2020-27777 CVE-2020-29368 CVE-2020-29660
CVE-2020-36158 CVE-2020-36386 CVE-2021-0129
CVE-2021-3348 CVE-2021-3489 CVE-2021-3564
CVE-2021-3573 CVE-2021-3600 CVE-2021-3635
CVE-2021-3659 CVE-2021-3679 CVE-2021-3732
CVE-2021-20194 CVE-2021-20239 CVE-2021-23133
CVE-2021-28950 CVE-2021-28971 CVE-2021-29155
CVE-2021-29646 CVE-2021-29650 CVE-2021-31440
CVE-2021-31829 CVE-2021-31916 CVE-2021-33200
====================================================================
1.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, x86_64
3.
Security Fix(es):
* kernel: out-of-bounds reads in pinctrl subsystem (CVE-2020-0427)
* kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter
drivers (CVE-2020-24502)
* kernel: Insufficient access control in some Intel(R) Ethernet E810
Adapter drivers (CVE-2020-24503)
* kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810
Adapter drivers (CVE-2020-24504)
* kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)
* kernel: Reassembling fragments encrypted under different keys
(CVE-2020-24587)
* kernel: wifi frame payload being parsed incorrectly as an L2 frame
(CVE-2020-24588)
* kernel: Forwarding EAPOL from unauthenticated wifi client
(CVE-2020-26139)
* kernel: accepting plaintext data frames in protected networks
(CVE-2020-26140)
* kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)
* kernel: accepting fragmented plaintext frames in protected networks
(CVE-2020-26143)
* kernel: accepting unencrypted A-MSDU frames that start with RFC1042
header (CVE-2020-26144)
* kernel: accepting plaintext broadcast fragments as full frames
(CVE-2020-26145)
* kernel: powerpc: RTAS calls can be used to compromise kernel integrity
(CVE-2020-27777)
* kernel: locking inconsistency in tty_io.c and tty_jobctrl.c can lead to a
read-after-free (CVE-2020-29660)
* kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function via a
long SSID value (CVE-2020-36158)
* kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt()
(CVE-2020-36386)
* kernel: Improper access control in BlueZ may allow information disclosure
vulnerability. (CVE-2021-0129)
* kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c
(CVE-2021-3348)
* kernel: Linux kernel eBPF RINGBUF map oversized allocation
(CVE-2021-3489)
* kernel: double free in bluetooth subsystem when the HCI device
initialization fails (CVE-2021-3564)
* kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)
* kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)
* kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)
* kernel: Mounting overlayfs inside an unprivileged user namespace can
reveal files (CVE-2021-3732)
* kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
(CVE-2021-20194)
* kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)
* kernel: fuse: stall on CPU can occur because a retry loop continually
finds the same bad inode (CVE-2021-28950)
* kernel: System crash in intel_pmu_drain_pebs_nhm in
arch/x86/events/intel/ds.c (CVE-2021-28971)
* kernel: protection can be bypassed to leak content of kernel memory
(CVE-2021-29155)
* kernel: improper input validation in tipc_nl_retrieve_key function in
net/tipc/node.c (CVE-2021-29646)
* kernel: lack a full memory barrier may lead to DoS (CVE-2021-29650)
* kernel: local escalation of privileges in handling of eBPF programs
(CVE-2021-31440)
* kernel: protection of stack pointer against speculative pointer
arithmetic can be bypassed to leak content of kernel memory
(CVE-2021-31829)
* kernel: out-of-bounds reads and writes due to enforcing incorrect limits
for pointer arithmetic operations by BPF verifier (CVE-2021-33200)
* kernel: reassembling encrypted fragments with non-consecutive packet
numbers (CVE-2020-26146)
* kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)
* kernel: the copy-on-write implementation can grant unintended write
access because of a race condition in a THP mapcount check (CVE-2020-29368)
* kernel: flowtable list del corruption with kernel BUG at
lib/list_debug.c:50 (CVE-2021-3635)
* kernel: NULL pointer dereference in llsec_key_alloc() in
net/mac802154/llsec.c (CVE-2021-3659)
* kernel: setsockopt System Call Untrusted Pointer Dereference Information
Disclosure (CVE-2021-20239)
* kernel: out of bounds array access in drivers/md/dm-ioctl.c
(CVE-2021-31916)
4. Solution:
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1509204 - dlm: Add ability to set SO_MARK on DLM sockets
1793880 - Unreliable RTC synchronization (11-minute mode)
1816493 - [RHEL 8.3] Discard request from mkfs.xfs takes too much time on raid10
1900844 - CVE-2020-27777 kernel: powerpc: RTAS calls can be used to compromise kernel integrity
1903244 - CVE-2020-29368 kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check
1906522 - CVE-2020-29660 kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-after-free
1912683 - CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
1913348 - CVE-2020-36158 kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value
1915825 - Allow falling back to genfscon labeling when the FS doesn't support xattrs and there is a fs_use_xattr rule for it
1919893 - CVE-2020-0427 kernel: out-of-bounds reads in pinctrl subsystem.
1921958 - CVE-2021-3348 kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c
1923636 - CVE-2021-20239 kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure
1930376 - CVE-2020-24504 kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers
1930379 - CVE-2020-24502 kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers
1930381 - CVE-2020-24503 kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers
1933527 - Files on cifs mount can get mixed contents when underlying file is removed but inode number is reused, when mounted with 'serverino' and 'cache=strict '
1939341 - CNB: net: add inline function skb_csum_is_sctp
1941762 - CVE-2021-28950 kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode
1941784 - CVE-2021-28971 kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c
1945345 - CVE-2021-29646 kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c
1945388 - CVE-2021-29650 kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS
1946965 - CVE-2021-31916 kernel: out of bounds array access in drivers/md/dm-ioctl.c
1948772 - CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del
1951595 - CVE-2021-29155 kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory
1953847 - [ethtool] The `NLM_F_MULTI` should be used for `NLM_F_DUMP`
1954588 - RHEL kernel 8.2 and higher are affected by data corruption bug in raid1 arrays using bitmaps.
1957788 - CVE-2021-31829 kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory
1959559 - CVE-2021-3489 kernel: Linux kernel eBPF RINGBUF map oversized allocation
1959642 - CVE-2020-24586 kernel: Fragmentation cache not cleared on reconnection
1959654 - CVE-2020-24587 kernel: Reassembling fragments encrypted under different keys
1959657 - CVE-2020-24588 kernel: wifi frame payload being parsed incorrectly as an L2 frame
1959663 - CVE-2020-26139 kernel: Forwarding EAPOL from unauthenticated wifi client
1960490 - CVE-2020-26140 kernel: accepting plaintext data frames in protected networks
1960492 - CVE-2020-26141 kernel: not verifying TKIP MIC of fragmented frames
1960496 - CVE-2020-26143 kernel: accepting fragmented plaintext frames in protected networks
1960498 - CVE-2020-26144 kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header
1960500 - CVE-2020-26145 kernel: accepting plaintext broadcast fragments as full frames
1960502 - CVE-2020-26146 kernel: reassembling encrypted fragments with non-consecutive packet numbers
1960504 - CVE-2020-26147 kernel: reassembling mixed encrypted/plaintext fragments
1960708 - please add CAP_CHECKPOINT_RESTORE to capability.h
1964028 - CVE-2021-31440 kernel: local escalation of privileges in handling of eBPF programs
1964139 - CVE-2021-3564 kernel: double free in bluetooth subsystem when the HCI device initialization fails
1965038 - CVE-2021-0129 kernel: Improper access control in BlueZ may allow information disclosure vulnerability.
1965360 - kernel: get_timespec64 does not ignore padding in compat syscalls
1965458 - CVE-2021-33200 kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier
1966578 - CVE-2021-3573 kernel: use-after-free in function hci_sock_bound_ioctl()
1969489 - CVE-2020-36386 kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c
1971101 - ceph: potential data corruption in cephfs write_begin codepath
1972278 - libceph: allow addrvecs with a single NONE/blank address
1974627 - [TIPC] kernel BUG at lib/list_debug.c:31!
1975182 - CVE-2021-33909 kernel: size_t-to-int conversion vulnerability in the filesystem layer [rhel-8.5.0]
1975949 - CVE-2021-3659 kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c
1976679 - blk-mq: fix/improve io scheduler batching dispatch
1976699 - [SCTP]WARNING: CPU: 29 PID: 3165 at mm/page_alloc.c:4579 __alloc_pages_slowpath+0xb74/0xd00
1976946 - CVE-2021-3635 kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50
1976969 - XFS: followup to XFS sync to upstream v5.10 (re BZ1937116)
1977162 - [XDP] test program warning: libbpf: elf: skipping unrecognized data section(16) .eh_frame
1977422 - Missing backport of IMA boot aggregate calculation in rhel 8.4 kernel
1977537 - RHEL8.5: Update the kernel workqueue code to v5.12 level
1977850 - geneve virtual devices lack the NETIF_F_FRAGLIST feature
1978369 - dm writecache: sync with upstream 5.14
1979070 - Inaccessible NFS server overloads clients (native_queued_spin_lock_slowpath connotation?)
1979680 - Backport openvswitch tracepoints
1981954 - CVE-2021-3600 kernel: eBPF 32-bit source register truncation on div/mod
1986138 - Lockd invalid cast to nlm_lockowner
1989165 - CVE-2021-3679 kernel: DoS in rb_per_cpu_empty()
1989999 - ceph omnibus backport for RHEL-8.5.0
1991976 - block: fix New warning in nvme_setup_discard
1992700 - blk-mq: fix kernel panic when iterating over flush request
1995249 - CVE-2021-3732 kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files
1996854 - dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc()
6. Package List:
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
kernel-4.18.0-348.el8.src.rpm
aarch64:
bpftool-4.18.0-348.el8.aarch64.rpm
bpftool-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-4.18.0-348.el8.aarch64.rpm
kernel-core-4.18.0-348.el8.aarch64.rpm
kernel-cross-headers-4.18.0-348.el8.aarch64.rpm
kernel-debug-4.18.0-348.el8.aarch64.rpm
kernel-debug-core-4.18.0-348.el8.aarch64.rpm
kernel-debug-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debug-devel-4.18.0-348.el8.aarch64.rpm
kernel-debug-modules-4.18.0-348.el8.aarch64.rpm
kernel-debug-modules-extra-4.18.0-348.el8.aarch64.rpm
kernel-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debuginfo-common-aarch64-4.18.0-348.el8.aarch64.rpm
kernel-devel-4.18.0-348.el8.aarch64.rpm
kernel-headers-4.18.0-348.el8.aarch64.rpm
kernel-modules-4.18.0-348.el8.aarch64.rpm
kernel-modules-extra-4.18.0-348.el8.aarch64.rpm
kernel-tools-4.18.0-348.el8.aarch64.rpm
kernel-tools-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-tools-libs-4.18.0-348.el8.aarch64.rpm
perf-4.18.0-348.el8.aarch64.rpm
perf-debuginfo-4.18.0-348.el8.aarch64.rpm
python3-perf-4.18.0-348.el8.aarch64.rpm
python3-perf-debuginfo-4.18.0-348.el8.aarch64.rpm
noarch:
kernel-abi-stablelists-4.18.0-348.el8.noarch.rpm
kernel-doc-4.18.0-348.el8.noarch.rpm
ppc64le:
bpftool-4.18.0-348.el8.ppc64le.rpm
bpftool-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-4.18.0-348.el8.ppc64le.rpm
kernel-core-4.18.0-348.el8.ppc64le.rpm
kernel-cross-headers-4.18.0-348.el8.ppc64le.rpm
kernel-debug-4.18.0-348.el8.ppc64le.rpm
kernel-debug-core-4.18.0-348.el8.ppc64le.rpm
kernel-debug-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debug-devel-4.18.0-348.el8.ppc64le.rpm
kernel-debug-modules-4.18.0-348.el8.ppc64le.rpm
kernel-debug-modules-extra-4.18.0-348.el8.ppc64le.rpm
kernel-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debuginfo-common-ppc64le-4.18.0-348.el8.ppc64le.rpm
kernel-devel-4.18.0-348.el8.ppc64le.rpm
kernel-headers-4.18.0-348.el8.ppc64le.rpm
kernel-modules-4.18.0-348.el8.ppc64le.rpm
kernel-modules-extra-4.18.0-348.el8.ppc64le.rpm
kernel-tools-4.18.0-348.el8.ppc64le.rpm
kernel-tools-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-tools-libs-4.18.0-348.el8.ppc64le.rpm
perf-4.18.0-348.el8.ppc64le.rpm
perf-debuginfo-4.18.0-348.el8.ppc64le.rpm
python3-perf-4.18.0-348.el8.ppc64le.rpm
python3-perf-debuginfo-4.18.0-348.el8.ppc64le.rpm
s390x:
bpftool-4.18.0-348.el8.s390x.rpm
bpftool-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-4.18.0-348.el8.s390x.rpm
kernel-core-4.18.0-348.el8.s390x.rpm
kernel-cross-headers-4.18.0-348.el8.s390x.rpm
kernel-debug-4.18.0-348.el8.s390x.rpm
kernel-debug-core-4.18.0-348.el8.s390x.rpm
kernel-debug-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-debug-devel-4.18.0-348.el8.s390x.rpm
kernel-debug-modules-4.18.0-348.el8.s390x.rpm
kernel-debug-modules-extra-4.18.0-348.el8.s390x.rpm
kernel-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-debuginfo-common-s390x-4.18.0-348.el8.s390x.rpm
kernel-devel-4.18.0-348.el8.s390x.rpm
kernel-headers-4.18.0-348.el8.s390x.rpm
kernel-modules-4.18.0-348.el8.s390x.rpm
kernel-modules-extra-4.18.0-348.el8.s390x.rpm
kernel-tools-4.18.0-348.el8.s390x.rpm
kernel-tools-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-core-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-devel-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-modules-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-modules-extra-4.18.0-348.el8.s390x.rpm
perf-4.18.0-348.el8.s390x.rpm
perf-debuginfo-4.18.0-348.el8.s390x.rpm
python3-perf-4.18.0-348.el8.s390x.rpm
python3-perf-debuginfo-4.18.0-348.el8.s390x.rpm
x86_64:
bpftool-4.18.0-348.el8.x86_64.rpm
bpftool-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-4.18.0-348.el8.x86_64.rpm
kernel-core-4.18.0-348.el8.x86_64.rpm
kernel-cross-headers-4.18.0-348.el8.x86_64.rpm
kernel-debug-4.18.0-348.el8.x86_64.rpm
kernel-debug-core-4.18.0-348.el8.x86_64.rpm
kernel-debug-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debug-devel-4.18.0-348.el8.x86_64.rpm
kernel-debug-modules-4.18.0-348.el8.x86_64.rpm
kernel-debug-modules-extra-4.18.0-348.el8.x86_64.rpm
kernel-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debuginfo-common-x86_64-4.18.0-348.el8.x86_64.rpm
kernel-devel-4.18.0-348.el8.x86_64.rpm
kernel-headers-4.18.0-348.el8.x86_64.rpm
kernel-modules-4.18.0-348.el8.x86_64.rpm
kernel-modules-extra-4.18.0-348.el8.x86_64.rpm
kernel-tools-4.18.0-348.el8.x86_64.rpm
kernel-tools-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-tools-libs-4.18.0-348.el8.x86_64.rpm
perf-4.18.0-348.el8.x86_64.rpm
perf-debuginfo-4.18.0-348.el8.x86_64.rpm
python3-perf-4.18.0-348.el8.x86_64.rpm
python3-perf-debuginfo-4.18.0-348.el8.x86_64.rpm
Red Hat Enterprise Linux CRB (v. 8):
aarch64:
bpftool-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debug-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debuginfo-common-aarch64-4.18.0-348.el8.aarch64.rpm
kernel-tools-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-tools-libs-devel-4.18.0-348.el8.aarch64.rpm
perf-debuginfo-4.18.0-348.el8.aarch64.rpm
python3-perf-debuginfo-4.18.0-348.el8.aarch64.rpm
ppc64le:
bpftool-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debug-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debuginfo-common-ppc64le-4.18.0-348.el8.ppc64le.rpm
kernel-tools-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-tools-libs-devel-4.18.0-348.el8.ppc64le.rpm
perf-debuginfo-4.18.0-348.el8.ppc64le.rpm
python3-perf-debuginfo-4.18.0-348.el8.ppc64le.rpm
x86_64:
bpftool-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debug-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debuginfo-common-x86_64-4.18.0-348.el8.x86_64.rpm
kernel-tools-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-tools-libs-devel-4.18.0-348.el8.x86_64.rpm
perf-debuginfo-4.18.0-348.el8.x86_64.rpm
python3-perf-debuginfo-4.18.0-348.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYYrdRdzjgjWX9erEAQhs0w//as9X4T+FCf3TAbcNIStxlOK6fbJoAlST
FrgNJnRH3RmT+VxRSLWZcsJQf78kudeJWtMezbGSVREfhCMBCGhKZ7mvVp5P7J8l
bobmdaap3hqkPqq66VuKxGuS+6j0rXXgGQH034yzoX+L/lx6KV9qdAnZZO+7kWcy
SfX0GkLg0ARDMfsoUKwVmeUeNLhPlJ4ZH2rBdZ4FhjyEAG/5yL9JwU/VNReWHjhW
HgarTuSnFR3vLQDKyjMIEEiBPOI162hS2j3Ba/A/1hJ70HOjloJnd0eWYGxSuIfC
DRrzlacFNAzBPZsbRFi1plXrHh5LtNoBBWjl+xyb6jRsB8eXgS+WhzUhOXGUv01E
lJTwFy5Kz71d+cAhRXgmz5gVgWuoNJw8AEImefWcy4n0EEK55vdFe0Sl7BfZiwpD
Jhx97He6OurNnLrYyJJ0+TsU1L33794Ag2AJZnN1PLFUyrKKNlD1ZWtdsJg99klK
dQteUTnnUhgDG5Tqulf0wX19BEkLd/O6CRyGueJcV4h4PFpSoWOh5Yy/BlokFzc8
zf14PjuVueIodaIUXtK+70Zmw7tg09Dx5Asyfuk5hWFPYv856nHlDn7PT724CU8v
1cp96h1IjLR6cF17NO2JCcbU0XZEW+aCkGkPcsY8DhBmaZqxUxXObvTD80Mm7EvN
+PuV5cms0sE=2UUA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
. Solution:
For OpenShift Container Platform 4.9 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this errata update:
https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html
For Red Hat OpenShift Logging 5.3, see the following instructions to apply
this update:
https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment
5. JIRA issues fixed (https://issues.jboss.org/):
LOG-1168 - Disable hostname verification in syslog TLS settings
LOG-1235 - Using HTTPS without a secret does not translate into the correct 'scheme' value in Fluentd
LOG-1375 - ssl_ca_cert should be optional
LOG-1378 - CLO should support sasl_plaintext(Password over http)
LOG-1392 - In fluentd config, flush_interval can't be set with flush_mode=immediate
LOG-1494 - Syslog output is serializing json incorrectly
LOG-1555 - Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server
LOG-1575 - Rejected by Elasticsearch and unexpected json-parsing
LOG-1735 - Regression introducing flush_at_shutdown
LOG-1774 - The collector logs should be excluded in fluent.conf
LOG-1776 - fluentd total_limit_size sets value beyond available space
LOG-1822 - OpenShift Alerting Rules Style-Guide Compliance
LOG-1859 - CLO Should not error and exit early on missing ca-bundle when cluster wide proxy is not enabled
LOG-1862 - Unsupported kafka parameters when enabled Kafka SASL
LOG-1903 - Fix the Display of ClusterLogging type in OLM
LOG-1911 - CLF API changes to Opt-in to multiline error detection
LOG-1918 - Alert `FluentdNodeDown` always firing
LOG-1939 - Opt-in multiline detection breaks cloudwatch forwarding
6 |
|
var-200704-0221
|
The WebFoundation framework in Apple Mac OS X 10.3.9 and earlier allows subdomain cookies to be accessed by the parent domain, which allows remote attackers to obtain sensitive information. A vulnerability exists in the Kerberos administration daemon that may allow a remote, unauthenticated user to free uninitialized pointers. Freeing uninitialized pointers corrupts memory in a way that could allow an attacker to execute code. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AirPortDriver module, CoreServices, Libinfo, Login Window, Natd, SMB, System Configuration, URLMount, VideoConference framework, WebDAV, and WebFoundation.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, overwrite files, and access potentially sensitive information. Both local and remote vulnerabilities are present.
Apple Mac OS X 10.4.9 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Fedora Core 6 update for krb5
SECUNIA ADVISORY ID:
SA23706
VERIFY ADVISORY:
http://secunia.com/advisories/23706/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Fedora Core 6
http://secunia.com/product/12487/
DESCRIPTION:
Fedora has issued an update for krb5. This fixes some
vulnerabilities, which can be exploited by malicious people to cause
a DoS (Denial of Service) or potentially compromise a vulnerable
system.
For more information:
SA23690
SA23696
SOLUTION:
Apply updated packages.
Fedora Core 6:
43b1b9c946f30629489b903961472d9b0cdf1cd8 SRPMS/krb5-1.5-13.src.rpm
43b1b9c946f30629489b903961472d9b0cdf1cd8 noarch/krb5-1.5-13.src.rpm
42b9b525ea97d128ed22c6feb7b48cc377ca46ad
ppc/debug/krb5-debuginfo-1.5-13.ppc.rpm
51c9dfac74d9026509906e953cf92ac50e1a13c4
ppc/krb5-workstation-1.5-13.ppc.rpm
39a5ed204a75766df9daf51a66971f51700d563c
ppc/krb5-server-1.5-13.ppc.rpm
bce7df56293ae51d79ce1e054b3056d24a1ae8d5
ppc/krb5-devel-1.5-13.ppc.rpm
9097a6f8fdda32e8b976b0beb2b03ba66172327e
ppc/krb5-libs-1.5-13.ppc.rpm
51c1f15fca97f267cabd1d1a9851a349fc5a3648
x86_64/krb5-workstation-1.5-13.x86_64.rpm
7cc0d54545539827434c7975697c9c13ae9e4797
x86_64/debug/krb5-debuginfo-1.5-13.x86_64.rpm
71fcdc5dadb273576ad9e530fbb15764650cb84b
x86_64/krb5-devel-1.5-13.x86_64.rpm
bbe8f1b3e7c6077526f760b361ad6ca5d4039276
x86_64/krb5-libs-1.5-13.x86_64.rpm
e38c1dccd2310d3bab9d204226988aee627cfe0d
x86_64/krb5-server-1.5-13.x86_64.rpm
02ddf8b25bea088b4de3cc8c27fcf3eb2967efa6
i386/debug/krb5-debuginfo-1.5-13.i386.rpm
d6470636e983d8559d4378f819fba80b467af0a5
i386/krb5-libs-1.5-13.i386.rpm
278c19ec68ed47d35c5c2370df5c48807dba1224
i386/krb5-workstation-1.5-13.i386.rpm
aa72a083b60ddfb3dbc0761f13ea7147e09995f1
i386/krb5-server-1.5-13.i386.rpm
9cfd3d1d48deb0e7f83a0a13a5ddf2383386b400
i386/krb5-devel-1.5-13.i386.rpm
ORIGINAL ADVISORY:
http://fedoranews.org/cms/node/2375
OTHER REFERENCES:
SA23690:
http://secunia.com/advisories/23690/
SA23696:
http://secunia.com/advisories/23696/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
|
|
var-200511-0018
|
The Internet Key Exchange version 1 (IKEv1) implementation in Stonesoft StoneGate Firewall before 2.6.1 allows remote attackers to cause a denial of service via certain crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. NOTE: due to the lack of details in the Stonesoft advisory, it is unclear which of CVE-2005-3666, CVE-2005-3667, and/or CVE-2005-3668 this issue applies to. Numerous vulnerabilities have been reported in various Internet Key Exchange version 1 (IKEv1) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause an IKEv1 implementation to behave in an unstable/unpredictable manner. Stonesoft StoneGate Firewall and VPN Client are prone to multiple unspecified vulnerabilities in its IKEv1 implementation. Potential issues include denial of service attacks, format strings, and buffer overflows.
These issues were discovered with the PROTOS ISAKMP Test Suite and are related to handling of malformed IKEv1 traffic. Stonesoft StoneGate Firewall is a firewall.
TITLE:
Symantec Firewall/VPN/Gateway ISAKMP Message Processing Denial of
Service
SECUNIA ADVISORY ID:
SA17684
VERIFY ADVISORY:
http://secunia.com/advisories/17684/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
>From remote
OPERATING SYSTEM:
Symantec Gateway Security 400 Series
http://secunia.com/product/6175/
Symantec Gateway Security 300 Series
http://secunia.com/product/6176/
Symantec Gateway Security 3.x
http://secunia.com/product/6177/
Symantec Gateway Security 2.x
http://secunia.com/product/3104/
Symantec Gateway Security 1.x
http://secunia.com/product/876/
Symantec Firewall/VPN Appliance 100/200/200R
http://secunia.com/product/552/
SOFTWARE:
Symantec Enterprise Firewall (SEF) 8.x
http://secunia.com/product/3587/
DESCRIPTION:
Symantec has acknowledged a vulnerability in various Symantec
products, which can be exploited by malicious people to cause a DoS
(Denial of Service).
For more information:
SA17553
Successful exploitation causes a DoS of the dynamic VPN services.
The vulnerability has been reported in the following products.
* Symantec Enterprise Firewall version 8.0 (Windows)
* Symantec Enterprise Firewall version 8.0 (Solaris)
* Symantec Gateway Security 5000 Series version 3.0
* Symantec Gateway Security 5400 version 2.0.1
* Symantec Gateway Security 5310 version 1.0
* Symantec Gateway Security 5200/5300 version 1.0
* Symantec Gateway Security 5100
* Symantec Gateway Security 400 version 2.0
* Symantec Gateway Security 300 version 2.0
* Symantec Firewall /VPN Appliance 200/200R
* Symantec Firewall /VPN Appliance 100
SOLUTION:
Apply hotfixes.
Symantec Enterprise Firewall version 8.0 (Windows):
Apply SEF8.0-20051114-00.
http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8/files.html
Symantec Enterprise Firewall version 8.0 (Solaris):
Apply SEF8.0-20051114-00.
http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8_sol/files.html
Symantec Gateway Security 5000 Series version 3.0:
Apply SGS3.0-2005114-02.
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sgs_5600_3/files.html
Symantec Gateway Security 5400 version 2.0.1:
Apply SGS2.0.1-20051114-00.
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_201_5400/files.html
Symantec Gateway Security 5310 version 1.0:
Apply SG7004-20051114-00.
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_5310/files.html
Symantec Gateway Security 5200/5300 version 1.0:
Apply SG7004-20051114-00.
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_52005300/files.html
Symantec Gateway Security 5100:
Apply SG7004-20051114-00.
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_5110/files.html
Symantec Gateway Security 400 version 2.0:
Update to build 1103.
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sgs_2_400/files.html
Symantec Gateway Security 300 version 2.0:
Update to build 1103.
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sgs_300s_2/files.html
Symantec Firewall /VPN Appliance 200/200R:
Update to build 1.8F.
http://www.symantec.com/techsupp/enterprise/products/sym_fw_vpn_appliance/sym_fw_vpn_appliance_200r/files.html
Symantec Firewall /VPN Appliance 100:
Update to build 1.8F.
http://www.symantec.com/techsupp/enterprise/products/sym_fw_vpn_appliance/sym_fw_vpn_appliance_100/files.html
ORIGINAL ADVISORY:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2005.11.21.html
OTHER REFERENCES:
SA17553:
http://secunia.com/advisories/17553/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
|
|
var-200703-0028
|
Server Manager (servermgrd) in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 does not sufficiently validate authentication credentials, which allows remote attackers to bypass authentication and modify system configuration. A vulnerabilty in the Apple Mac OS X DirectoryService may allow unprivileged users to change the root password. Apple ColorSync contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code. Mac OS X is prone to multiple vulnerabilities including stack-based buffer-overflow issues, denial-of-service vulnerabilities, two memory-corruption issues, an integer-overflow issue, two authentication-bypass issues, an information-disclosure vulnerability, and an insecure command-execution issue.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the application, cause denial-of-service conditions, compromise the application, and access or modify data.
Few details regarding these issues are currently available. Separate BIDs for each issue will be created as new information becomes available.
Mac OS X and Mac OS X Server versions 10.3.9 and 10.4 through 10.4.8 are vulnerable.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary. Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
|
|
var-200503-0071
|
The Sun Java Plugin capability in Java 2 Runtime Environment (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does not properly restrict access between Javascript and Java applets during data transfer, which allows remote attackers to load unsafe classes and execute arbitrary code by using the reflection API to access private Java packages. There is a vulnerability in the Sun Java Plug-in that could allow a malicious Java applet to bypass restrictions for untrusted applets. Multiple vulnerabilities exist in numerous Oracle products. The impacts of these vulnerabilities are varied and may include remote execution of arbitrary code, the disclosure of sensitive information, and denial-of-service conditions. various Oracle Multiple vulnerabilities exist in the product and its components.Although it depends on the target product, a third party can execute any command or code remotely, leak information in the database, disrupt service operation ( Denial-of-Service,DoS ) Attacks could be made. Reports indicate that it is possible for a malicious website that contains JavaScript code to exploit this vulnerability to load a dangerous Java class and to pass this class to an invoked applet. If a vulnerable version is still installed on the computer, it may be possible for to specify that this version runs the applet instead of an updated version that is not prone to the vulnerability. Users affected by this vulnerability should remove earlier versions of the plug-in. This functionality could also be abused to prompt users to install vulnerable versions of the plug-in, so users should be wary of doing so. This general security weakness has been assigned an individual BID (11757). Various Oracle Database Server, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite and Applications, Oracle Workflow, Oracle Forms and Reports, Oracle JInitiator, Oracle Developer Suite, and Oracle Express Server are affected by multiple vulnerabilities.
The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats.
Oracle has released a Critical Patch Update advisory for July 2005 to address these vulnerabilities. This Critical Patch Update addresses the vulnerabilities for supported releases. Earlier, unsupported releases are likely to be affected by the issues as well. The issue is that documents may be served with weaker SSL encryption than configured in Oracle HTTP Server.
This could result in a false sense of security. Oracle has not released any further information about this weakness.
The first issue can allow an untrusted applet to escalate its privileges to access resources with the privilege level of the user running the applet.
This issue occurs only in Internet Explorer running on Windows.
The second issue allows an untrusted applet to interfere with another applet embedded in the same web page.
This issue occurs in Java running on Windows, Solaris, and Linux. A remote attacker can use this vulnerability to bypass the Java\'\'sandbox\'\' and all restrictions to access restricted resources and systems. BACKGROUND
Java Plug-in technology, included as part of the Java 2 Runtime
Environment, Standard Edition (JRE), establishes a connection between
popular browsers and the Java platform. This connection enables
applets
on Web sites to be run within a browser on the desktop.
II.
A number of private Java packages exist within the Java Virtual
Machine
(VM) and are used internally by the VM. Security restrictions prevent
Applets from accessing these packages. Any attempt to access these
packages, results in a thrown exception of 'AccessControlException',
unless the Applet is signed and the user has chosen to trust the
issuer.
III. ANALYSIS
Successful exploitation allows remote attackers to execute hostile
Applets that can access, download, upload or execute arbitrary files
as
well as access the network. A target user must be running a browser on
top of a vulnerable Java Virtual Machine to be affected. It is
possible
for an attacker to create a cross-platform, cross-browser exploit for
this vulnerability. Once compromised, an attacker can execute
arbitrary
code under the privileges of the user who instantiated the vulnerable
browser.
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in Java 2
Platform, Standard Edition (J2SE) 1.4.2_01 and 1.4.2_04 from Sun
Microsystems. Various browsers such as Internet Explorer, Mozilla and Firefox
on
both Windows and Unix platforms can be exploited if they are running a
vulnerable Java Virtual Machine.
V.
Other Java Virtual Machines, such as the Microsoft VM, are available
and
can be used as an alternative.
VI. VENDOR RESPONSE
This issue has been fixed in J2SE v 1.4.2_06 available at:
[15]http://java.sun.com/j2se/1.4.2/download.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned
the
name CAN-2004-1029 to this issue. This is a candidate for inclusion in
the CVE list ([16]http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
06/29/2004 Initial vendor notification
06/30/2004 Initial vendor response
08/16/2004 iDEFENSE clients notified
11/22/2004 Public disclosure
IX. CREDIT
Jouko Pynnonen (jouko[at]iki.fi) is credited with this discovery.
Get paid for vulnerability research
[17]http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright \xa9 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please
email [18]customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use
of the information constitutes acceptance for use in an AS IS
condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect,
or consequential loss or damage arising from use of, or reliance on,
this information |
|
var-200609-0312
|
Buffer overflow in Apple QuickTime before 7.1.3 allows user-assisted remote attackers to execute arbitrary code via a crafted SGI image. Apple QuickTime fails to properly handle SGI images. Successful exploits may facilitate a remote compromise of affected computers. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats.
McAfee, Inc. QuickTime is used by the Mac OS X operating system and
by the QuickTime media player for Microsoft Windows.
Seven code execution vulnerabilities are present in QuickTime support
for various multimedia formats including: MOV, H.264, FLC, FPX and SGI.
Exploitation could lead to execution of arbitrary code. User interaction
is required for an attack to succeed.
The risk rating for these issues is medium.
_________________________________________________
* Vulnerable Systems
QuickTime 7.1.2 and below for Mac OS X
QuickTime for Windows 7.1.2 and below
_________________________________________________
* Vulnerability Information
CVE-2006-4382
Two buffer overflow vulnerabilities are present in QuickTime MOV format
support.
CVE-2006-4384
On heap overflow vulnerability is present in QuickTime FLC format
support.
CVE-2006-4386
One buffer overflow vulnerability is present in QuickTime MOV H.264
format support.
CVE-2006-4388
One buffer overflow vulnerability is present in QuickTime FlashPix (FPX)
format support.
CVE-2006-4389
One uninitialized memory access vulnerability is present in QuickTime
FlashPix (FPX) format support.
_________________________________________________
* Resolution
Apple has included fixes for the QuickTime issues in QuickTime version
7.1.3 for Mac OS X and for Microsoft Windows.
Further information is available at:
http://docs.info.apple.com/article.html?artnum=304357
_________________________________________________
* Credits
These vulnerabilities were discovered by Mike Price of McAfee Avert
Labs.
_________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the
convenience of McAfee's customers, and may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way. McAfee makes no representations or warranties
regarding the accuracy of the information referenced in this document,
or the suitability of that information for your purposes.
McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee,
Inc. and/or its affiliated companies in the United States and/or other
Countries. All other registered and unregistered trademarks in this
document are the sole property of their respective owners.
Best regards,
Dave Marcus, B.A., CCNA, MCSE
Security Research and Communications Manager
McAfee(r) Avert(r) Labs
.
I. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. For further information, please see
the Vulnerability Notes.
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.1.3.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document. Please send
email to <cert@cert.org> with "TA06-256A Feedback VU#540348" in the
subject.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 13, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRQg23exOF3G+ig+rAQK7LggAt0RUIz3jewgQYrRYp9bMDBkS61Bvh2OO
8Gp2H472UXA0ucElK/1hAXtPXU2Pmf/EjrCqSImO+srV4i0x5QIFJDo41HtbDo9s
FzQC/rmJ3YWl15L+uIjG0S1wxWwH5GyzQj4xaZCMdNLYEN7LVe31ETDsXJ3kEMMa
m19M4GLOXAFfmjyGgky4Nux0RJU1UE/0w9pZESOXg+7WXFY8skOZ8YfqBvunjqtE
pZa3LWoOcDtP/ORoEn7GY83v/uQqkX8uoAxwe9nuGXbyssvj7BQxDPvnwSWrXzUG
R59/r1NA4i/EtYNV1ONW2Pntqc5/vv0OGcs1JFM9tazV3aRbgHfCVg==
=nQVd
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200803-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Win32 binary codecs: Multiple vulnerabilities
Date: March 04, 2008
Bugs: #150288
ID: 200803-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in the Win32 codecs for Linux may result in
the remote execution of arbitrary code.
Background
==========
Win32 binary codecs provide support for video and audio playback.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Win32 binary codecs users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose
">=media-libs/win32codecs-20071007-r2"
Note: Since no updated binary versions have been released, the
Quicktime libraries have been removed from the package. Please use the
free alternative Quicktime implementations within VLC, MPlayer or Xine
for playback.
References
==========
[ 1 ] CVE-2006-4382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4382
[ 2 ] CVE-2006-4384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4384
[ 3 ] CVE-2006-4385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4385
[ 4 ] CVE-2006-4386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4386
[ 5 ] CVE-2006-4388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4388
[ 6 ] CVE-2006-4389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4389
[ 7 ] CVE-2007-4674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4674
[ 8 ] CVE-2007-6166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6166
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200803-08.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|
var-201912-0582
|
A logic issue was addressed with improved state management. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to universal cross site scripting. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * Arbitrary code execution * Insufficient access restrictions * information leak * Service operation interruption (DoS) * Information falsification * Privilege escalation * Sandbox avoidance. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the operationPutByValOptimize function. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A buffer error vulnerability exists in the WebKit component of several Apple products. The following products and versions are affected: Apple iOS prior to 12.4; Windows-based iTunes prior to 12.9.6; tvOS prior to 12.4; Safari prior to 12.1.2; macOS Mojave prior to 10.14.6; Windows-based iCloud 10.6 Previous versions, versions before 7.13; versions before watchOS 5.3. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201909-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: WebkitGTK+: Multiple vulnerabilities
Date: September 06, 2019
Bugs: #683234, #686216, #693122
ID: 201909-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in WebkitGTK+, the worst of
which could result in the arbitrary execution of code.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from
hybrid HTML/CSS applications to full-fledged web browsers.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.24.4 >= 2.24.4
Description
===========
Multiple vulnerabilities have been discovered in WebkitGTK+. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebkitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.24.4"
References
==========
[ 1 ] CVE-2019-11070
https://nvd.nist.gov/vuln/detail/CVE-2019-11070
[ 2 ] CVE-2019-6201
https://nvd.nist.gov/vuln/detail/CVE-2019-6201
[ 3 ] CVE-2019-6251
https://nvd.nist.gov/vuln/detail/CVE-2019-6251
[ 4 ] CVE-2019-7285
https://nvd.nist.gov/vuln/detail/CVE-2019-7285
[ 5 ] CVE-2019-7292
https://nvd.nist.gov/vuln/detail/CVE-2019-7292
[ 6 ] CVE-2019-8503
https://nvd.nist.gov/vuln/detail/CVE-2019-8503
[ 7 ] CVE-2019-8506
https://nvd.nist.gov/vuln/detail/CVE-2019-8506
[ 8 ] CVE-2019-8515
https://nvd.nist.gov/vuln/detail/CVE-2019-8515
[ 9 ] CVE-2019-8518
https://nvd.nist.gov/vuln/detail/CVE-2019-8518
[ 10 ] CVE-2019-8523
https://nvd.nist.gov/vuln/detail/CVE-2019-8523
[ 11 ] CVE-2019-8524
https://nvd.nist.gov/vuln/detail/CVE-2019-8524
[ 12 ] CVE-2019-8535
https://nvd.nist.gov/vuln/detail/CVE-2019-8535
[ 13 ] CVE-2019-8536
https://nvd.nist.gov/vuln/detail/CVE-2019-8536
[ 14 ] CVE-2019-8544
https://nvd.nist.gov/vuln/detail/CVE-2019-8544
[ 15 ] CVE-2019-8551
https://nvd.nist.gov/vuln/detail/CVE-2019-8551
[ 16 ] CVE-2019-8558
https://nvd.nist.gov/vuln/detail/CVE-2019-8558
[ 17 ] CVE-2019-8559
https://nvd.nist.gov/vuln/detail/CVE-2019-8559
[ 18 ] CVE-2019-8563
https://nvd.nist.gov/vuln/detail/CVE-2019-8563
[ 19 ] CVE-2019-8595
https://nvd.nist.gov/vuln/detail/CVE-2019-8595
[ 20 ] CVE-2019-8607
https://nvd.nist.gov/vuln/detail/CVE-2019-8607
[ 21 ] CVE-2019-8615
https://nvd.nist.gov/vuln/detail/CVE-2019-8615
[ 22 ] CVE-2019-8644
https://nvd.nist.gov/vuln/detail/CVE-2019-8644
[ 23 ] CVE-2019-8644
https://nvd.nist.gov/vuln/detail/CVE-2019-8644
[ 24 ] CVE-2019-8649
https://nvd.nist.gov/vuln/detail/CVE-2019-8649
[ 25 ] CVE-2019-8649
https://nvd.nist.gov/vuln/detail/CVE-2019-8649
[ 26 ] CVE-2019-8658
https://nvd.nist.gov/vuln/detail/CVE-2019-8658
[ 27 ] CVE-2019-8658
https://nvd.nist.gov/vuln/detail/CVE-2019-8658
[ 28 ] CVE-2019-8666
https://nvd.nist.gov/vuln/detail/CVE-2019-8666
[ 29 ] CVE-2019-8666
https://nvd.nist.gov/vuln/detail/CVE-2019-8666
[ 30 ] CVE-2019-8669
https://nvd.nist.gov/vuln/detail/CVE-2019-8669
[ 31 ] CVE-2019-8669
https://nvd.nist.gov/vuln/detail/CVE-2019-8669
[ 32 ] CVE-2019-8671
https://nvd.nist.gov/vuln/detail/CVE-2019-8671
[ 33 ] CVE-2019-8671
https://nvd.nist.gov/vuln/detail/CVE-2019-8671
[ 34 ] CVE-2019-8672
https://nvd.nist.gov/vuln/detail/CVE-2019-8672
[ 35 ] CVE-2019-8672
https://nvd.nist.gov/vuln/detail/CVE-2019-8672
[ 36 ] CVE-2019-8673
https://nvd.nist.gov/vuln/detail/CVE-2019-8673
[ 37 ] CVE-2019-8673
https://nvd.nist.gov/vuln/detail/CVE-2019-8673
[ 38 ] CVE-2019-8676
https://nvd.nist.gov/vuln/detail/CVE-2019-8676
[ 39 ] CVE-2019-8676
https://nvd.nist.gov/vuln/detail/CVE-2019-8676
[ 40 ] CVE-2019-8677
https://nvd.nist.gov/vuln/detail/CVE-2019-8677
[ 41 ] CVE-2019-8677
https://nvd.nist.gov/vuln/detail/CVE-2019-8677
[ 42 ] CVE-2019-8678
https://nvd.nist.gov/vuln/detail/CVE-2019-8678
[ 43 ] CVE-2019-8678
https://nvd.nist.gov/vuln/detail/CVE-2019-8678
[ 44 ] CVE-2019-8679
https://nvd.nist.gov/vuln/detail/CVE-2019-8679
[ 45 ] CVE-2019-8679
https://nvd.nist.gov/vuln/detail/CVE-2019-8679
[ 46 ] CVE-2019-8680
https://nvd.nist.gov/vuln/detail/CVE-2019-8680
[ 47 ] CVE-2019-8680
https://nvd.nist.gov/vuln/detail/CVE-2019-8680
[ 48 ] CVE-2019-8681
https://nvd.nist.gov/vuln/detail/CVE-2019-8681
[ 49 ] CVE-2019-8681
https://nvd.nist.gov/vuln/detail/CVE-2019-8681
[ 50 ] CVE-2019-8683
https://nvd.nist.gov/vuln/detail/CVE-2019-8683
[ 51 ] CVE-2019-8683
https://nvd.nist.gov/vuln/detail/CVE-2019-8683
[ 52 ] CVE-2019-8684
https://nvd.nist.gov/vuln/detail/CVE-2019-8684
[ 53 ] CVE-2019-8684
https://nvd.nist.gov/vuln/detail/CVE-2019-8684
[ 54 ] CVE-2019-8686
https://nvd.nist.gov/vuln/detail/CVE-2019-8686
[ 55 ] CVE-2019-8686
https://nvd.nist.gov/vuln/detail/CVE-2019-8686
[ 56 ] CVE-2019-8687
https://nvd.nist.gov/vuln/detail/CVE-2019-8687
[ 57 ] CVE-2019-8687
https://nvd.nist.gov/vuln/detail/CVE-2019-8687
[ 58 ] CVE-2019-8688
https://nvd.nist.gov/vuln/detail/CVE-2019-8688
[ 59 ] CVE-2019-8688
https://nvd.nist.gov/vuln/detail/CVE-2019-8688
[ 60 ] CVE-2019-8689
https://nvd.nist.gov/vuln/detail/CVE-2019-8689
[ 61 ] CVE-2019-8689
https://nvd.nist.gov/vuln/detail/CVE-2019-8689
[ 62 ] CVE-2019-8690
https://nvd.nist.gov/vuln/detail/CVE-2019-8690
[ 63 ] CVE-2019-8690
https://nvd.nist.gov/vuln/detail/CVE-2019-8690
[ 64 ] WSA-2019-0002
https://webkitgtk.org/security/WSA-2019-0002.html
[ 65 ] WSA-2019-0004
https://webkitgtk.org/security/WSA-2019-0004.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201909-05
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
.
CVE-2019-8649: Sergei Glazunov of Google Project Zero
Installation note:
Safari 12.1.2 may be obtained from the Mac App Store. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4515-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
September 04, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : webkit2gtk
CVE ID : CVE-2019-8644 CVE-2019-8649 CVE-2019-8658 CVE-2019-8666
CVE-2019-8669 CVE-2019-8671 CVE-2019-8672 CVE-2019-8673
CVE-2019-8676 CVE-2019-8677 CVE-2019-8678 CVE-2019-8679
CVE-2019-8680 CVE-2019-8681 CVE-2019-8683 CVE-2019-8684
CVE-2019-8686 CVE-2019-8687 CVE-2019-8688 CVE-2019-8689
CVE-2019-8690
Several vulnerabilities have been discovered in the webkit2gtk web
engine:
CVE-2019-8644
G. Geshev discovered memory corruption issues that can lead to
arbitrary code execution.
CVE-2019-8666
Zongming Wang and Zhe Jin discovered memory corruption issues that
can lead to arbitrary code execution.
CVE-2019-8669
akayn discovered memory corruption issues that can lead to
arbitrary code execution.
CVE-2019-8672
Samuel Gross discovered memory corruption issues that can lead to
arbitrary code execution.
CVE-2019-8673
Soyeon Park and Wen Xu discovered memory corruption issues that
can lead to arbitrary code execution.
CVE-2019-8676
Soyeon Park and Wen Xu discovered memory corruption issues that
can lead to arbitrary code execution.
CVE-2019-8677
Jihui Lu discovered memory corruption issues that can lead to
arbitrary code execution.
CVE-2019-8679
Jihui Lu discovered memory corruption issues that can lead to
arbitrary code execution.
CVE-2019-8680
Jihui Lu discovered memory corruption issues that can lead to
arbitrary code execution. Geshev discovered memory corruption issues that can lead to
arbitrary code execution.
CVE-2019-8683
lokihardt discovered memory corruption issues that can lead to
arbitrary code execution.
CVE-2019-8684
lokihardt discovered memory corruption issues that can lead to
arbitrary code execution. Geshev discovered memory corruption issues that can lead to
arbitrary code execution.
CVE-2019-8688
Insu Yun discovered memory corruption issues that can lead to
arbitrary code execution.
CVE-2019-8689
lokihardt discovered memory corruption issues that can lead to
arbitrary code execution.
You can see more details on the WebKitGTK and WPE WebKit Security
Advisory WSA-2019-0004.
For the stable distribution (buster), these problems have been fixed in
version 2.24.4-1~deb10u1.
We recommend that you upgrade your webkit2gtk packages.
Alternatively, on your watch, select "My Watch > General > About". -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-7-22-1 iOS 12.4
iOS 12.4 is now available and addresses the following:
Core Data
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero
Core Data
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8647: Samuel Groß and Natalie Silvanovich of Google Project
Zero
Core Data
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8660: Samuel Groß and Natalie Silvanovich of Google Project
Zero
FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8648: Tao Huang and Tielei Wang of Team Pangu
Found in Apps
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may be able to leak memory
Description: This issue was addressed with improved checks.
CVE-2019-8663: Natalie Silvanovich of Google Project Zero
Foundation
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project
Zero
Heimdal
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: An issue existed in Samba that may allow attackers to perform
unauthorized actions by intercepting communications between services
Description: This issue was addressed with improved checks to prevent
unauthorized actions.
CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team
and Catalyst
libxslt
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may be able to view sensitive information
Description: A stack overflow was addressed with improved input
validation.
CVE-2019-13118: found by OSS-Fuzz
Messages
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may cause an unexpected application
termination
Description: A denial of service issue was addressed with improved
validation.
CVE-2019-8665: Michael Hernandez of XYZ Marketing
Profiles
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A malicious application may be able to restrict access to
websites
Description: A validation issue existed in the entitlement
verification.
CVE-2019-8698: Luke Deshotels, Jordan Beichler, and William Enck of
North Carolina State University; Costin Carabaș and Răzvan
Deaconescu of University POLITEHNICA of Bucharest
Quick Look
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: An attacker may be able to trigger a use-after-free in an
application deserializing an untrusted NSDictionary
Description: This issue was addressed with improved checks.
CVE-2019-8662: Natalie Silvanovich and Samuel Groß of Google Project
Zero
Siri
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero
Telephony
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: The initiator of a phone call may be able to cause the
recipient to answer a simultaneous Walkie-Talkie connection
Description: A logic issue existed in the answering of phone calls.
CVE-2019-8699: Marius Alexandru Boeru (@mboeru) and an anonymous
researcher
UIFoundation
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: Parsing a maliciously crafted office document may lead to an
unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero
Day Initiative
Wallet
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A user may inadvertently complete an in-app purchase while on
the lock screen
Description: The issue was addressed with improved UI handling.
CVE-2019-8690: Sergei Glazunov of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of synchronous
page loads.
CVE-2019-8649: Sergei Glazunov of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day
Initiative
CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from
Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative
CVE-2019-8671: Samuel Groß of Google Project Zero
CVE-2019-8672: Samuel Groß of Google Project Zero
CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8677: Jihui Lu of Tencent KeenLab
CVE-2019-8678: an anonymous researcher, Anthony Lai (@darkfloyd1014)
of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin
(@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser
Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser
Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser
Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX
Browser Exploitation
CVE-2019-8679: Jihui Lu of Tencent KeenLab
CVE-2019-8680: Jihui Lu of Tencent KeenLab
CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8683: lokihardt of Google Project Zero
CVE-2019-8684: lokihardt of Google Project Zero
CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech,
Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL,
and Eric Lung (@Khlung1) of VXRL
CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day
Initiative
CVE-2019-8687: Apple
CVE-2019-8688: Insu Yun of SSLab at Georgia Tech
CVE-2019-8689: lokihardt of Google Project Zero
Additional recognition
Game Center
We would like to acknowledge Min (Spark) Zheng and Xiaolong Bai of
Alibaba Inc. for their assistance.
MobileInstallation
We would like to acknowledge Dany Lisiansky (@DanyL931) for their
assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 12.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAl01+gkACgkQeC9tht7T
K3GiqhAAqXvJwj2vzGGKsGDDyR1fIO3lHOGejNiKvnJ+lgLu5AN8z3LnYTG2RNJS
cjz1albBWwDAo0YUTWTdx1czBtJt4v4c+DjfTuzEurGVjgj1vyi2t8/PSVmR12Nm
IvFCTYHorirY8/PgX4Sn4AtVxDR/PN0TtDufqbAiySNlMEQ19GmcBIkzwkCtiBt4
f5ZWRsx/htr6b5bXKy/2boUHQTGTjimFILM0IA0nmYgidFBcdk19Oi8qnTLS5srd
5iRERVr8yE7tiqG6YBLINYi3cyCo6mVKe267T6yEko6QV7h4DMZNIODFVf5NDqG4
g8q3Ptvs+QNEV7rl5ranwjIQ5kXF01SoMf2VWzJ191/gRRIbto+JQ9o9sQP6bAHb
84YZoFFZp79z1CGIc3G+4DJUk8VvkREYsvB4CAqjFxOq8Dt+dArsf/ngfA5rImcK
sNUlcRraE5LmchkfRdKle2gI1r4wwmRocIfjTsTO3o5bxmJFlXhFmapuz3nnuPSR
XvOC9J7AbsfpdQypgQFt0iOnrDnI+jS6LGB+1XNJ3ULjZQy7ynNbKfDKpDE2g/Z4
KxxPkQ5wso4hRGrRszC1AFl9ZuJTl0LqqVdwlWOB1Cjz7389OcxzJakn6zHOSN+H
szVduQcxzxi6ZOsbEui0m8OypDkgA1WV1VDitBAEw58yHaOOtoU=
=OYVw
-----END PGP SIGNATURE-----
.
CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole
Tippenhauer of CISPA, Germany, and Prof |
|
var-202203-0145
|
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iTunes 12.12.3 for Windows, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the WebGLMultiDraw component. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2022-03-14-3 tvOS 15.4
tvOS 15.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213186.
AppleAVD
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted image may lead to heap
corruption
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-22666: Marc Schoenefeld, Dr. rer. nat.
AVEVideoEncoder
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2022-22634: an anonymous researcher
AVEVideoEncoder
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-22635: an anonymous researcher
AVEVideoEncoder
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-22636: an anonymous researcher
ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2022-22611: Xingyu Jin of Google
ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted image may lead to heap
corruption
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2022-22612: Xingyu Jin of Google
IOGPUFamily
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to gain elevated privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-22641: Mohamed Ghannam (@_simo36)
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-22613: Alex, an anonymous researcher
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-22614: an anonymous researcher
CVE-2022-22615: an anonymous researcher
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved state
management.
CVE-2022-22632: Keegan Saunders
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A null pointer dereference was addressed with improved
validation.
CVE-2022-22638: derrek (@derrekr6)
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-22640: sqrtpwn
MediaRemote
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to identify what other
applications a user has installed
Description: An access issue was addressed with improved access
restrictions.
CVE-2022-22670: Brandon Azad
Preferences
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to read other
applications' settings
Description: The issue was addressed with additional permissions
checks.
CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)
Sandbox
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: The issue was addressed with improved permissions logic.
CVE-2022-22600: Sudhakar Muthumani of Primefort Private Limited,
Khiem Tran
UIKit
Available for: Apple TV 4K and Apple TV HD
Impact: A person with physical access to an iOS device may be able to
see sensitive information via keyboard suggestions
Description: This issue was addressed with improved checks.
CVE-2022-22621: Joey Hewitt
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A cookie management issue was addressed with improved
state management.
WebKit Bugzilla: 232748
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A memory corruption issue was addressed with improved
state management.
WebKit Bugzilla: 232812
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
WebKit Bugzilla: 233172
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab
WebKit Bugzilla: 234147
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
WebKit Bugzilla: 234966
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro
Zero Day Initiative
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious website may cause unexpected cross-origin
behavior
Description: A logic issue was addressed with improved state
management.
WebKit Bugzilla: 235294
CVE-2022-22637: Tom McKee of Google
Additional recognition
Bluetooth
We would like to acknowledge an anonymous researcher for their
assistance.
Siri
We would like to acknowledge an anonymous researcher for their
assistance
syslog
We would like to acknowledge Yonghwi Jin (@jinmo123) of Theori for
their assistance.
UIKit
We would like to acknowledge Tim Shadel of Day Logger, Inc. for their
assistance.
WebKit
We would like to acknowledge Abdullah Md Shaleh for their assistance.
WebKit Storage
We would like to acknowledge Martin Bajanik of FingerprintJS for
their assistance.
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting "Settings ->
System -> Software Update -> Update Software." To check the current
version of software, select "Settings -> General -> About."
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmIvyxIACgkQeC9qKD1p
rhhDUg//VwUVUUj92pmEmjbj52uKnb1RZohn9dfkA9bESMzRy7wFwMUN973V2SPw
T6JpgCab0ZVNxBIfEXJq7wbi2Io08N0UMCE5GPNV0QL79x6ZmYwZREZwdHghrHGh
ggQtmYSZPipKLhvVOyXF7PamqHonnibbvfC/iWJSySnmPxQoHG7DoCzrX0wOnVBw
dkHEstKVo3eo2/OG/mGhYZw/g8EIAIDQbgP4XTD/m3hRnXbRMFff+7PgaE8cZzdY
45q8ExwqNOTdFoeqsKNmPBIzZJau9fWlekUlGpPXC1ASsiXmiptwvy07RbNLZ1N2
j2lFcLj7Ikzwiwsd7MBIFAMP0OWrT4Ds6YWdcgNX2iBkNoheqqt7AP4kOUnDP28Z
VXUriTbra9oPM0ctbZTBrmj7xiYjLbMJ4GRu2kIyGyTG9Wu9xEa3KH5Po1OR1Pxg
zG4gXdRIE241E26uee648uIFHhxRcgSdygXANnzkFv5/YslqQdccRD1F6FrJwqgn
V+ZFZ17zUhGW37F6Dmnd9LIo9GuiLl14qr1qfUoaQ+J+il2EV1UAv780wxQOuc4I
ZnvU4rEjaGmHwSh4/GDUTRFkI/fiA39WYpPkgXKN5yqHJG7AGENaROz3jnOxr/xU
JlVOleG7Z6MGdLwHG1i4QaBYrzadFZM20WsEOZ2twQzTVMQUyGk=qxuS
-----END PGP SIGNATURE-----
.
For the stable distribution (bullseye), these problems have been fixed in
version 2.36.0-2~deb11u1.
We recommend that you upgrade your wpewebkit packages.
Bug Fix(es):
* Cloning a Block DV to VM with Filesystem with not big enough size comes
to endless loop - using pvc api (BZ#2033191)
* Restart of VM Pod causes SSH keys to be regenerated within VM
(BZ#2087177)
* Import gzipped raw file causes image to be downloaded and uncompressed to
TMPDIR (BZ#2089391)
* [4.11] VM Snapshot Restore hangs indefinitely when backed by a
snapshotclass (BZ#2098225)
* Fedora version in DataImportCrons is not 'latest' (BZ#2102694)
* [4.11] Cloned VM's snapshot restore fails if the source VM disk is
deleted (BZ#2109407)
* CNV introduces a compliance check fail in "ocp4-moderate" profile -
routes-protected-by-tls (BZ#2110562)
* Nightly build: v4.11.0-578: index format was changed in 4.11 to
file-based instead of sqlite-based (BZ#2112643)
* Unable to start windows VMs on PSI setups (BZ#2115371)
* [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity
restricted:v1.24 (BZ#2128997)
* Mark Windows 11 as TechPreview (BZ#2129013)
* 4.11.1 rpms (BZ#2139453)
This advisory contains the following OpenShift Virtualization 4.11.1
images.
RHEL-8-CNV-4.11
virt-cdi-operator-container-v4.11.1-5
virt-cdi-uploadserver-container-v4.11.1-5
virt-cdi-apiserver-container-v4.11.1-5
virt-cdi-importer-container-v4.11.1-5
virt-cdi-controller-container-v4.11.1-5
virt-cdi-cloner-container-v4.11.1-5
virt-cdi-uploadproxy-container-v4.11.1-5
checkup-framework-container-v4.11.1-3
kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.11.1-7
kubevirt-tekton-tasks-create-datavolume-container-v4.11.1-7
kubevirt-template-validator-container-v4.11.1-4
virt-handler-container-v4.11.1-5
hostpath-provisioner-operator-container-v4.11.1-4
virt-api-container-v4.11.1-5
vm-network-latency-checkup-container-v4.11.1-3
cluster-network-addons-operator-container-v4.11.1-5
virtio-win-container-v4.11.1-4
virt-launcher-container-v4.11.1-5
ovs-cni-marker-container-v4.11.1-5
hyperconverged-cluster-webhook-container-v4.11.1-7
virt-controller-container-v4.11.1-5
virt-artifacts-server-container-v4.11.1-5
kubevirt-tekton-tasks-modify-vm-template-container-v4.11.1-7
kubevirt-tekton-tasks-disk-virt-customize-container-v4.11.1-7
libguestfs-tools-container-v4.11.1-5
hostpath-provisioner-container-v4.11.1-4
kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.11.1-7
kubevirt-tekton-tasks-copy-template-container-v4.11.1-7
cnv-containernetworking-plugins-container-v4.11.1-5
bridge-marker-container-v4.11.1-5
virt-operator-container-v4.11.1-5
hostpath-csi-driver-container-v4.11.1-4
kubevirt-tekton-tasks-create-vm-from-template-container-v4.11.1-7
kubemacpool-container-v4.11.1-5
hyperconverged-cluster-operator-container-v4.11.1-7
kubevirt-ssp-operator-container-v4.11.1-4
ovs-cni-plugin-container-v4.11.1-5
kubevirt-tekton-tasks-cleanup-vm-container-v4.11.1-7
kubevirt-tekton-tasks-operator-container-v4.11.1-2
cnv-must-gather-container-v4.11.1-8
kubevirt-console-plugin-container-v4.11.1-9
hco-bundle-registry-container-v4.11.1-49
3. Bugs fixed (https://bugzilla.redhat.com/):
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service
5. JIRA issues fixed (https://issues.jboss.org/):
LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster
LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch
LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs
LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated.
LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types.
LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value
LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed
LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue
LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console
LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config
6.
This release includes security and bug fixes, and enhancements. Bugs fixed (https://bugzilla.redhat.com/):
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
2142799 - Release of OpenShift Serverless Serving 1.26.0
2142801 - Release of OpenShift Serverless Eventing 1.26.0
5. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Virtualization 4.12.0 Images security update
Advisory ID: RHSA-2023:0408-01
Product: cnv
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0408
Issue date: 2023-01-24
CVE Names: CVE-2015-20107 CVE-2016-3709 CVE-2020-0256
CVE-2020-35525 CVE-2020-35527 CVE-2021-0308
CVE-2021-38561 CVE-2021-44716 CVE-2021-44717
CVE-2022-0391 CVE-2022-0934 CVE-2022-1292
CVE-2022-1304 CVE-2022-1586 CVE-2022-1705
CVE-2022-1785 CVE-2022-1798 CVE-2022-1897
CVE-2022-1927 CVE-2022-1962 CVE-2022-2068
CVE-2022-2097 CVE-2022-2509 CVE-2022-3515
CVE-2022-3787 CVE-2022-22624 CVE-2022-22628
CVE-2022-22629 CVE-2022-22662 CVE-2022-23772
CVE-2022-23773 CVE-2022-23806 CVE-2022-24795
CVE-2022-25308 CVE-2022-25309 CVE-2022-25310
CVE-2022-26700 CVE-2022-26709 CVE-2022-26710
CVE-2022-26716 CVE-2022-26717 CVE-2022-26719
CVE-2022-27404 CVE-2022-27405 CVE-2022-27406
CVE-2022-28131 CVE-2022-29526 CVE-2022-30293
CVE-2022-30629 CVE-2022-30630 CVE-2022-30631
CVE-2022-30632 CVE-2022-30633 CVE-2022-30635
CVE-2022-30698 CVE-2022-30699 CVE-2022-32148
CVE-2022-32206 CVE-2022-32208 CVE-2022-34903
CVE-2022-37434 CVE-2022-40674 CVE-2022-42898
====================================================================
1. Summary:
Red Hat OpenShift Virtualization release 4.12 is now available with updates
to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform. This advisory contains the following
OpenShift Virtualization 4.12.0 images:
Security Fix(es):
* golang: net/http: limit growth of header canonicalization cache
(CVE-2021-44716)
* kubeVirt: Arbitrary file read on the host from KubeVirt VMs
(CVE-2022-1798)
* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)
* golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)
* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)
* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)
* golang: math/big: uncontrolled memory consumption due to an unhandled
overflow via Rat.SetString (CVE-2022-23772)
* golang: cmd/go: misinterpretation of branch names can lead to incorrect
access control (CVE-2022-23773)
* golang: crypto/elliptic: IsOnCurve returns true for invalid field
elements (CVE-2022-23806)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: syscall: faccessat checks wrong group (CVE-2022-29526)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)
* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
RHEL-8-CNV-4.12
=============
bridge-marker-container-v4.12.0-24
cluster-network-addons-operator-container-v4.12.0-24
cnv-containernetworking-plugins-container-v4.12.0-24
cnv-must-gather-container-v4.12.0-58
hco-bundle-registry-container-v4.12.0-769
hostpath-csi-driver-container-v4.12.0-30
hostpath-provisioner-container-v4.12.0-30
hostpath-provisioner-operator-container-v4.12.0-31
hyperconverged-cluster-operator-container-v4.12.0-96
hyperconverged-cluster-webhook-container-v4.12.0-96
kubemacpool-container-v4.12.0-24
kubevirt-console-plugin-container-v4.12.0-182
kubevirt-ssp-operator-container-v4.12.0-64
kubevirt-tekton-tasks-cleanup-vm-container-v4.12.0-55
kubevirt-tekton-tasks-copy-template-container-v4.12.0-55
kubevirt-tekton-tasks-create-datavolume-container-v4.12.0-55
kubevirt-tekton-tasks-create-vm-from-template-container-v4.12.0-55
kubevirt-tekton-tasks-disk-virt-customize-container-v4.12.0-55
kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.12.0-55
kubevirt-tekton-tasks-modify-vm-template-container-v4.12.0-55
kubevirt-tekton-tasks-operator-container-v4.12.0-40
kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.12.0-55
kubevirt-template-validator-container-v4.12.0-32
libguestfs-tools-container-v4.12.0-255
ovs-cni-marker-container-v4.12.0-24
ovs-cni-plugin-container-v4.12.0-24
virt-api-container-v4.12.0-255
virt-artifacts-server-container-v4.12.0-255
virt-cdi-apiserver-container-v4.12.0-72
virt-cdi-cloner-container-v4.12.0-72
virt-cdi-controller-container-v4.12.0-72
virt-cdi-importer-container-v4.12.0-72
virt-cdi-operator-container-v4.12.0-72
virt-cdi-uploadproxy-container-v4.12.0-71
virt-cdi-uploadserver-container-v4.12.0-72
virt-controller-container-v4.12.0-255
virt-exportproxy-container-v4.12.0-255
virt-exportserver-container-v4.12.0-255
virt-handler-container-v4.12.0-255
virt-launcher-container-v4.12.0-255
virt-operator-container-v4.12.0-255
virtio-win-container-v4.12.0-10
vm-network-latency-checkup-container-v4.12.0-89
3. Solution:
Before applying this update, you must apply all previously released errata
relevant to your system.
To apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1719190 - Unable to cancel live-migration if virt-launcher pod in pending state
2023393 - [CNV] [UI]Additional information needed for cloning when default storageclass in not defined in target datavolume
2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error
2040377 - Unable to delete failed VMIM after VM deleted
2046298 - mdevs not configured with drivers installed, if mdev config added to HCO CR before drivers are installed
2052556 - Metric "kubevirt_num_virt_handlers_by_node_running_virt_launcher" reporting incorrect value
2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements
2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
2060499 - [RFE] Cannot add additional service (or other objects) to VM template
2069098 - Large scale |VMs migration is slow due to low migration parallelism
2070366 - VM Snapshot Restore hangs indefinitely when backed by a snapshotclass
2071491 - Storage Throughput metrics are incorrect in Overview
2072797 - Metrics in Virtualization -> Overview period is not clear or configurable
2072821 - Top Consumers of Storage Traffic in Kubevirt Dashboard giving unexpected numbers
2079916 - KubeVirt CR seems to be in DeploymentInProgress state and not recovering
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
2086285 - [dark mode] VirtualMachine - in the Utilization card the percentages and the graphs not visible enough in dark mode
2086551 - Min CPU feature found in labels
2087724 - Default template show no boot source even there are auto-upload boot sources
2088129 - [SSP] webhook does not comply with restricted security context
2088464 - [CDI] cdi-deployment does not comply with restricted security context
2089391 - Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR
2089744 - HCO should label its control plane namespace to admit pods at privileged security level
2089751 - 4.12.0 containers
2089804 - 4.12.0 rpms
2091856 - ?Edit BootSource? action should have more explicit information when disabled
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2092796 - [RFE] CPU|Memory display in the template card is not consistent with the display in the template drawer
2093771 - The disk source should be PVC if the template has no auto-update boot source
2093996 - kubectl get vmi API should always return primary interface if exist
2094202 - Cloud-init username field should have hint
2096285 - KubeVirt CR API documentation is missing docs for many fields
2096780 - [RFE] Add ssh-key and sysprep to template scripts tab
2097436 - Online disk expansion ignores filesystem overhead change
2097586 - AccessMode should stay on ReadWriteOnce while editing a disk with storage class HPP
2099556 - [RFE] Add option to enable RDP service for windows vm
2099573 - [RFE] Improve template's message about not editable
2099923 - [RFE] Merge "SSH access" and "SSH command" into one
2100290 - Error is not dismissed on catalog review page
2100436 - VM list filtering ignores VMs in error-states
2100442 - [RFE] allow enabling and disabling SSH service while VM is shut down
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2100629 - Update nested support KBASE article
2100679 - The number of hardware devices is not correct in vm overview tab
2100682 - All hardware devices get deleted while just delete one
2100684 - Workload profile are not editable during creation and after creation
2101144 - VM filter has two "Other" checkboxes which are triggered together
2101164 - [dark mode] Number of alerts in Alerts card not visible enough in dark mode
2101167 - Edit buttons clickable area is too large.
2101333 - [e2e] elements on Template Scheduling tab are missing proper data-test-id
2101335 - Clone action enabled in VM list kebab button for a VM in CrashLoopBackOff state
2101390 - Easy to miss the "tick" when adding GPU device to vm via UI
2101394 - [e2e] elements on VM Scripts tab are missing proper data-test-id
2101423 - wrong user name on using ignition
2101430 - Using CLOUD_USER_PASSWORD in Templates parameters breaks VM review page
2101445 - "Pending changes - Boot Order"
2101454 - Cannot add PVC boot source to template in 'Edit Boot Source Reference' view as a non-priv user
2101499 - Cannot add NIC to VM template as non-priv user
2101501 - NAME parameter in VM template has no effect.
2101628 - non-priv user cannot load dataSource while edit template's rootdisk
2101667 - VMI view is not aligned with vm and tempates
2101681 - All templates are labeling "source available" in template list page
2102074 - VM Creation time on VM Overview Details card lacks string
2102125 - vm clone modal is displaying DV size instead of PVC size
2102132 - align the utilization card of single VM overview with the design
2102138 - Should the word "new" be removed from "Create new VirtualMachine from catalog"?
2102256 - Add button moved to right
2102448 - VM disk is deleted by uncheck "Delete disks (1x)" on delete modal
2102475 - Template 'vm-template-example' should be filtered by 'Fedora' rather than 'Other'
2102561 - sysprep-info should link to downstream doc
2102737 - Clone a VM should lead to vm overview tab
2102740 - "Save" button on vm clone modal should be "Clone"
2103806 - "404: Not Found" appears shortly by clicking the PVC link on vm disk tab
2103807 - PVC is not named by VM name while creating vm quickly
2103817 - Workload profile values in vm details should align with template's value
2103844 - VM nic model is empty
2104331 - VM list page scroll up automatically
2104402 - VM create button is not enabled while adding multiple environment disks
2104422 - Storage status report "OpenShift Data Foundation is not available" even the operator is installed
2104424 - Enable descheduler or hide it on template's scheduling tab
2104479 - [4.12] Cloned VM's snapshot restore fails if the source VM disk is deleted
2104480 - Alerts in VM overview tab disappeared after a few seconds
2104785 - "Add disk" and "Disks" are on the same line
2104859 - [RFE] Add "Copy SSH command" to VM action list
2105257 - Can't set log verbosity level for virt-operator pod
2106175 - All pages are crashed after visit Virtualization -> Overview
2106963 - Cannot add configmap for windows VM
2107279 - VM Template's bootable disk can be marked as bootable
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
2108339 - datasource does not provide timestamp when updated
2108638 - When chosing a vm or template while in all-namespace, and returning to list, namespace is changed
2109818 - Upstream metrics documentation is not detailed enough
2109975 - DataVolume fails to import "cirros-container-disk-demo" image
2110256 - Storage -> PVC -> upload data, does not support source reference
2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls
2111240 - GiB changes to B in Template's Edit boot source reference modal
2111292 - kubevirt plugin console is crashed after creating a vm with 2 nics
2111328 - kubevirt plugin console crashed after visit vmi page
2111378 - VM SSH command generated by UI points at api VIP
2111744 - Cloned template should not label `app.kubernetes.io/name: common-templates`
2111794 - the virtlogd process is taking too much RAM! (17468Ki > 17Mi)
2112900 - button style are different
2114516 - Nothing happens after clicking on Fedora cloud image list link
2114636 - The style of displayed items are not unified on VM tabs
2114683 - VM overview tab is crashed just after the vm is created
2115257 - Need to Change system-product-name to "OpenShift Virtualization" in CNV-4.12
2115258 - The storageclass of VM disk is different from quick created and customize created after changed the default storageclass
2115280 - [e2e] kubevirt-e2e-aws see two duplicated navigation items
2115769 - Machine type is updated to rhel8.6.0 in KV CR but not in Templates
2116225 - The filter keyword of the related operator 'Openshift Data Foundation' is 'OCS' rather than 'ODF'
2116644 - Importer pod is failing to start with error "MountVolume.SetUp failed for volume "cdi-proxy-cert-vol" : configmap "custom-ca" not found"
2117549 - Cannot edit cloud-init data after add ssh key
2117803 - Cannot edit ssh even vm is stopped
2117813 - Improve descriptive text of VM details while VM is off
2117872 - CVE-2022-1798 kubeVirt: Arbitrary file read on the host from KubeVirt VMs
2118257 - outdated doc link tolerations modal
2118823 - Deprecated API 1.25 call: virt-cdi-controller/v0.0.0 (linux/amd64) kubernetes/$Format
2119069 - Unable to start windows VMs on PSI setups
2119128 - virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
2119309 - readinessProbe in VM stays on failed
2119615 - Change the disk size causes the unit changed
2120907 - Cannot filter disks by label
2121320 - Negative values in migration metrics
2122236 - Failing to delete HCO with SSP sticking around
2122990 - VMExport should check APIGroup
2124147 - "ReadOnlyMany" should not be added to supported values in memory dump
2124307 - Ui crash/stuck on loading when trying to detach disk on a VM
2124528 - On upgrade, when live-migration is failed due to an infra issue, virt-handler continuously and endlessly tries to migrate it
2124555 - View documentation link on MigrationPolicies page des not work
2124557 - MigrationPolicy description is not displayed on Details page
2124558 - Non-privileged user can start MigrationPolicy creation
2124565 - Deleted DataSource reappears in list
2124572 - First annotation can not be added to DataSource
2124582 - Filtering VMs by OS does not work
2124594 - Docker URL validation is inconsistent over application
2124597 - Wrong case in Create DataSource menu
2126104 - virtctl image-upload hangs waiting for pod to be ready with missing access mode defined in the storage profile
2126397 - many KubeVirtComponentExceedsRequestedMemory alerts in Firing state
2127787 - Expose the PVC source of the dataSource on UI
2127843 - UI crashed by selecting "Live migration network"
2127931 - Change default time range on Virtualization -> Overview -> Monitoring dashboard to 30 minutes
2127947 - cluster-network-addons-config tlsSecurityProfle takes a long time to update after setting APIServer
2128002 - Error after VM template deletion
2128107 - sriov-manage command fails to enable SRIOV Virtual functions on the Ampere GPU Cards
2128872 - [4.11]Can't restore cloned VM
2128948 - Cannot create DataSource from default YAML
2128949 - Cannot create MigrationPolicy from example YAML
2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
2129013 - Mark Windows 11 as TechPreview
2129234 - Service is not deleted along with the VM when the VM is created from a template with service
2129301 - Cloud-init network data don't wipe out on uncheck checkbox 'Add network data'
2129870 - crypto-policy : Accepting TLS 1.3 connections by validating webhook
2130509 - Auto image import in failed state with data sources pointing to external manually-created PVC/DV
2130588 - crypto-policy : Common Ciphers support by apiserver and hco
2130695 - crypto-policy : Logging Improvement and publish the source of ciphers
2130909 - Non-privileged user can start DataSource creation
2131157 - KV data transfer rate chart in VM Metrics tab is not displayed
2131165 - [dark mode] Additional statuses accordion on Virtualization Overview page not visible enough
2131674 - Bump virtlogd memory requirement to 20Mi
2132031 - Ensure Windows 2022 Templates are marked as TechPreview like it is done now for Windows 11
2132682 - Default YAML entity name convention.
2132721 - Delete dialogs
2132744 - Description text is missing in Live Migrations section
2132746 - Background is broken in Virtualization Monitoring page
2132783 - VM can not be created from Template with edited boot source
2132793 - Edited Template BSR is not saved
2132932 - Typo in PVC size units menu
2133540 - [pod security violation audit] Audit violation in "cni-plugins" container should be fixed
2133541 - [pod security violation audit] Audit violation in "bridge-marker" container should be fixed
2133542 - [pod security violation audit] Audit violation in "manager" container should be fixed
2133543 - [pod security violation audit] Audit violation in "kube-rbac-proxy" container should be fixed
2133655 - [pod security violation audit] Audit violation in "cdi-operator" container should be fixed
2133656 - [4.12][pod security violation audit] Audit violation in "hostpath-provisioner-operator" container should be fixed
2133659 - [pod security violation audit] Audit violation in "cdi-controller" container should be fixed
2133660 - [pod security violation audit] Audit violation in "cdi-source-update-poller" container should be fixed
2134123 - KubeVirtComponentExceedsRequestedMemory Alert for virt-handler pod
2134672 - [e2e] add data-test-id for catalog -> storage section
2134825 - Authorization for expand-spec endpoint missing
2135805 - Windows 2022 template is missing vTPM and UEFI params in spec
2136051 - Name jumping when trying to create a VM with source from catalog
2136425 - Windows 11 is detected as Windows 10
2136534 - Not possible to specify a TTL on VMExports
2137123 - VMExport: export pod is not PSA complaint
2137241 - Checkbox about delete vm disks is not loaded while deleting VM
2137243 - registery input add docker prefix twice
2137349 - "Manage source" action infinitely loading on DataImportCron details page
2137591 - Inconsistent dialog headings/titles
2137731 - Link of VM status in overview is not working
2137733 - No link for VMs in error status in "VirtualMachine statuses" card
2137736 - The column name "MigrationPolicy name" can just be "Name"
2137896 - crypto-policy: HCO should pick TLSProfile from apiserver if not provided explicitly
2138112 - Unsupported S3 endpoint option in Add disk modal
2138119 - "Customize VirtualMachine" flow is not user-friendly because settings are split into 2 modals
2138199 - Win11 and Win22 templates are not filtered properly by Template provider
2138653 - Saving Template prameters reloads the page
2138657 - Setting DATA_SOURCE_* Template parameters makes VM creation fail
2138664 - VM that was created with SSH key fails to start
2139257 - Cannot add disk via "Using an existing PVC"
2139260 - Clone button is disabled while VM is running
2139293 - Non-admin user cannot load VM list page
2139296 - Non-admin cannot load MigrationPolicies page
2139299 - No auto-generated VM name while creating VM by non-admin user
2139306 - Non-admin cannot create VM via customize mode
2139479 - virtualization overview crashes for non-priv user
2139574 - VM name gets "emptyname" if click the create button quickly
2139651 - non-priv user can click create when have no permissions
2139687 - catalog shows template list for non-priv users
2139738 - [4.12]Can't restore cloned VM
2139820 - non-priv user cant reach vm details
2140117 - Provide upgrade path from 4.11.1->4.12.0
2140521 - Click the breadcrumb list about "VirtualMachines" goes to undefined project
2140534 - [View only] it should give a permission error when user clicking the VNC play/connect button as a view only user
2140627 - Not able to select storageClass if there is no default storageclass defined
2140730 - Links on Virtualization Overview page lead to wrong namespace for non-priv user
2140808 - Hyperv feature set to "enabled: false" prevents scheduling
2140977 - Alerts number is not correct on Virtualization overview
2140982 - The base template of cloned template is "Not available"
2140998 - Incorrect information shows in overview page per namespace
2141089 - Unable to upload boot images.
2141302 - Unhealthy states alerts and state metrics are missing
2141399 - Unable to set TLS Security profile for CDI using HCO jsonpatch annotations
2141494 - "Start in pause mode" option is not available while creating the VM
2141654 - warning log appearing on VMs: found no SR-IOV networks
2141711 - Node column selector is redundant for non-priv user
2142468 - VM action "Stop" should not be disabled when VM in pause state
2142470 - Delete a VM or template from all projects leads to 404 error
2142511 - Enhance alerts card in overview
2142647 - Error after MigrationPolicy deletion
2142891 - VM latency checkup: Failed to create the checkup's Job
2142929 - Permission denied when try get instancestypes
2143268 - Topolvm storageProfile missing accessModes and volumeMode
2143498 - Could not load template while creating VM from catalog
2143964 - Could not load template while creating VM from catalog
2144580 - "?" icon is too big in VM Template Disk tab
2144828 - "?" icon is too big in VM Template Disk tab
2144839 - Alerts number is not correct on Virtualization overview
2153849 - After upgrade to 4.11.1->4.12.0 hco.spec.workloadUpdateStrategy value is getting overwritten
2155757 - Incorrect upstream-version label "v1.6.0-unstable-410-g09ea881c" is tagged to 4.12 hyperconverged-cluster-operator-container and hyperconverged-cluster-webhook-container
5. References:
https://access.redhat.com/security/cve/CVE-2015-20107
https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-0256
https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2021-0308
https://access.redhat.com/security/cve/CVE-2021-38561
https://access.redhat.com/security/cve/CVE-2021-44716
https://access.redhat.com/security/cve/CVE-2021-44717
https://access.redhat.com/security/cve/CVE-2022-0391
https://access.redhat.com/security/cve/CVE-2022-0934
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1798
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-3787
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-23772
https://access.redhat.com/security/cve/CVE-2022-23773
https://access.redhat.com/security/cve/CVE-2022-23806
https://access.redhat.com/security/cve/CVE-2022-24795
https://access.redhat.com/security/cve/CVE-2022-25308
https://access.redhat.com/security/cve/CVE-2022-25309
https://access.redhat.com/security/cve/CVE-2022-25310
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27404
https://access.redhat.com/security/cve/CVE-2022-27405
https://access.redhat.com/security/cve/CVE-2022-27406
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-29526
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-30698
https://access.redhat.com/security/cve/CVE-2022-30699
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-40674
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. Bugs fixed (https://bugzilla.redhat.com/):
2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process
2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
2156683 - CVE-2020-36567 gin: Unsanitized input in the default logger in github.com/gin-gonic/gin
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
5. JIRA issues fixed (https://issues.jboss.org/):
MTA-103 - MTA 6.0.1 Installation failed with CrashLoop Error for UI Pod
MTA-106 - Implement ability for windup addon image pull policy to be configurable
MTA-122 - MTA is upgrading automatically ignoring 'Manual' setting
MTA-123 - MTA Becomes unusable when running bulk binary analysis
MTA-127 - After upgrading MTA operator from 6.0.0 to 6.0.1 and running analysis , task pods starts failing
MTA-131 - Analysis stops working after MTA upgrade from 6.0.0 to 6.0.1
MTA-36 - Can't disable a proxy if it has an invalid configuration
MTA-44 - Make RWX volumes optional.
MTA-49 - Uploaded a local binary when return back to the page the UI should show green bar and correct %
MTA-59 - Getting error 401 if deleting many credentials quickly
MTA-65 - Set windup addon image pull policy to be controlled by the global image_pull_policy parameter
MTA-72 - CVE-2022-46175 mta-ui-container: json5: Prototype Pollution in JSON5 via Parse Method [mta-6]
MTA-73 - CVE-2022-37601 mta-ui-container: loader-utils: prototype pollution in function parseQuery in parseQuery.js [mta-6]
MTA-74 - CVE-2020-36567 mta-windup-addon-container: gin: Unsanitized input in the default logger in github.com/gin-gonic/gin [mta-6]
MTA-76 - CVE-2022-37603 mta-ui-container: loader-utils:Regular expression denial of service [mta-6]
MTA-77 - CVE-2020-36567 mta-hub-container: gin: Unsanitized input in the default logger in github.com/gin-gonic/gin [mta-6]
MTA-80 - CVE-2021-35065 mta-ui-container: glob-parent: Regular Expression Denial of Service [mta-6]
MTA-82 - CVE-2022-42920 org.jboss.windup-windup-cli-parent: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [mta-6.0]
MTA-85 - CVE-2022-24999 mta-ui-container: express: "qs" prototype poisoning causes the hang of the node process [mta-6]
MTA-88 - CVE-2020-36567 mta-admin-addon-container: gin: Unsanitized input in the default logger in github.com/gin-gonic/gin [mta-6]
MTA-92 - CVE-2022-42920 org.jboss.windup.plugin-windup-maven-plugin-parent: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [mta-6.0]
MTA-96 - [UI] Maven -> "Local artifact repository" textbox can be checked and has no tooltip
6. Description:
Red Hat Advanced Cluster Management for Kubernetes 2.6.3 images
Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/
Bugs addressed:
* clusters belong to global clusterset is not selected by placement when
rescheduling (BZ# 2129679)
* RHACM 2.6.3 images (BZ# 2139085)
Security fixes:
* CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
Security
* CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML
responses containing multiple Assertion elements
3. Bugs fixed (https://bugzilla.redhat.com/):
2129679 - clusters belong to global clusterset is not selected by placement when rescheduling
2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
2139085 - RHACM 2.6.3 images
2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements
5 |
|
var-201912-1847
|
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, watchOS 6.1, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * * information leak * * User impersonation * * Arbitrary code execution * * UI Spoofing * * Insufficient access restrictions * * Service operation interruption (DoS) * * Privilege escalation * * Memory corruption * * Authentication bypass. Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A security vulnerability exists in the WebKit component of several Apple products. The following products and versions are affected: Apple watchOS prior to 6.1; Safari prior to 13.0.3; iOS prior to 13.2; iPadOS prior to 13.2; tvOS prior to 13.2; Windows-based iCloud prior to 11.0; Windows-based iTunes 12.10 .2 version; versions prior to iCloud 7.15 based on the Windows platform. WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded. (CVE-2019-6237)
WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge. (CVE-2019-8601)
An out-of-bounds read was addressed with improved input validation. (CVE-2019-8644)
A logic issue existed in the handling of synchronous page loads. (CVE-2019-8689)
A logic issue existed in the handling of document loads. (CVE-2019-8719)
This fixes a remote code execution in webkitgtk4. No further details are available in NIST. This issue is fixed in watchOS 6.1. This issue is fixed in watchOS 6.1. This issue is fixed in watchOS 6.1. (CVE-2019-8766)
"Clear History and Website Data" did not clear the history. The issue was addressed with improved data deletion. This issue is fixed in macOS Catalina 10.15. A user may be unable to delete browsing history items. (CVE-2019-8768)
An issue existed in the drawing of web page elements. This issue is fixed in iOS 13.1 and iPadOS 13.1, macOS Catalina 10.15. Visiting a maliciously crafted website may reveal browsing history. (CVE-2019-8769)
This issue was addressed with improved iframe sandbox enforcement. (CVE-2019-8846)
WebKitGTK up to and including 2.26.4 and WPE WebKit up to and including 2.26.4 (which are the versions right prior to 2.28.0) contains a memory corruption issue (use-after-free) that may lead to arbitrary code execution. (CVE-2020-10018)
A use-after-free flaw exists in WebKitGTK. This flaw allows remote malicious users to execute arbitrary code or cause a denial of service. A malicious website may be able to cause a denial of service. A DOM object context may not have had a unique security origin. A file URL may be incorrectly processed. (CVE-2020-3885)
A race condition was addressed with additional validation. An application may be able to read restricted memory. (CVE-2020-3901)
An input validation issue was addressed with improved input validation. (CVE-2020-3902). In addition to persistent storage, Red Hat
OpenShift Container Storage provisions a multicloud data management service
with an S3 compatible API.
These updated images include numerous security fixes, bug fixes, and
enhancements. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):
1806266 - Require an extension to the cephfs subvolume commands, that can return metadata regarding a subvolume
1813506 - Dockerfile not compatible with docker and buildah
1817438 - OSDs not distributed uniformly across OCS nodes on a 9-node AWS IPI setup
1817850 - [BAREMETAL] rook-ceph-operator does not reconcile when osd deployment is deleted when performed node replacement
1827157 - OSD hitting default CPU limit on AWS i3en.2xlarge instances limiting performance
1829055 - [RFE] add insecureEdgeTerminationPolicy: Redirect to noobaa mgmt route (http to https)
1833153 - add a variable for sleep time of rook operator between checks of downed OSD+Node.
1836299 - NooBaa Operator deploys with HPA that fires maxreplicas alerts by default
1842254 - [NooBaa] Compression stats do not add up when compression id disabled
1845976 - OCS 4.5 Independent mode: must-gather commands fails to collect ceph command outputs from external cluster
1849771 - [RFE] Account created by OBC should have same permissions as bucket owner
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1854500 - [tracker-rhcs bug 1838931] mgr/volumes: add command to return metadata of a subvolume snapshot
1854501 - [Tracker-rhcs bug 1848494 ]pybind/mgr/volumes: Add the ability to keep snapshots of subvolumes independent of the source subvolume
1854503 - [tracker-rhcs-bug 1848503] cephfs: Provide alternatives to increase the total cephfs subvolume snapshot counts to greater than the current 400 across a Cephfs volume
1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
1858195 - [GSS] registry pod stuck in ContainerCreating due to pvc from cephfs storage class fail to mount
1859183 - PV expansion is failing in retry loop in pre-existing PV after upgrade to OCS 4.5 (i.e. if the PV spec does not contain expansion params)
1859229 - Rook should delete extra MON PVCs in case first reconcile takes too long and rook skips "b" and "c" (spawned from Bug 1840084#c14)
1859478 - OCS 4.6 : Upon deployment, CSI Pods in CLBO with error - flag provided but not defined: -metadatastorage
1860022 - OCS 4.6 Deployment: LBP CSV and pod should not be deployed since ob/obc CRDs are owned from OCS 4.5 onwards
1860034 - OCS 4.6 Deployment in ocs-ci : Toolbox pod in ContainerCreationError due to key admin-secret not found
1860670 - OCS 4.5 Uninstall External: Openshift-storage namespace in Terminating state as CephObjectStoreUser had finalizers remaining
1860848 - Add validation for rgw-pool-prefix in the ceph-external-cluster-details-exporter script
1861780 - [Tracker BZ1866386][IBM s390x] Mount Failed for CEPH while running couple of OCS test cases.
1865938 - CSIDrivers missing in OCS 4.6
1867024 - [ocs-operator] operator v4.6.0-519.ci is in Installing state
1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
1868060 - [External Cluster] Noobaa-default-backingstore PV in released state upon OCS 4.5 uninstall (Secret not found)
1868703 - [rbd] After volume expansion, the new size is not reflected on the pod
1869411 - capture full crash information from ceph
1870061 - [RHEL][IBM] OCS un-install should make the devices raw
1870338 - OCS 4.6 must-gather : ocs-must-gather-xxx-helper pod in ContainerCreationError (couldn't find key admin-secret)
1870631 - OCS 4.6 Deployment : RGW pods went into 'CrashLoopBackOff' state on Z Platform
1872119 - Updates don't work on StorageClass which will keep PV expansion disabled for upgraded cluster
1872696 - [ROKS][RFE]NooBaa Configure IBM COS as default backing store
1873864 - Noobaa: On an baremetal RHCOS cluster, some backingstores are stuck in PROGRESSING state with INVALID_ENDPOINT TemporaryError
1874606 - CVE-2020-7720 nodejs-node-forge: prototype pollution via the util.setPath function
1875476 - Change noobaa logo in the noobaa UI
1877339 - Incorrect use of logr
1877371 - NooBaa UI warning message on Deploy Kubernetes Pool process - typo and shown number is incorrect
1878153 - OCS 4.6 must-gather: collect node information under cluster_scoped_resources/oc_output directory
1878714 - [FIPS enabled] BadDigest error on file upload to noobaa bucket
1878853 - [External Mode] ceph-external-cluster-details-exporter.py does not tolerate TLS enabled RGW
1879008 - ocs-osd-removal job fails because it can't find admin-secret in rook-ceph-mon secret
1879072 - Deployment with encryption at rest is failing to bring up OSD pods
1879919 - [External] Upgrade mechanism from OCS 4.5 to OCS 4.6 needs to be fixed
1880255 - Collect rbd info and subvolume info and snapshot info command output
1881028 - CVE-2020-8237 nodejs-json-bigint: Prototype pollution via `__proto__` assignment could result in DoS
1881071 - [External] Upgrade mechanism from OCS 4.5 to OCS 4.6 needs to be fixed
1882397 - MCG decompression problem with snappy on s390x arch
1883253 - CSV doesn't contain values required for UI to enable minimal deployment and cluster encryption
1883398 - Update csi sidecar containers in rook
1883767 - Using placement strategies in cluster-service.yaml causes ocs-operator to crash
1883810 - [External mode] RGW metrics is not available after OCS upgrade from 4.5 to 4.6
1883927 - Deployment with encryption at rest is failing to bring up OSD pods
1885175 - Handle disappeared underlying device for encrypted OSD
1885428 - panic seen in rook-ceph during uninstall - "close of closed channel"
1885648 - [Tracker for https://bugzilla.redhat.com/show_bug.cgi?id=1885700] FSTYPE for localvolumeset devices shows up as ext2 after uninstall
1885971 - ocs-storagecluster-cephobjectstore doesn't report true state of RGW
1886308 - Default VolumeSnapshot Classes not created in External Mode
1886348 - osd removal job failed with status "Error"
1886551 - Clone creation failed after timeout of 5 hours of Azure platrom for 3 CephFS PVCs ( PVC sizes: 1, 25 and 100 GB)
1886709 - [External] RGW storageclass disappears after upgrade from OCS 4.5 to 4.6
1886859 - OCS 4.6: Uninstall stuck indefinitely if any Ceph pods are in Pending state before uninstall
1886873 - [OCS 4.6 External/Internal Uninstall] - Storage Cluster deletion stuck indefinitely, "failed to delete object store", remaining users: [noobaa-ceph-objectstore-user]
1888583 - [External] When deployment is attempted without specifying the monitoring-endpoint while generating JSON, the CSV is stuck in installing state
1888593 - [External] Add validation for monitoring-endpoint and port in the exporter script
1888614 - [External] Unreachable monitoring-endpoint used during deployment causes ocs-operator to crash
1889441 - Traceback error message while running OCS 4.6 must-gather
1889683 - [GSS] Noobaa Problem when setting public access to a bucket
1889866 - Post node power off/on, an unused MON PVC still stays back in the cluster
1890183 - [External] ocs-operator logs are filled with "failed to reconcile metrics exporter"
1890638 - must-gather helper pod should be deleted after collecting ceph crash info
1890971 - [External] RGW metrics are not available if anything else except 9283 is provided as the monitoring-endpoint-port
1891856 - ocs-metrics-exporter pod should have tolerations for OCS taint
1892206 - [GSS] Ceph image/version mismatch
1892234 - clone #95 creation failed for CephFS PVC ( 10 GB PVC size) during multiple clones creation test
1893624 - Must Gather is not collecting the tar file from NooBaa diagnose
1893691 - OCS4.6 must_gather failes to complete in 600sec
1893714 - Bad response for upload an object with encryption
1895402 - Mon pods didn't get upgraded in 720 second timeout from OCS 4.5 upgrade to 4.6
1896298 - [RFE] Monitoring for Namespace buckets and resources
1896831 - Clone#452 for RBD PVC ( PVC size 1 GB) failed to be created for 600 secs
1898521 - [CephFS] Deleting cephfsplugin pod along with app pods will make PV remain in Released state after deleting the PVC
1902627 - must-gather should wait for debug pods to be in ready state
1904171 - RGW Service is unavailable for a short period during upgrade to OCS 4.6
5. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-10-29-4 watchOS 6.1
watchOS 6.1 is now available and addresses the following:
Accounts
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8787: Steffen Klee of Secure Mobile Networking Lab at
Technische Universität Darmstadt
App Store
Available for: Apple Watch Series 1 and later
Impact: A local attacker may be able to login to the account of a
previously logged in user without valid credentials.
CVE-2019-8803: Kiyeon An, 차민규 (CHA Minkyu)
AppleFirmwareUpdateKext
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2019-8785: Ian Beer of Google Project Zero
CVE-2019-8797: 08Tc3wBB working with SSD Secure Disclosure
Contacts
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously contact may lead to UI spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7152: Oliver Paukstadt of Thinking Objects GmbH (to.com)
File System Events
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8798: ABC Research s.r.o. working with Trend Micro's Zero
Day Initiative
Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8794: 08Tc3wBB working with SSD Secure Disclosure
Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8750: found by OSS-Fuzz
VoiceOver
Available for: Apple Watch Series 1 and later
Impact: A person with physical access to an iOS device may be able to
access contacts from the lock screen
Description: The issue was addressed by restricting options offered
on a locked device.
CFNetwork
We would like to acknowledge Lily Chen of Google for their
assistance.
Safari
We would like to acknowledge Ron Summers for their assistance.
WebKit
We would like to acknowledge Zhiyi Zhang of Codesafe Team of
Legendsec at Qi'anxin Group for their assistance.
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About". Bugs fixed (https://bugzilla.redhat.com/):
1732329 - Virtual Machine is missing documentation of its properties in yaml editor
1783192 - Guest kernel panic when start RHEL6.10 guest with q35 machine type and virtio disk in cnv
1791753 - [RFE] [SSP] Template validator should check validations in template's parent template
1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1848954 - KMP missing CA extensions in cabundle of mutatingwebhookconfiguration
1848956 - KMP requires downtime for CA stabilization during certificate rotation
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1853911 - VM with dot in network name fails to start with unclear message
1854098 - NodeNetworkState on workers doesn't have "status" key due to nmstate-handler pod failure to run "nmstatectl show"
1856347 - SR-IOV : Missing network name for sriov during vm setup
1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
1859235 - Common Templates - after upgrade there are 2 common templates per each os-workload-flavor combination
1860714 - No API information from `oc explain`
1860992 - CNV upgrade - users are not removed from privileged SecurityContextConstraints
1864577 - [v2v][RHV to CNV non migratable source VM fails to import to Ceph-rbd / File system due to overhead required for Filesystem
1866593 - CDI is not handling vm disk clone
1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
1868817 - Container-native Virtualization 2.6.0 Images
1873771 - Improve the VMCreationFailed error message caused by VM low memory
1874812 - SR-IOV: Guest Agent expose link-local ipv6 address for sometime and then remove it
1878499 - DV import doesn't recover from scratch space PVC deletion
1879108 - Inconsistent naming of "oc virt" command in help text
1881874 - openshift-cnv namespace is getting stuck if the user tries to delete it while CNV is running
1883232 - Webscale: kubevirt/CNV datavolume importer pod inability to disable sidecar injection if namespace has sidecar injection enabled but VM Template does NOT
1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability
1885153 - [v2v][RHV to CNv VM import] Wrong Network mapping do not show a relevant error message
1885418 - [openshift-cnv] issues with memory overhead calculation when limits are used
1887398 - [openshift-cnv][CNV] nodes need to exist and be labeled first, *before* the NodeNetworkConfigurationPolicy is applied
1889295 - [v2v][VMware to CNV VM import API] diskMappings: volumeMode Block is not passed on to PVC request. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.10.3 security update
Advisory ID: RHSA-2022:0056-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0056
Issue date: 2022-03-10
CVE Names: CVE-2014-3577 CVE-2016-10228 CVE-2017-14502
CVE-2018-20843 CVE-2018-1000858 CVE-2019-8625
CVE-2019-8710 CVE-2019-8720 CVE-2019-8743
CVE-2019-8764 CVE-2019-8766 CVE-2019-8769
CVE-2019-8771 CVE-2019-8782 CVE-2019-8783
CVE-2019-8808 CVE-2019-8811 CVE-2019-8812
CVE-2019-8813 CVE-2019-8814 CVE-2019-8815
CVE-2019-8816 CVE-2019-8819 CVE-2019-8820
CVE-2019-8823 CVE-2019-8835 CVE-2019-8844
CVE-2019-8846 CVE-2019-9169 CVE-2019-13050
CVE-2019-13627 CVE-2019-14889 CVE-2019-15903
CVE-2019-19906 CVE-2019-20454 CVE-2019-20807
CVE-2019-25013 CVE-2020-1730 CVE-2020-3862
CVE-2020-3864 CVE-2020-3865 CVE-2020-3867
CVE-2020-3868 CVE-2020-3885 CVE-2020-3894
CVE-2020-3895 CVE-2020-3897 CVE-2020-3899
CVE-2020-3900 CVE-2020-3901 CVE-2020-3902
CVE-2020-8927 CVE-2020-9802 CVE-2020-9803
CVE-2020-9805 CVE-2020-9806 CVE-2020-9807
CVE-2020-9843 CVE-2020-9850 CVE-2020-9862
CVE-2020-9893 CVE-2020-9894 CVE-2020-9895
CVE-2020-9915 CVE-2020-9925 CVE-2020-9952
CVE-2020-10018 CVE-2020-11793 CVE-2020-13434
CVE-2020-14391 CVE-2020-15358 CVE-2020-15503
CVE-2020-25660 CVE-2020-25677 CVE-2020-27618
CVE-2020-27781 CVE-2020-29361 CVE-2020-29362
CVE-2020-29363 CVE-2021-3121 CVE-2021-3326
CVE-2021-3449 CVE-2021-3450 CVE-2021-3516
CVE-2021-3517 CVE-2021-3518 CVE-2021-3520
CVE-2021-3521 CVE-2021-3537 CVE-2021-3541
CVE-2021-3733 CVE-2021-3749 CVE-2021-20305
CVE-2021-21684 CVE-2021-22946 CVE-2021-22947
CVE-2021-25215 CVE-2021-27218 CVE-2021-30666
CVE-2021-30761 CVE-2021-30762 CVE-2021-33928
CVE-2021-33929 CVE-2021-33930 CVE-2021-33938
CVE-2021-36222 CVE-2021-37750 CVE-2021-39226
CVE-2021-41190 CVE-2021-43813 CVE-2021-44716
CVE-2021-44717 CVE-2022-0532 CVE-2022-21673
CVE-2022-24407
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 4.10.3 is now available with
updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.10.3. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/RHSA-2022:0055
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html
Security Fix(es):
* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)
* grafana: Snapshot authentication bypass (CVE-2021-39226)
* golang: net/http: limit growth of header canonicalization cache
(CVE-2021-44716)
* nodejs-axios: Regular expression denial of service in trim function
(CVE-2021-3749)
* golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)
* grafana: Forward OAuth Identity Token can allow users to access some data
sources (CVE-2022-21673)
* grafana: directory traversal vulnerability (CVE-2021-43813)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
You may download the oc tool and use it to inspect release image metadata
as follows:
(For x86_64 architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.10.3-x86_64
The image digest is
sha256:7ffe4cd612be27e355a640e5eec5cd8f923c1400d969fd590f806cffdaabcc56
(For s390x architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.10.3-s390x
The image digest is
sha256:4cf21a9399da1ce8427246f251ae5dedacfc8c746d2345f9cfe039ed9eda3e69
(For ppc64le architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.10.3-ppc64le
The image digest is
sha256:4ee571da1edf59dfee4473aa4604aba63c224bf8e6bcf57d048305babbbde93c
All OpenShift Container Platform 4.10 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html
3. Solution:
For OpenShift Container Platform 4.10 see the following documentation,
which will be updated shortly for this release, for moderate instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1808240 - Always return metrics value for pods under the user's namespace
1815189 - feature flagged UI does not always become available after operator installation
1825034 - e2e: Mock CSI tests fail on IBM ROKS clusters
1826225 - edge terminated h2 (gRPC) connections need a haproxy template change to work correctly
1860774 - csr for vSphere egress nodes were not approved automatically during cert renewal
1878106 - token inactivity timeout is not shortened after oauthclient/oauth config values are lowered
1878925 - 'oc adm upgrade --to ...' rejects versions which occur only in history, while the cluster-version operator supports history fallback
1880738 - origin e2e test deletes original worker
1882983 - oVirt csi driver should refuse to provision RWX and ROX PV
1886450 - Keepalived router id check not documented for RHV/VMware IPI
1889488 - The metrics endpoint for the Scheduler is not protected by RBAC
1894431 - Router pods fail to boot if the SSL certificate applied is missing an empty line at the bottom
1896474 - Path based routing is broken for some combinations
1897431 - CIDR support for additional network attachment with the bridge CNI plug-in
1903408 - NodePort externalTrafficPolicy does not work for ovn-kubernetes
1907433 - Excessive logging in image operator
1909906 - The router fails with PANIC error when stats port already in use
1911173 - [MSTR-998] Many charts' legend names show {{}} instead of words
1914053 - pods assigned with Multus whereabouts IP get stuck in ContainerCreating state after node rebooting.
1916169 - a reboot while MCO is applying changes leaves the node in undesirable state and MCP looks fine (UPDATED=true)
1917893 - [ovirt] install fails: due to terraform error "Cannot attach Virtual Disk: Disk is locked" on vm resource
1921627 - GCP UPI installation failed due to exceeding gcp limitation of instance group name
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1926522 - oc adm catalog does not clean temporary files
1927478 - Default CatalogSources deployed by marketplace do not have toleration for tainted nodes.
1928141 - kube-storage-version-migrator constantly reporting type "Upgradeable" status Unknown
1928285 - [LSO][OCS][arbiter] OCP Console shows no results while in fact underlying setup of LSO localvolumeset and it's storageclass is not yet finished, confusing users
1931594 - [sig-cli] oc --request-timeout works as expected fails frequently on s390x
1933847 - Prometheus goes unavailable (both instances down) during 4.8 upgrade
1937085 - RHV UPI inventory playbook missing guarantee_memory
1937196 - [aws ebs csi driver] events for block volume expansion may cause confusion
1938236 - vsphere-problem-detector does not support overriding log levels via storage CR
1939401 - missed labels for CMO/openshift-state-metric/telemeter-client/thanos-querier pods
1939435 - Setting an IPv6 address in noProxy field causes error in openshift installer
1939552 - [sig-api-machinery] CustomResourcePublishOpenAPI [Privileged:ClusterAdmin] works for CRD preserving unknown fields in an embedded object [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]
1942913 - ThanosSidecarUnhealthy isn't resilient to WAL replays.
1943363 - [ovn] CNO should gracefully terminate ovn-northd
1945274 - ostree-finalize-staged.service failed while upgrading a rhcos node to 4.6.17
1948080 - authentication should not set Available=False APIServices_Error with 503s
1949262 - Prometheus Statefulsets should have 2 replicas and hard affinity set
1949672 - [GCP] Update 4.8 UPI template to match ignition version: 3.2.0
1950827 - [LSO] localvolumediscoveryresult name is not friendly to customer
1952576 - csv_succeeded metric not present in olm-operator for all successful CSVs
1953264 - "remote error: tls: bad certificate" logs in prometheus-operator container
1955300 - Machine config operator reports unavailable for 23m during upgrade
1955489 - Alertmanager Statefulsets should have 2 replicas and hard affinity set
1955490 - Thanos ruler Statefulsets should have 2 replicas and hard affinity set
1955544 - [IPI][OSP] densed master-only installation with 0 workers fails due to missing worker security group on masters
1956496 - Needs SR-IOV Docs Upstream
1956739 - Permission for authorized_keys for core user changes from core user to root when changed the pull secret
1956776 - [vSphere] Installer should do pre-check to ensure user-provided network name is valid
1956964 - upload a boot-source to OpenShift virtualization using the console
1957547 - [RFE]VM name is not auto filled in dev console
1958349 - ovn-controller doesn't release the memory after cluster-density run
1959352 - [scale] failed to get pod annotation: timed out waiting for annotations
1960378 - icsp allows mirroring of registry root - install-config imageContentSources does not
1960674 - Broken test: [sig-imageregistry][Serial][Suite:openshift/registry/serial] Image signature workflow can push a signed image to openshift registry and verify it [Suite:openshift/conformance/serial]
1961317 - storage ClusterOperator does not declare ClusterRoleBindings in relatedObjects
1961391 - String updates
1961509 - DHCP daemon pod should have CPU and memory requests set but not limits
1962066 - Edit machine/machineset specs not working
1962206 - openshift-multus/dhcp-daemon set should meet platform requirements for update strategy that have maxUnavailable update of 10 or 33 percent
1963053 - `oc whoami --show-console` should show the web console URL, not the server api URL
1964112 - route SimpleAllocationPlugin: host name validation errors: spec.host: Invalid value: ... must be no more than 63 characters
1964327 - Support containers with name:tag@digest
1964789 - Send keys and disconnect does not work for VNC console
1965368 - ClusterQuotaAdmission received non-meta object - message constantly reported in OpenShift Container Platform 4.7
1966445 - Unmasking a service doesn't work if it masked using MCO
1966477 - Use GA version in KAS/OAS/OauthAS to avoid: "audit.k8s.io/v1beta1" is deprecated and will be removed in a future release, use "audit.k8s.io/v1" instead
1966521 - kube-proxy's userspace implementation consumes excessive CPU
1968364 - [Azure] when using ssh type ed25519 bootstrap fails to come up
1970021 - nmstate does not persist its configuration due to overlay systemd-connections-merged mount
1970218 - MCO writes incorrect file contents if compression field is specified
1970331 - [sig-auth][Feature:SCC][Early] should not have pod creation failures during install [Suite:openshift/conformance/parallel]
1970805 - Cannot create build when docker image url contains dir structure
1972033 - [azure] PV region node affinity is failure-domain.beta.kubernetes.io instead of topology.kubernetes.io
1972827 - image registry does not remain available during upgrade
1972962 - Should set the minimum value for the `--max-icsp-size` flag of `oc adm catalog mirror`
1973447 - ovn-dbchecker peak memory spikes to ~500MiB during cluster-density run
1975826 - ovn-kubernetes host directed traffic cannot be offloaded as CT zone 64000 is not established
1976301 - [ci] e2e-azure-upi is permafailing
1976399 - During the upgrade from OpenShift 4.5 to OpenShift 4.6 the election timers for the OVN north and south databases did not change.
1976674 - CCO didn't set Upgradeable to False when cco mode is configured to Manual on azure platform
1976894 - Unidling a StatefulSet does not work as expected
1977319 - [Hive] Remove stale cruft installed by CVO in earlier releases
1977414 - Build Config timed out waiting for condition 400: Bad Request
1977929 - [RFE] Display Network Attachment Definitions from openshift-multus namespace during OCS deployment via UI using Multus
1978528 - systemd-coredump started and failed intermittently for unknown reasons
1978581 - machine-config-operator: remove runlevel from mco namespace
1979562 - Cluster operators: don't show messages when neither progressing, degraded or unavailable
1979962 - AWS SDN Network Stress tests have not passed in 4.9 release-openshift-origin-installer-e2e-aws-sdn-network-stress-4.9
1979966 - OCP builds always fail when run on RHEL7 nodes
1981396 - Deleting pool inside pool page the pool stays in Ready phase in the heading
1981549 - Machine-config daemon does not recover from broken Proxy configuration
1981867 - [sig-cli] oc explain should contain proper fields description for special types [Suite:openshift/conformance/parallel]
1981941 - Terraform upgrade required in openshift-installer to resolve multiple issues
1982063 - 'Control Plane' is not translated in Simplified Chinese language in Home->Overview page
1982498 - Default registry credential path should be adjusted to use containers/auth.json for oc commands
1982662 - Workloads - DaemonSets - Add storage: i18n misses
1982726 - kube-apiserver audit logs show a lot of 404 errors for DELETE "*/secrets/encryption-config" on single node clusters
1983758 - upgrades are failing on disruptive tests
1983964 - Need Device plugin configuration for the NIC "needVhostNet" & "isRdma"
1984592 - global pull secret not working in OCP4.7.4+ for additional private registries
1985073 - new-in-4.8 ExtremelyHighIndividualControlPlaneCPU fires on some GCP update jobs
1985486 - Cluster Proxy not used during installation on OSP with Kuryr
1985724 - VM Details Page missing translations
1985838 - [OVN] CNO exportNetworkFlows does not clear collectors when deleted
1985933 - Downstream image registry recommendation
1985965 - oVirt CSI driver does not report volume stats
1986216 - [scale] SNO: Slow Pod recovery due to "timed out waiting for OVS port binding"
1986237 - "MachineNotYetDeleted" in Pending state , alert not fired
1986239 - crictl create fails with "PID namespace requested, but sandbox infra container invalid"
1986302 - console continues to fetch prometheus alert and silences for normal user
1986314 - Current MTV installation for KubeVirt import flow creates unusable Forklift UI
1986338 - error creating list of resources in Import YAML
1986502 - yaml multi file dnd duplicates previous dragged files
1986819 - fix string typos for hot-plug disks
1987044 - [OCPV48] Shutoff VM is being shown as "Starting" in WebUI when using spec.runStrategy Manual/RerunOnFailure
1987136 - Declare operatorframework.io/arch.* labels for all operators
1987257 - Go-http-client user-agent being used for oc adm mirror requests
1987263 - fsSpaceFillingUpWarningThreshold not aligned to Kubernetes Garbage Collection Threshold
1987445 - MetalLB integration: All gateway routers in the cluster answer ARP requests for LoadBalancer services IP
1988406 - SSH key dropped when selecting "Customize virtual machine" in UI
1988440 - Network operator changes ovnkube-config too early causing ovnkube-master pods to crashloop during cluster upgrade
1988483 - Azure drop ICMP need to frag FRAG when using OVN: openshift-apiserver becomes False after env runs some time due to communication between one master to pods on another master fails with "Unable to connect to the server"
1988879 - Virtual media based deployment fails on Dell servers due to pending Lifecycle Controller jobs
1989438 - expected replicas is wrong
1989502 - Developer Catalog is disappearing after short time
1989843 - 'More' and 'Show Less' functions are not translated on several page
1990014 - oc debug <pod-name> does not work for Windows pods
1990190 - e2e testing failed with basic manifest: reason/ExternalProvisioning waiting for a volume to be created
1990193 - 'more' and 'Show Less' is not being translated on Home -> Search page
1990255 - Partial or all of the Nodes/StorageClasses don't appear back on UI after text is removed from search bar
1990489 - etcdHighNumberOfFailedGRPCRequests fires only on metal env in CI
1990506 - Missing udev rules in initramfs for /dev/disk/by-id/scsi-* symlinks
1990556 - get-resources.sh doesn't honor the no_proxy settings even with no_proxy var
1990625 - Ironic agent registers with SLAAC address with privacy-stable
1990635 - CVO does not recognize the channel change if desired version and channel changed at the same time
1991067 - github.com can not be resolved inside pods where cluster is running on openstack.
1991573 - Enable typescript strictNullCheck on network-policies files
1991641 - Baremetal Cluster Operator still Available After Delete Provisioning
1991770 - The logLevel and operatorLogLevel values do not work with Cloud Credential Operator
1991819 - Misspelled word "ocurred" in oc inspect cmd
1991942 - Alignment and spacing fixes
1992414 - Two rootdisks show on storage step if 'This is a CD-ROM boot source' is checked
1992453 - The configMap failed to save on VM environment tab
1992466 - The button 'Save' and 'Reload' are not translated on vm environment tab
1992475 - The button 'Open console in New Window' and 'Disconnect' are not translated on vm console tab
1992509 - Could not customize boot source due to source PVC not found
1992541 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines
1992580 - storageProfile should stay with the same value by check/uncheck the apply button
1992592 - list-type missing in oauth.config.openshift.io for identityProviders breaking Server Side Apply
1992777 - [IBMCLOUD] Default "ibm_iam_authorization_policy" is not working as expected in all scenarios
1993364 - cluster destruction fails to remove router in BYON with Kuryr as primary network (even after BZ 1940159 got fixed)
1993376 - periodic-ci-openshift-release-master-ci-4.6-upgrade-from-stable-4.5-e2e-azure-upgrade is permfailing
1994094 - Some hardcodes are detected at the code level in OpenShift console components
1994142 - Missing required cloud config fields for IBM Cloud
1994733 - MetalLB: IP address is not assigned to service if there is duplicate IP address in two address pools
1995021 - resolv.conf and corefile sync slows down/stops after keepalived container restart
1995335 - [SCALE] ovnkube CNI: remove ovs flows check
1995493 - Add Secret to workload button and Actions button are not aligned on secret details page
1995531 - Create RDO-based Ironic image to be promoted to OKD
1995545 - Project drop-down amalgamates inside main screen while creating storage system for odf-operator
1995887 - [OVN]After reboot egress node, lr-policy-list was not correct, some duplicate records or missed internal IPs
1995924 - CMO should report `Upgradeable: false` when HA workload is incorrectly spread
1996023 - kubernetes.io/hostname values are larger than filter when create localvolumeset from webconsole
1996108 - Allow backwards compatibility of shared gateway mode to inject host-based routes into OVN
1996624 - 100% of the cco-metrics/cco-metrics targets in openshift-cloud-credential-operator namespace are down
1996630 - Fail to delete the first Authorized SSH Key input box on Advanced page
1996647 - Provide more useful degraded message in auth operator on DNS errors
1996736 - Large number of 501 lr-policies in INCI2 env
1996886 - timedout waiting for flows during pod creation and ovn-controller pegged on worker nodes
1996916 - Special Resource Operator(SRO) - Fail to deploy simple-kmod on GCP
1996928 - Enable default operator indexes on ARM
1997028 - prometheus-operator update removes env var support for thanos-sidecar
1997059 - Failed to create cluster in AWS us-east-1 region due to a local zone is used
1997226 - Ingresscontroller reconcilations failing but not shown in operator logs or status of ingresscontroller.
1997245 - "Subscription already exists in openshift-storage namespace" error message is seen while installing odf-operator via UI
1997269 - Have to refresh console to install kube-descheduler
1997478 - Storage operator is not available after reboot cluster instances
1997509 - flake: [sig-cli] oc builds new-build [Skipped:Disconnected] [Suite:openshift/conformance/parallel]
1997967 - storageClass is not reserved from default wizard to customize wizard
1998035 - openstack IPI CI: custom var-lib-etcd.mount (ramdisk) unit is racing due to incomplete After/Before order
1998038 - [e2e][automation] add tests for UI for VM disk hot-plug
1998087 - Fix CephHealthCheck wrapping contents and add data-tests for HealthItem and SecondaryStatus
1998174 - Create storageclass gp3-csi after install ocp cluster on aws
1998183 - "r: Bad Gateway" info is improper
1998235 - Firefox warning: Cookie “csrf-token” will be soon rejected
1998377 - Filesystem table head is not full displayed in disk tab
1998378 - Virtual Machine is 'Not available' in Home -> Overview -> Cluster inventory
1998519 - Add fstype when create localvolumeset instance on web console
1998951 - Keepalived conf ingress peer on in Dual stack cluster contains both IPv6 and IPv4 addresses
1999076 - [UI] Page Not Found error when clicking on Storage link provided in Overview page
1999079 - creating pods before sriovnetworknodepolicy sync up succeed will cause node unschedulable
1999091 - Console update toast notification can appear multiple times
1999133 - removing and recreating static pod manifest leaves pod in error state
1999246 - .indexignore is not ingore when oc command load dc configuration
1999250 - ArgoCD in GitOps operator can't manage namespaces
1999255 - ovnkube-node always crashes out the first time it starts
1999261 - ovnkube-node log spam (and security token leak?)
1999309 - While installing odf-operator via UI, web console update pop-up navigates to OperatorHub -> Operator Installation page
1999314 - console-operator is slow to mark Degraded as False once console starts working
1999425 - kube-apiserver with "[SHOULD NOT HAPPEN] failed to update managedFields" err="failed to convert new object (machine.openshift.io/v1beta1, Kind=MachineHealthCheck)
1999556 - "master" pool should be updated before the CVO reports available at the new version occurred
1999578 - AWS EFS CSI tests are constantly failing
1999603 - Memory Manager allows Guaranteed QoS Pod with hugepages requested is exactly equal to the left over Hugepages
1999619 - cloudinit is malformatted if a user sets a password during VM creation flow
1999621 - Empty ssh_authorized_keys entry is added to VM's cloudinit if created from a customize flow
1999649 - MetalLB: Only one type of IP address can be assigned to service on dual stack cluster from a address pool that have both IPv4 and IPv6 addresses defined
1999668 - openshift-install destroy cluster panic's when given invalid credentials to cloud provider (Azure Stack Hub)
1999734 - IBM Cloud CIS Instance CRN missing in infrastructure manifest/resource
1999771 - revert "force cert rotation every couple days for development" in 4.10
1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function
1999796 - Openshift Console `Helm` tab is not showing helm releases in a namespace when there is high number of deployments in the same namespace.
1999836 - Admin web-console inconsistent status summary of sparse ClusterOperator conditions
1999903 - Click "This is a CD-ROM boot source" ticking "Use template size PVC" on pvc upload form
1999983 - No way to clear upload error from template boot source
2000081 - [IPI baremetal] The metal3 pod failed to restart when switching from Disabled to Managed provisioning without specifying provisioningInterface parameter
2000096 - Git URL is not re-validated on edit build-config form reload
2000216 - Successfully imported ImageStreams are not resolved in DeploymentConfig
2000236 - Confusing usage message from dynkeepalived CLI
2000268 - Mark cluster unupgradable if vcenter, esxi versions or HW versions are unsupported
2000430 - bump cluster-api-provider-ovirt version in installer
2000450 - 4.10: Enable static PV multi-az test
2000490 - All critical alerts shipped by CMO should have links to a runbook
2000521 - Kube-apiserver CO degraded due to failed conditional check (ConfigObservationDegraded)
2000573 - Incorrect StorageCluster CR created and ODF cluster getting installed with 2 Zone OCP cluster
2000628 - ibm-flashsystem-storage-storagesystem got created without any warning even when the attempt was cancelled
2000651 - ImageStreamTag alias results in wrong tag and invalid link in Web Console
2000754 - IPerf2 tests should be lower
2000846 - Structure logs in the entire codebase of Local Storage Operator
2000872 - [tracker] container is not able to list on some directories within the nfs after upgrade to 4.7.24
2000877 - OCP ignores STOPSIGNAL in Dockerfile and sends SIGTERM
2000938 - CVO does not respect changes to a Deployment strategy
2000963 - 'Inline-volume (default fs)] volumes should store data' tests are failing on OKD with updated selinux-policy
2001008 - [MachineSets] CloneMode defaults to linkedClone, but I don't have snapshot and should be fullClone
2001240 - Remove response headers for downloads of binaries from OpenShift WebConsole
2001295 - Remove openshift:kubevirt-machine-controllers decleration from machine-api
2001317 - OCP Platform Quota Check - Inaccurate MissingQuota error
2001337 - Details Card in ODF Dashboard mentions OCS
2001339 - fix text content hotplug
2001413 - [e2e][automation] add/delete nic and disk to template
2001441 - Test: oc adm must-gather runs successfully for audit logs - fail due to startup log
2001442 - Empty termination.log file for the kube-apiserver has too permissive mode
2001479 - IBM Cloud DNS unable to create/update records
2001566 - Enable alerts for prometheus operator in UWM
2001575 - Clicking on the perspective switcher shows a white page with loader
2001577 - Quick search placeholder is not displayed properly when the search string is removed
2001578 - [e2e][automation] add tests for vm dashboard tab
2001605 - PVs remain in Released state for a long time after the claim is deleted
2001617 - BucketClass Creation is restricted on 1st page but enabled using side navigation options
2001620 - Cluster becomes degraded if it can't talk to Manila
2001760 - While creating 'Backing Store', 'Bucket Class', 'Namespace Store' user is navigated to 'Installed Operators' page after clicking on ODF
2001761 - Unable to apply cluster operator storage for SNO on GCP platform.
2001765 - Some error message in the log of diskmaker-manager caused confusion
2001784 - show loading page before final results instead of showing a transient message No log files exist
2001804 - Reload feature on Environment section in Build Config form does not work properly
2001810 - cluster admin unable to view BuildConfigs in all namespaces
2001817 - Failed to load RoleBindings list that will lead to ‘Role name’ is not able to be selected on Create RoleBinding page as well
2001823 - OCM controller must update operator status
2001825 - [SNO]ingress/authentication clusteroperator degraded when enable ccm from start
2001835 - Could not select image tag version when create app from dev console
2001855 - Add capacity is disabled for ocs-storagecluster
2001856 - Repeating event: MissingVersion no image found for operand pod
2001959 - Side nav list borders don't extend to edges of container
2002007 - Layout issue on "Something went wrong" page
2002010 - ovn-kube may never attempt to retry a pod creation
2002012 - Cannot change volume mode when cloning a VM from a template
2002027 - Two instances of Dotnet helm chart show as one in topology
2002075 - opm render does not automatically pulling in the image(s) used in the deployments
2002121 - [OVN] upgrades failed for IPI OSP16 OVN IPSec cluster
2002125 - Network policy details page heading should be updated to Network Policy details
2002133 - [e2e][automation] add support/virtualization and improve deleteResource
2002134 - [e2e][automation] add test to verify vm details tab
2002215 - Multipath day1 not working on s390x
2002238 - Image stream tag is not persisted when switching from yaml to form editor
2002262 - [vSphere] Incorrect user agent in vCenter sessions list
2002266 - SinkBinding create form doesn't allow to use subject name, instead of label selector
2002276 - OLM fails to upgrade operators immediately
2002300 - Altering the Schedule Profile configurations doesn't affect the placement of the pods
2002354 - Missing DU configuration "Done" status reporting during ZTP flow
2002362 - Dynamic Plugin - ConsoleRemotePlugin for webpack doesn't use commonjs
2002368 - samples should not go degraded when image allowedRegistries blocks imagestream creation
2002372 - Pod creation failed due to mismatched pod IP address in CNI and OVN
2002397 - Resources search is inconsistent
2002434 - CRI-O leaks some children PIDs
2002443 - Getting undefined error on create local volume set page
2002461 - DNS operator performs spurious updates in response to API's defaulting of service's internalTrafficPolicy
2002504 - When the openshift-cluster-storage-operator is degraded because of "VSphereProblemDetectorController_SyncError", the insights operator is not sending the logs from all pods.
2002559 - User preference for topology list view does not follow when a new namespace is created
2002567 - Upstream SR-IOV worker doc has broken links
2002588 - Change text to be sentence case to align with PF
2002657 - ovn-kube egress IP monitoring is using a random port over the node network
2002713 - CNO: OVN logs should have millisecond resolution
2002748 - [ICNI2] 'ErrorAddingLogicalPort' failed to handle external GW check: timeout waiting for namespace event
2002759 - Custom profile should not allow not including at least one required HTTP2 ciphersuite
2002763 - Two storage systems getting created with external mode RHCS
2002808 - KCM does not use web identity credentials
2002834 - Cluster-version operator does not remove unrecognized volume mounts
2002896 - Incorrect result return when user filter data by name on search page
2002950 - Why spec.containers.command is not created with "oc create deploymentconfig <dc-name> --image=<image> -- <command>"
2003096 - [e2e][automation] check bootsource URL is displaying on review step
2003113 - OpenShift Baremetal IPI installer uses first three defined nodes under hosts in install-config for master nodes instead of filtering the hosts with the master role
2003120 - CI: Uncaught error with ResizeObserver on operand details page
2003145 - Duplicate operand tab titles causes "two children with the same key" warning
2003164 - OLM, fatal error: concurrent map writes
2003178 - [FLAKE][knative] The UI doesn't show updated traffic distribution after accepting the form
2003193 - Kubelet/crio leaks netns and veth ports in the host
2003195 - OVN CNI should ensure host veths are removed
2003204 - Jenkins all new container images (openshift4/ose-jenkins) not supporting '-e JENKINS_PASSWORD=password' ENV which was working for old container images
2003206 - Namespace stuck terminating: Failed to delete all resource types, 1 remaining: unexpected items still remain in namespace
2003239 - "[sig-builds][Feature:Builds][Slow] can use private repositories as build input" tests fail outside of CI
2003244 - Revert libovsdb client code
2003251 - Patternfly components with list element has list item bullet when they should not.
2003252 - "[sig-builds][Feature:Builds][Slow] starting a build using CLI start-build test context override environment BUILD_LOGLEVEL in buildconfig" tests do not work as expected outside of CI
2003269 - Rejected pods should be filtered from admission regression
2003357 - QE- Removing the epic tags for gherkin tags related to 4.9 Release
2003426 - [e2e][automation] add test for vm details bootorder
2003496 - [e2e][automation] add test for vm resources requirment settings
2003641 - All metal ipi jobs are failing in 4.10
2003651 - ODF4.9+LSO4.8 installation via UI, StorageCluster move to error state
2003655 - [IPI ON-PREM] Keepalived chk_default_ingress track script failed even though default router pod runs on node
2003683 - Samples operator is panicking in CI
2003711 - [UI] Empty file ceph-external-cluster-details-exporter.py downloaded from external cluster "Connection Details" page
2003715 - Error on creating local volume set after selection of the volume mode
2003743 - Remove workaround keeping /boot RW for kdump support
2003775 - etcd pod on CrashLoopBackOff after master replacement procedure
2003788 - CSR reconciler report error constantly when BYOH CSR approved by other Approver
2003792 - Monitoring metrics query graph flyover panel is useless
2003808 - Add Sprint 207 translations
2003845 - Project admin cannot access image vulnerabilities view
2003859 - sdn emits events with garbage messages
2003896 - (release-4.10) ApiRequestCounts conditional gatherer
2004009 - 4.10: Fix multi-az zone scheduling e2e for 5 control plane replicas
2004051 - CMO can report as being Degraded while node-exporter is deployed on all nodes
2004059 - [e2e][automation] fix current tests for downstream
2004060 - Trying to use basic spring boot sample causes crash on Firefox
2004101 - [UI] When creating storageSystem deployment type dropdown under advanced setting doesn't close after selection
2004127 - [flake] openshift-controller-manager event reason/SuccessfulDelete occurs too frequently
2004203 - build config's created prior to 4.8 with image change triggers can result in trigger storm in OCM/openshift-apiserver
2004313 - [RHOCP 4.9.0-rc.0] Failing to deploy Azure cluster from the macOS installer - ignition_bootstrap.ign: no such file or directory
2004449 - Boot option recovery menu prevents image boot
2004451 - The backup filename displayed in the RecentBackup message is incorrect
2004459 - QE - Modified the AddFlow gherkin scripts and automation scripts
2004508 - TuneD issues with the recent ConfigParser changes.
2004510 - openshift-gitops operator hooks gets unauthorized (401) errors during jobs executions
2004542 - [osp][octavia lb] cannot create LoadBalancer type svcs
2004578 - Monitoring and node labels missing for an external storage platform
2004585 - prometheus-k8s-0 cpu usage keeps increasing for the first 3 days
2004596 - [4.10] Bootimage bump tracker
2004597 - Duplicate ramdisk log containers running
2004600 - Duplicate ramdisk log containers running
2004609 - output of "crictl inspectp" is not complete
2004625 - BMC credentials could be logged if they change
2004632 - When LE takes a large amount of time, multiple whereabouts are seen
2004721 - ptp/worker custom threshold doesn't change ptp events threshold
2004736 - [knative] Create button on new Broker form is inactive despite form being filled
2004796 - [e2e][automation] add test for vm scheduling policy
2004814 - (release-4.10) OCM controller - change type of the etc-pki-entitlement secret to opaque
2004870 - [External Mode] Insufficient spacing along y-axis in RGW Latency Performance Card
2004901 - [e2e][automation] improve kubevirt devconsole tests
2004962 - Console frontend job consuming too much CPU in CI
2005014 - state of ODF StorageSystem is misreported during installation or uninstallation
2005052 - Adding a MachineSet selector matchLabel causes orphaned Machines
2005179 - pods status filter is not taking effect
2005182 - sync list of deprecated apis about to be removed
2005282 - Storage cluster name is given as title in StorageSystem details page
2005355 - setuptools 58 makes Kuryr CI fail
2005407 - ClusterNotUpgradeable Alert should be set to Severity Info
2005415 - PTP operator with sidecar api configured throws bind: address already in use
2005507 - SNO spoke cluster failing to reach coreos.live.rootfs_url is missing url in console
2005554 - The switch status of the button "Show default project" is not revealed correctly in code
2005581 - 4.8.12 to 4.9 upgrade hung due to cluster-version-operator pod CrashLoopBackOff: error creating clients: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2005761 - QE - Implementing crw-basic feature file
2005783 - Fix accessibility issues in the "Internal" and "Internal - Attached Mode" Installation Flow
2005811 - vSphere Problem Detector operator - ServerFaultCode: InvalidProperty
2005854 - SSH NodePort service is created for each VM
2005901 - KS, KCM and KA going Degraded during master nodes upgrade
2005902 - Current UI flow for MCG only deployment is confusing and doesn't reciprocate any message to the end-user
2005926 - PTP operator NodeOutOfPTPSync rule is using max offset from the master instead of openshift_ptp_clock_state metrics
2005971 - Change telemeter to report the Application Services product usage metrics
2005997 - SELinux domain container_logreader_t does not have a policy to follow sym links for log files
2006025 - Description to use an existing StorageClass while creating StorageSystem needs to be re-phrased
2006060 - ocs-storagecluster-storagesystem details are missing on UI for MCG Only and MCG only in LSO mode deployment types
2006101 - Power off fails for drivers that don't support Soft power off
2006243 - Metal IPI upgrade jobs are running out of disk space
2006291 - bootstrapProvisioningIP set incorrectly when provisioningNetworkCIDR doesn't use the 0th address
2006308 - Backing Store YAML tab on click displays a blank screen on UI
2006325 - Multicast is broken across nodes
2006329 - Console only allows Web Terminal Operator to be installed in OpenShift Operators
2006364 - IBM Cloud: Set resourceGroupId for resourceGroups, not simply resource
2006561 - [sig-instrumentation] Prometheus when installed on the cluster shouldn't have failing rules evaluation [Skipped:Disconnected] [Suite:openshift/conformance/parallel]
2006690 - OS boot failure "x64 Exception Type 06 - Invalid Opcode Exception"
2006714 - add retry for etcd errors in kube-apiserver
2006767 - KubePodCrashLooping may not fire
2006803 - Set CoreDNS cache entries for forwarded zones
2006861 - Add Sprint 207 part 2 translations
2006945 - race condition can cause crashlooping bootstrap kube-apiserver in cluster-bootstrap
2006947 - e2e-aws-proxy for 4.10 is permafailing with samples operator errors
2006975 - clusteroperator/etcd status condition should not change reasons frequently due to EtcdEndpointsDegraded
2007085 - Intermittent failure mounting /run/media/iso when booting live ISO from USB stick
2007136 - Creation of BackingStore, BucketClass, NamespaceStore fails
2007271 - CI Integration for Knative test cases
2007289 - kubevirt tests are failing in CI
2007322 - Devfile/Dockerfile import does not work for unsupported git host
2007328 - Updated patternfly to v4.125.3 and pf.quickstarts to v1.2.3.
2007379 - Events are not generated for master offset for ordinary clock
2007443 - [ICNI 2.0] Loadbalancer pods do not establish BFD sessions with all workers that host pods for the routed namespace
2007455 - cluster-etcd-operator: render command should fail if machineCidr contains reserved address
2007495 - Large label value for the metric kubelet_started_pods_errors_total with label message when there is a error
2007522 - No new local-storage-operator-metadata-container is build for 4.10
2007551 - No new ose-aws-efs-csi-driver-operator-bundle-container is build for 4.10
2007580 - Azure cilium installs are failing e2e tests
2007581 - Too many haproxy processes in default-router pod causing high load average after upgrade from v4.8.3 to v4.8.10
2007677 - Regression: core container io performance metrics are missing for pod, qos, and system slices on nodes
2007692 - 4.9 "old-rhcos" jobs are permafailing with storage test failures
2007710 - ci/prow/e2e-agnostic-cmd job is failing on prow
2007757 - must-gather extracts imagestreams in the "openshift" namespace, but not Templates
2007802 - AWS machine actuator get stuck if machine is completely missing
2008096 - TestAWSFinalizerDeleteS3Bucket sometimes fails to teardown operator
2008119 - The serviceAccountIssuer field on Authentication CR is reseted to “” when installation process
2008151 - Topology breaks on clicking in empty state
2008185 - Console operator go.mod should use go 1.16.version
2008201 - openstack-az job is failing on haproxy idle test
2008207 - vsphere CSI driver doesn't set resource limits
2008223 - gather_audit_logs: fix oc command line to get the current audit profile
2008235 - The Save button in the Edit DC form remains disabled
2008256 - Update Internationalization README with scope info
2008321 - Add correct documentation link for MON_DISK_LOW
2008462 - Disable PodSecurity feature gate for 4.10
2008490 - Backing store details page does not contain all the kebab actions.
2008521 - gcp-hostname service should correct invalid search entries in resolv.conf
2008532 - CreateContainerConfigError:: failed to prepare subPath for volumeMount
2008539 - Registry doesn't fall back to secondary ImageContentSourcePolicy Mirror
2008540 - HighlyAvailableWorkloadIncorrectlySpread always fires on upgrade on cluster with two workers
2008599 - Azure Stack UPI does not have Internal Load Balancer
2008612 - Plugin asset proxy does not pass through browser cache headers
2008712 - VPA webhook timeout prevents all pods from starting
2008733 - kube-scheduler: exposed /debug/pprof port
2008911 - Prometheus repeatedly scaling prometheus-operator replica set
2008926 - [sig-api-machinery] API data in etcd should be stored at the correct location and version for all resources [Serial] [Suite:openshift/conformance/serial]
2008987 - OpenShift SDN Hosted Egress IP's are not being scheduled to nodes after upgrade to 4.8.12
2009055 - Instances of OCS to be replaced with ODF on UI
2009078 - NetworkPodsCrashLooping alerts in upgrade CI jobs
2009083 - opm blocks pruning of existing bundles during add
2009111 - [IPI-on-GCP] 'Install a cluster with nested virtualization enabled' failed due to unable to launch compute instances
2009131 - [e2e][automation] add more test about vmi
2009148 - [e2e][automation] test vm nic presets and options
2009233 - ACM policy object generated by PolicyGen conflicting with OLM Operator
2009253 - [BM] [IPI] [DualStack] apiVIP and ingressVIP should be of the same primary IP family
2009298 - Service created for VM SSH access is not owned by the VM and thus is not deleted if the VM is deleted
2009384 - UI changes to support BindableKinds CRD changes
2009404 - ovnkube-node pod enters CrashLoopBackOff after OVN_IMAGE is swapped
2009424 - Deployment upgrade is failing availability check
2009454 - Change web terminal subscription permissions from get to list
2009465 - container-selinux should come from rhel8-appstream
2009514 - Bump OVS to 2.16-15
2009555 - Supermicro X11 system not booting from vMedia with AI
2009623 - Console: Observe > Metrics page: Table pagination menu shows bullet points
2009664 - Git Import: Edit of knative service doesn't work as expected for git import flow
2009699 - Failure to validate flavor RAM
2009754 - Footer is not sticky anymore in import forms
2009785 - CRI-O's version file should be pinned by MCO
2009791 - Installer: ibmcloud ignores install-config values
2009823 - [sig-arch] events should not repeat pathologically - reason/VSphereOlderVersionDetected Marking cluster un-upgradeable because one or more VMs are on hardware version vmx-13
2009840 - cannot build extensions on aarch64 because of unavailability of rhel-8-advanced-virt repo
2009859 - Large number of sessions created by vmware-vsphere-csi-driver-operator during e2e tests
2009873 - Stale Logical Router Policies and Annotations for a given node
2009879 - There should be test-suite coverage to ensure admin-acks work as expected
2009888 - SRO package name collision between official and community version
2010073 - uninstalling and then reinstalling sriov-network-operator is not working
2010174 - 2 PVs get created unexpectedly with different paths that actually refer to the same device on the node.
2010181 - Environment variables not getting reset on reload on deployment edit form
2010310 - [sig-instrumentation][Late] OpenShift alerting rules should have description and summary annotations [Skipped:Disconnected] [Suite:openshift/conformance/parallel]
2010341 - OpenShift Alerting Rules Style-Guide Compliance
2010342 - Local console builds can have out of memory errors
2010345 - OpenShift Alerting Rules Style-Guide Compliance
2010348 - Reverts PIE build mode for K8S components
2010352 - OpenShift Alerting Rules Style-Guide Compliance
2010354 - OpenShift Alerting Rules Style-Guide Compliance
2010359 - OpenShift Alerting Rules Style-Guide Compliance
2010368 - OpenShift Alerting Rules Style-Guide Compliance
2010376 - OpenShift Alerting Rules Style-Guide Compliance
2010662 - Cluster is unhealthy after image-registry-operator tests
2010663 - OpenShift Alerting Rules Style-Guide Compliance (ovn-kubernetes subcomponent)
2010665 - Bootkube tries to use oc after cluster bootstrap is done and there is no API
2010698 - [BM] [IPI] [Dual Stack] Installer must ensure ipv6 short forms too if clusterprovisioning IP is specified as ipv6 address
2010719 - etcdHighNumberOfFailedGRPCRequests runbook is missing
2010864 - Failure building EFS operator
2010910 - ptp worker events unable to identify interface for multiple interfaces
2010911 - RenderOperatingSystem() returns wrong OS version on OCP 4.7.24
2010921 - Azure Stack Hub does not handle additionalTrustBundle
2010931 - SRO CSV uses non default category "Drivers and plugins"
2010946 - concurrent CRD from ovirt-csi-driver-operator gets reconciled by CVO after deployment, changing CR as well.
2011038 - optional operator conditions are confusing
2011063 - CVE-2021-39226 grafana: Snapshot authentication bypass
2011171 - diskmaker-manager constantly redeployed by LSO when creating LV's
2011293 - Build pod are not pulling images if we are not explicitly giving the registry name with the image
2011368 - Tooltip in pipeline visualization shows misleading data
2011386 - [sig-arch] Check if alerts are firing during or after upgrade success --- alert KubePodNotReady fired for 60 seconds with labels
2011411 - Managed Service's Cluster overview page contains link to missing Storage dashboards
2011443 - Cypress tests assuming Admin Perspective could fail on shared/reference cluster
2011513 - Kubelet rejects pods that use resources that should be freed by completed pods
2011668 - Machine stuck in deleting phase in VMware "reconciler failed to Delete machine"
2011693 - (release-4.10) "insightsclient_request_recvreport_total" metric is always incremented
2011698 - After upgrading cluster to 4.8 the kube-state-metrics service doesn't export namespace labels anymore
2011733 - Repository README points to broken documentarion link
2011753 - Ironic resumes clean before raid configuration job is actually completed
2011809 - The nodes page in the openshift console doesn't work. You just get a blank page
2011822 - Obfuscation doesn't work at clusters with OVN
2011882 - SRO helm charts not synced with templates
2011893 - Validation: BMC driver ipmi is not supported for secure UEFI boot
2011896 - [4.10] ClusterVersion Upgradeable=False MultipleReasons should include all messages
2011903 - vsphere-problem-detector: session leak
2011927 - OLM should allow users to specify a proxy for GRPC connections
2011956 - [tracker] Kubelet rejects pods that use resources that should be freed by completed pods
2011960 - [tracker] Storage operator is not available after reboot cluster instances
2011971 - ICNI2 pods are stuck in ContainerCreating state
2011972 - Ingress operator not creating wildcard route for hypershift clusters
2011977 - SRO bundle references non-existent image
2012069 - Refactoring Status controller
2012177 - [OCP 4.9 + OCS 4.8.3] Overview tab is missing under Storage after successful deployment on UI
2012228 - ibmcloud: credentialsrequests invalid for machine-api-operator: resource-group
2012233 - [IBMCLOUD] IPI: "Exceeded limit of remote rules per security group (the limit is 5 remote rules per security group)"
2012235 - [IBMCLOUD] IPI: IBM cloud provider requires ResourceGroupName in cloudproviderconfig
2012317 - Dynamic Plugins: ListPageCreateDropdown items cut off
2012407 - [e2e][automation] improve vm tab console tests
2012426 - ThanosSidecarBucketOperationsFailed/ThanosSidecarUnhealthy alerts don't have namespace label
2012562 - migration condition is not detected in list view
2012770 - when using expression metric openshift_apps_deploymentconfigs_last_failed_rollout_time namespace label is re-written
2012780 - The port 50936 used by haproxy is occupied by kube-apiserver
2012838 - Setting the default maximum container root partition size for Overlay with CRI-O stop working
2012902 - Neutron Ports assigned to Completed Pods are not reused Edit
2012915 - kube_persistentvolumeclaim_labels and kube_persistentvolume_labels are missing in OCP 4.8 monitoring stack
2012971 - Disable operands deletes
2013034 - Cannot install to openshift-nmstate namespace
2013127 - OperatorHub links could not be opened in a new tabs (sharing and open a deep link works fine)
2013199 - post reboot of node SRIOV policy taking huge time
2013203 - UI breaks when trying to create block pool before storage cluster/system creation
2013222 - Full breakage for nightly payload promotion
2013273 - Nil pointer exception when phc2sys options are missing
2013321 - TuneD: high CPU utilization of the TuneD daemon.
2013416 - Multiple assets emit different content to the same filename
2013431 - Application selector dropdown has incorrect font-size and positioning
2013528 - mapi_current_pending_csr is always set to 1 on OpenShift Container Platform 4.8
2013545 - Service binding created outside topology is not visible
2013599 - Scorecard support storage is not included in ocp4.9
2013632 - Correction/Changes in Quick Start Guides for ODF 4.9 (Install ODF guide)
2013646 - fsync controller will show false positive if gaps in metrics are observed.
2013710 - ZTP Operator subscriptions for 4.9 release branch should point to 4.9 by default
2013751 - Service details page is showing wrong in-cluster hostname
2013787 - There are two tittle 'Network Attachment Definition Details' on NAD details page
2013871 - Resource table headings are not aligned with their column data
2013895 - Cannot enable accelerated network via MachineSets on Azure
2013920 - "--collector.filesystem.ignored-mount-points is DEPRECATED and will be removed in 2.0.0, use --collector.filesystem.mount-points-exclude"
2013930 - Create Buttons enabled for Bucket Class, Backingstore and Namespace Store in the absence of Storagesystem(or MCG)
2013969 - oVIrt CSI driver fails on creating PVCs on hosted engine storage domain
2013990 - Observe dashboard crashs on reload when perspective has changed (in another tab)
2013996 - Project detail page: Action "Delete Project" does nothing for the default project
2014071 - Payload imagestream new tags not properly updated during cluster upgrade
2014153 - SRIOV exclusive pooling
2014202 - [OCP-4.8.10] OVN-Kubernetes: service IP is not responding when egressIP set to the namespace
2014238 - AWS console test is failing on importing duplicate YAML definitions
2014245 - Several aria-labels, external links, and labels aren't internationalized
2014248 - Several files aren't internationalized
2014352 - Could not filter out machine by using node name on machines page
2014464 - Unexpected spacing/padding below navigation groups in developer perspective
2014471 - Helm Release notes tab is not automatically open after installing a chart for other languages
2014486 - Integration Tests: OLM single namespace operator tests failing
2014488 - Custom operator cannot change orders of condition tables
2014497 - Regex slows down different forms and creates too much recursion errors in the log
2014538 - Kuryr controller crash looping on self._get_vip_port(loadbalancer).id 'NoneType' object has no attribute 'id'
2014614 - Metrics scraping requests should be assigned to exempt priority level
2014710 - TestIngressStatus test is broken on Azure
2014954 - The prometheus-k8s-{0,1} pods are CrashLoopBackoff repeatedly
2014995 - oc adm must-gather cannot gather audit logs with 'None' audit profile
2015115 - [RFE] PCI passthrough
2015133 - [IBMCLOUD] ServiceID API key credentials seems to be insufficient for ccoctl '--resource-group-name' parameter
2015154 - Support ports defined networks and primarySubnet
2015274 - Yarn dev fails after updates to dynamic plugin JSON schema logic
2015337 - 4.9.0 GA MetalLB operator image references need to be adjusted to match production
2015386 - Possibility to add labels to the built-in OCP alerts
2015395 - Table head on Affinity Rules modal is not fully expanded
2015416 - CI implementation for Topology plugin
2015418 - Project Filesystem query returns No datapoints found
2015420 - No vm resource in project view's inventory
2015422 - No conflict checking on snapshot name
2015472 - Form and YAML view switch button should have distinguishable status
2015481 - [4.10] sriov-network-operator daemon pods are failing to start
2015493 - Cloud Controller Manager Operator does not respect 'additionalTrustBundle' setting
2015496 - Storage - PersistentVolumes : Claim colum value 'No Claim' in English
2015498 - [UI] Add capacity when not applicable (for MCG only deployment and External mode cluster) fails to pass any info. to user and tries to just load a blank screen on 'Add Capacity' button click
2015506 - Home - Search - Resources - APIRequestCount : hard to select an item from ellipsis menu
2015515 - Kubelet checks all providers even if one is configured: NoCredentialProviders: no valid providers in chain.
2015535 - Administration - ResourceQuotas - ResourceQuota details: Inside Pie chart 'x% used' is in English
2015549 - Observe - Metrics: Column heading and pagination text is in English
2015557 - Workloads - DeploymentConfigs : Error message is in English
2015568 - Compute - Nodes : CPU column's values are in English
2015635 - Storage operator fails causing installation to fail on ASH
2015660 - "Finishing boot source customization" screen should not use term "patched"
2015793 - [hypershift] The collect-profiles job's pods should run on the control-plane node
2015806 - Metrics view in Deployment reports "Forbidden" when not cluster-admin
2015819 - Conmon sandbox processes run on non-reserved CPUs with workload partitioning
2015837 - OS_CLOUD overwrites install-config's platform.openstack.cloud
2015950 - update from 4.7.22 to 4.8.11 is failing due to large amount of secrets to watch
2015952 - RH CodeReady Workspaces Operator in e2e testing will soon fail
2016004 - [RFE] RHCOS: help determining whether a user-provided image was already booted (Ignition provisioning already performed)
2016008 - [4.10] Bootimage bump tracker
2016052 - No e2e CI presubmit configured for release component azure-file-csi-driver
2016053 - No e2e CI presubmit configured for release component azure-file-csi-driver-operator
2016054 - No e2e CI presubmit configured for release component cluster-autoscaler
2016055 - No e2e CI presubmit configured for release component console
2016058 - openshift-sync does not synchronise in "ose-jenkins:v4.8"
2016064 - No e2e CI presubmit configured for release component ibm-cloud-controller-manager
2016065 - No e2e CI presubmit configured for release component ibmcloud-machine-controllers
2016175 - Pods get stuck in ContainerCreating state when attaching volumes fails on SNO clusters.
2016179 - Add Sprint 208 translations
2016228 - Collect Profiles pprof secret is hardcoded to openshift-operator-lifecycle-manager
2016235 - should update to 7.5.11 for grafana resources version label
2016296 - Openshift virtualization : Create Windows Server 2019 VM using template : Fails
2016334 - shiftstack: SRIOV nic reported as not supported
2016352 - Some pods start before CA resources are present
2016367 - Empty task box is getting created for a pipeline without finally task
2016435 - Duplicate AlertmanagerClusterFailedToSendAlerts alerts
2016438 - Feature flag gating is missing in few extensions contributed via knative plugin
2016442 - OCPonRHV: pvc should be in Bound state and without error when choosing default sc
2016446 - [OVN-Kubernetes] Egress Networkpolicy is failing Intermittently for statefulsets
2016453 - Complete i18n for GaugeChart defaults
2016479 - iface-id-ver is not getting updated for existing lsp
2016925 - Dashboards with All filter, change to a specific value and change back to All, data will disappear
2016951 - dynamic actions list is not disabling "open console" for stopped vms
2016955 - m5.large instance type for bootstrap node is hardcoded causing deployments to fail if instance type is not available
2016988 - NTO does not set io_timeout and max_retries for AWS Nitro instances
2017016 - [REF] Virtualization menu
2017036 - [sig-network-edge][Feature:Idling] Unidling should handle many TCP connections fails in periodic-ci-openshift-release-master-ci-4.9-e2e-openstack-ovn
2017050 - Dynamic Plugins: Shared modules loaded multiple times, breaking use of PatternFly
2017130 - t is not a function error navigating to details page
2017141 - Project dropdown has a dynamic inline width added which can cause min-width issue
2017244 - ovirt csi operator static files creation is in the wrong order
2017276 - [4.10] Volume mounts not created with the correct security context
2017327 - When run opm index prune failed with error removing operator package cic-operator FOREIGN KEY constraint failed.
2017427 - NTO does not restart TuneD daemon when profile application is taking too long
2017535 - Broken Argo CD link image on GitOps Details Page
2017547 - Siteconfig application sync fails with The AgentClusterInstall is invalid: spec.provisionRequirements.controlPlaneAgents: Required value when updating images references
2017564 - On-prem prepender dispatcher script overwrites DNS search settings
2017565 - CCMO does not handle additionalTrustBundle on Azure Stack
2017566 - MetalLB: Web Console -Create Address pool form shows address pool name twice
2017606 - [e2e][automation] add test to verify send key for VNC console
2017650 - [OVN]EgressFirewall cannot be applied correctly if cluster has windows nodes
2017656 - VM IP address is "undefined" under VM details -> ssh field
2017663 - SSH password authentication is disabled when public key is not supplied
2017680 - [gcp] Couldn’t enable support for instances with GPUs on GCP
2017732 - [KMS] Prevent creation of encryption enabled storageclass without KMS connection set
2017752 - (release-4.10) obfuscate identity provider attributes in collected authentication.operator.openshift.io resource
2017756 - overlaySize setting on containerruntimeconfig is ignored due to cri-o defaults
2017761 - [e2e][automation] dummy bug for 4.9 test dependency
2017872 - Add Sprint 209 translations
2017874 - The installer is incorrectly checking the quota for X instances instead of G and VT instances
2017879 - Add Chinese translation for "alternate"
2017882 - multus: add handling of pod UIDs passed from runtime
2017909 - [ICNI 2.0] ovnkube-masters stop processing add/del events for pods
2018042 - HorizontalPodAutoscaler CPU averageValue did not show up in HPA metrics GUI
2018093 - Managed cluster should ensure control plane pods do not run in best-effort QoS
2018094 - the tooltip length is limited
2018152 - CNI pod is not restarted when It cannot start servers due to ports being used
2018208 - e2e-metal-ipi-ovn-ipv6 are failing 75% of the time
2018234 - user settings are saved in local storage instead of on cluster
2018264 - Delete Export button doesn't work in topology sidebar (general issue with unknown CSV?)
2018272 - Deployment managed by link and topology sidebar links to invalid resource page (at least for Exports)
2018275 - Topology graph doesn't show context menu for Export CSV
2018279 - Edit and Delete confirmation modals for managed resource should close when the managed resource is clicked
2018380 - Migrate docs links to access.redhat.com
2018413 - Error: context deadline exceeded, OCP 4.8.9
2018428 - PVC is deleted along with VM even with "Delete Disks" unchecked
2018445 - [e2e][automation] enhance tests for downstream
2018446 - [e2e][automation] move tests to different level
2018449 - [e2e][automation] add test about create/delete network attachment definition
2018490 - [4.10] Image provisioning fails with file name too long
2018495 - Fix typo in internationalization README
2018542 - Kernel upgrade does not reconcile DaemonSet
2018880 - Get 'No datapoints found.' when query metrics about alert rule KubeCPUQuotaOvercommit and KubeMemoryQuotaOvercommit
2018884 - QE - Adapt crw-basic feature file to OCP 4.9/4.10 changes
2018935 - go.sum not updated, that ART extracts version string from, WAS: Missing backport from 4.9 for Kube bump PR#950
2018965 - e2e-metal-ipi-upgrade is permafailing in 4.10
2018985 - The rootdisk size is 15Gi of windows VM in customize wizard
2019001 - AWS: Operator degraded (CredentialsFailing): 1 of 6 credentials requests are failing to sync.
2019096 - Update SRO leader election timeout to support SNO
2019129 - SRO in operator hub points to wrong repo for README
2019181 - Performance profile does not apply
2019198 - ptp offset metrics are not named according to the log output
2019219 - [IBMCLOUD]: cloud-provider-ibm missing IAM permissions in CCCMO CredentialRequest
2019284 - Stop action should not in the action list while VMI is not running
2019346 - zombie processes accumulation and Argument list too long
2019360 - [RFE] Virtualization Overview page
2019452 - Logger object in LSO appends to existing logger recursively
2019591 - Operator install modal body that scrolls has incorrect padding causing shadow position to be incorrect
2019634 - Pause and migration is enabled in action list for a user who has view only permission
2019636 - Actions in VM tabs should be disabled when user has view only permission
2019639 - "Take snapshot" should be disabled while VM image is still been importing
2019645 - Create button is not removed on "Virtual Machines" page for view only user
2019646 - Permission error should pop-up immediately while clicking "Create VM" button on template page for view only user
2019647 - "Remove favorite" and "Create new Template" should be disabled in template action list for view only user
2019717 - cant delete VM with un-owned pvc attached
2019722 - The shared-resource-csi-driver-node pod runs as “BestEffort” qosClass
2019739 - The shared-resource-csi-driver-node uses imagePullPolicy as "Always"
2019744 - [RFE] Suggest users to download newest RHEL 8 version
2019809 - [OVN][Upgrade] After upgrade to 4.7.34 ovnkube-master pods are in CrashLoopBackOff/ContainerCreating and other multiple issues at OVS/OVN level
2019827 - Display issue with top-level menu items running demo plugin
2019832 - 4.10 Nightlies blocked: Failed to upgrade authentication, operator was degraded
2019886 - Kuryr unable to finish ports recovery upon controller restart
2019948 - [RFE] Restructring Virtualization links
2019972 - The Nodes section doesn't display the csr of the nodes that are trying to join the cluster
2019977 - Installer doesn't validate region causing binary to hang with a 60 minute timeout
2019986 - Dynamic demo plugin fails to build
2019992 - instance:node_memory_utilisation:ratio metric is incorrect
2020001 - Update dockerfile for demo dynamic plugin to reflect dir change
2020003 - MCD does not regard "dangling" symlinks as a files, attempts to write through them on next backup, resulting in "not writing through dangling symlink" error and degradation.
2020107 - cluster-version-operator: remove runlevel from CVO namespace
2020153 - Creation of Windows high performance VM fails
2020216 - installer: Azure storage container blob where is stored bootstrap.ign file shouldn't be public
2020250 - Replacing deprecated ioutil
2020257 - Dynamic plugin with multiple webpack compilation passes may fail to build
2020275 - ClusterOperators link in console returns blank page during upgrades
2020377 - permissions error while using tcpdump option with must-gather
2020489 - coredns_dns metrics don't include the custom zone metrics data due to CoreDNS prometheus plugin is not defined
2020498 - "Show PromQL" button is disabled
2020625 - [AUTH-52] User fails to login from web console with keycloak OpenID IDP after enable group membership sync feature
2020638 - [4.7] CI conformance test failures related to CustomResourcePublishOpenAPI
2020664 - DOWN subports are not cleaned up
2020904 - When trying to create a connection from the Developer view between VMs, it fails
2021016 - 'Prometheus Stats' of dashboard 'Prometheus Overview' miss data on console compared with Grafana
2021017 - 404 page not found error on knative eventing page
2021031 - QE - Fix the topology CI scripts
2021048 - [RFE] Added MAC Spoof check
2021053 - Metallb operator presented as community operator
2021067 - Extensive number of requests from storage version operator in cluster
2021081 - Missing PolicyGenTemplate for configuring Local Storage Operator LocalVolumes
2021135 - [azure-file-csi-driver] "make unit-test" returns non-zero code, but tests pass
2021141 - Cluster should allow a fast rollout of kube-apiserver is failing on single node
2021151 - Sometimes the DU node does not get the performance profile configuration applied and MachineConfigPool stays stuck in Updating
2021152 - imagePullPolicy is "Always" for ptp operator images
2021191 - Project admins should be able to list available network attachment defintions
2021205 - Invalid URL in git import form causes validation to not happen on URL change
2021322 - cluster-api-provider-azure should populate purchase plan information
2021337 - Dynamic Plugins: ResourceLink doesn't render when passed a groupVersionKind
2021364 - Installer requires invalid AWS permission s3:GetBucketReplication
2021400 - Bump documentationBaseURL to 4.10
2021405 - [e2e][automation] VM creation wizard Cloud Init editor
2021433 - "[sig-builds][Feature:Builds][pullsearch] docker build where the registry is not specified" test fail permanently on disconnected
2021466 - [e2e][automation] Windows guest tool mount
2021544 - OCP 4.6.44 - Ingress VIP assigned as secondary IP in ovs-if-br-ex and added to resolv.conf as nameserver
2021551 - Build is not recognizing the USER group from an s2i image
2021607 - Unable to run openshift-install with a vcenter hostname that begins with a numeric character
2021629 - api request counts for current hour are incorrect
2021632 - [UI] Clicking on odf-operator breadcrumb from StorageCluster details page displays empty page
2021693 - Modals assigned modal-lg class are no longer the correct width
2021724 - Observe > Dashboards: Graph lines are not visible when obscured by other lines
2021731 - CCO occasionally down, reporting networksecurity.googleapis.com API as disabled
2021936 - Kubelet version in RPMs should be using Dockerfile label instead of git tags
2022050 - [BM][IPI] Failed during bootstrap - unable to read client-key /var/lib/kubelet/pki/kubelet-client-current.pem
2022053 - dpdk application with vhost-net is not able to start
2022114 - Console logging every proxy request
2022144 - 1 of 3 ovnkube-master pods stuck in clbo after ipi bm deployment - dualstack (Intermittent)
2022251 - wait interval in case of a failed upload due to 403 is unnecessarily long
2022399 - MON_DISK_LOW troubleshooting guide link when clicked, gives 404 error .
2022447 - ServiceAccount in manifests conflicts with OLM
2022502 - Patternfly tables with a checkbox column are not displaying correctly because of conflicting css rules.
2022509 - getOverrideForManifest does not check manifest.GVK.Group
2022536 - WebScale: duplicate ecmp next hop error caused by multiple of the same gateway IPs in ovnkube cache
2022612 - no namespace field for "Kubernetes / Compute Resources / Namespace (Pods)" admin console dashboard
2022627 - Machine object not picking up external FIP added to an openstack vm
2022646 - configure-ovs.sh failure - Error: unknown connection 'WARN:'
2022707 - Observe / monitoring dashboard shows forbidden errors on Dev Sandbox
2022801 - Add Sprint 210 translations
2022811 - Fix kubelet log rotation file handle leak
2022812 - [SCALE] ovn-kube service controller executes unnecessary load balancer operations
2022824 - Large number of sessions created by vmware-vsphere-csi-driver-operator during e2e tests
2022880 - Pipeline renders with minor visual artifact with certain task dependencies
2022886 - Incorrect URL in operator description
2023042 - CRI-O filters custom runtime allowed annotation when both custom workload and custom runtime sections specified under the config
2023060 - [e2e][automation] Windows VM with CDROM migration
2023077 - [e2e][automation] Home Overview Virtualization status
2023090 - [e2e][automation] Examples of Import URL for VM templates
2023102 - [e2e][automation] Cloudinit disk of VM from custom template
2023216 - ACL for a deleted egressfirewall still present on node join switch
2023228 - Remove Tech preview badge on Trigger components 1.6 OSP on OCP 4.9
2023238 - [sig-devex][Feature:ImageEcosystem][python][Slow] hot deploy for openshift python image Django example should work with hot deploy
2023342 - SCC admission should take ephemeralContainers into account
2023356 - Devfiles can't be loaded in Safari on macOS (403 - Forbidden)
2023434 - Update Azure Machine Spec API to accept Marketplace Images
2023500 - Latency experienced while waiting for volumes to attach to node
2023522 - can't remove package from index: database is locked
2023560 - "Network Attachment Definitions" has no project field on the top in the list view
2023592 - [e2e][automation] add mac spoof check for nad
2023604 - ACL violation when deleting a provisioning-configuration resource
2023607 - console returns blank page when normal user without any projects visit Installed Operators page
2023638 - Downgrade support level for extended control plane integration to Dev Preview
2023657 - inconsistent behaviours of adding ssh key on rhel node between 4.9 and 4.10
2023675 - Changing CNV Namespace
2023779 - Fix Patch 104847 in 4.9
2023781 - initial hardware devices is not loading in wizard
2023832 - CCO updates lastTransitionTime for non-Status changes
2023839 - Bump recommended FCOS to 34.20211031.3.0
2023865 - Console css overrides prevent dynamic plug-in PatternFly tables from displaying correctly
2023950 - make test-e2e-operator on kubernetes-nmstate results in failure to pull image from "registry:5000" repository
2023985 - [4.10] OVN idle service cannot be accessed after upgrade from 4.8
2024055 - External DNS added extra prefix for the TXT record
2024108 - Occasionally node remains in SchedulingDisabled state even after update has been completed sucessfully
2024190 - e2e-metal UPI is permafailing with inability to find rhcos.json
2024199 - 400 Bad Request error for some queries for the non admin user
2024220 - Cluster monitoring checkbox flickers when installing Operator in all-namespace mode
2024262 - Sample catalog is not displayed when one API call to the backend fails
2024309 - cluster-etcd-operator: defrag controller needs to provide proper observability
2024316 - modal about support displays wrong annotation
2024328 - [oVirt / RHV] PV disks are lost when machine deleted while node is disconnected
2024399 - Extra space is in the translated text of "Add/Remove alternate service" on Create Route page
2024448 - When ssh_authorized_keys is empty in form view it should not appear in yaml view
2024493 - Observe > Alerting > Alerting rules page throws error trying to destructure undefined
2024515 - test-blocker: Ceph-storage-plugin tests failing
2024535 - hotplug disk missing OwnerReference
2024537 - WINDOWS_IMAGE_LINK does not refer to windows cloud image
2024547 - Detail page is breaking for namespace store , backing store and bucket class.
2024551 - KMS resources not getting created for IBM FlashSystem storage
2024586 - Special Resource Operator(SRO) - Empty image in BuildConfig when using RT kernel
2024613 - pod-identity-webhook starts without tls
2024617 - vSphere CSI tests constantly failing with Rollout of the monitoring stack failed and is degraded
2024665 - Bindable services are not shown on topology
2024731 - linuxptp container: unnecessary checking of interfaces
2024750 - i18n some remaining OLM items
2024804 - gcp-pd-csi-driver does not use trusted-ca-bundle when cluster proxy configured
2024826 - [RHOS/IPI] Masters are not joining a clusters when installing on OpenStack
2024841 - test Keycloak with latest tag
2024859 - Not able to deploy an existing image from private image registry using developer console
2024880 - Egress IP breaks when network policies are applied
2024900 - Operator upgrade kube-apiserver
2024932 - console throws "Unauthorized" error after logging out
2024933 - openshift-sync plugin does not sync existing secrets/configMaps on start up
2025093 - Installer does not honour diskformat specified in storage policy and defaults to zeroedthick
2025230 - ClusterAutoscalerUnschedulablePods should not be a warning
2025266 - CreateResource route has exact prop which need to be removed
2025301 - [e2e][automation] VM actions availability in different VM states
2025304 - overwrite storage section of the DV spec instead of the pvc section
2025431 - [RFE]Provide specific windows source link
2025458 - [IPI-AWS] cluster-baremetal-operator pod in a crashloop state after patching from 4.7.21 to 4.7.36
2025464 - [aws] openshift-install gather bootstrap collects logs for bootstrap and only one master node
2025467 - [OVN-K][ETP=local] Host to service backed by ovn pods doesn't work for ExternalTrafficPolicy=local
2025481 - Update VM Snapshots UI
2025488 - [DOCS] Update the doc for nmstate operator installation
2025592 - ODC 4.9 supports invalid devfiles only
2025765 - It should not try to load from storageProfile after unchecking"Apply optimized StorageProfile settings"
2025767 - VMs orphaned during machineset scaleup
2025770 - [e2e] non-priv seems looking for v2v-vmware configMap in ns "kubevirt-hyperconverged" while using customize wizard
2025788 - [IPI on azure]Pre-check on IPI Azure, should check VM Size’s vCPUsAvailable instead of vCPUs for the sku.
2025821 - Make "Network Attachment Definitions" available to regular user
2025823 - The console nav bar ignores plugin separator in existing sections
2025830 - CentOS capitalizaion is wrong
2025837 - Warn users that the RHEL URL expire
2025884 - External CCM deploys openstack-cloud-controller-manager from quay.io/openshift/origin-*
2025903 - [UI] RoleBindings tab doesn't show correct rolebindings
2026104 - [sig-imageregistry][Feature:ImageAppend] Image append should create images by appending them [Skipped:Disconnected] [Suite:openshift/conformance/parallel]
2026178 - OpenShift Alerting Rules Style-Guide Compliance
2026209 - Updation of task is getting failed (tekton hub integration)
2026223 - Internal error occurred: failed calling webhook "ptpconfigvalidationwebhook.openshift.io"
2026321 - [UPI on Azure] Shall we remove allowedValue about VMSize in ARM templates
2026343 - [upgrade from 4.5 to 4.6] .status.connectionState.address of catsrc community-operators is not correct
2026352 - Kube-Scheduler revision-pruner fail during install of new cluster
2026374 - aws-pod-identity-webhook go.mod version out of sync with build environment
2026383 - Error when rendering custom Grafana dashboard through ConfigMap
2026387 - node tuning operator metrics endpoint serving old certificates after certificate rotation
2026396 - Cachito Issues: sriov-network-operator Image build failure
2026488 - openshift-controller-manager - delete event is repeating pathologically
2026489 - ThanosRuleRuleEvaluationLatencyHigh alerts when a big quantity of alerts defined.
2026560 - Cluster-version operator does not remove unrecognized volume mounts
2026699 - fixed a bug with missing metadata
2026813 - add Mellanox CX-6 Lx DeviceID 101f NIC support in SR-IOV Operator
2026898 - Description/details are missing for Local Storage Operator
2027132 - Use the specific icon for Fedora and CentOS template
2027238 - "Node Exporter / USE Method / Cluster" CPU utilization graph shows incorrect legend
2027272 - KubeMemoryOvercommit alert should be human readable
2027281 - [Azure] External-DNS cannot find the private DNS zone in the resource group
2027288 - Devfile samples can't be loaded after fixing it on Safari (redirect caching issue)
2027299 - The status of checkbox component is not revealed correctly in code
2027311 - K8s watch hooks do not work when fetching core resources
2027342 - Alert ClusterVersionOperatorDown is firing on OpenShift Container Platform after ca certificate rotation
2027363 - The azure-file-csi-driver and azure-file-csi-driver-operator don't use the downstream images
2027387 - [IBMCLOUD] Terraform ibmcloud-provider buffers entirely the qcow2 image causing spikes of 5GB of RAM during installation
2027498 - [IBMCloud] SG Name character length limitation
2027501 - [4.10] Bootimage bump tracker
2027524 - Delete Application doesn't delete Channels or Brokers
2027563 - e2e/add-flow-ci.feature fix accessibility violations
2027585 - CVO crashes when changing spec.upstream to a cincinnati graph which includes invalid conditional edges
2027629 - Gather ValidatingWebhookConfiguration and MutatingWebhookConfiguration resource definitions
2027685 - openshift-cluster-csi-drivers pods crashing on PSI
2027745 - default samplesRegistry prevents the creation of imagestreams when registrySources.allowedRegistries is enforced
2027824 - ovnkube-master CrashLoopBackoff: panic: Expected slice or struct but got string
2027917 - No settings in hostfirmwaresettings and schema objects for masters
2027927 - sandbox creation fails due to obsolete option in /etc/containers/storage.conf
2027982 - nncp stucked at ConfigurationProgressing
2028019 - Max pending serving CSRs allowed in cluster machine approver is not right for UPI clusters
2028024 - After deleting a SpecialResource, the node is still tagged although the driver is removed
2028030 - Panic detected in cluster-image-registry-operator pod
2028042 - Desktop viewer for Windows VM shows "no Service for the RDP (Remote Desktop Protocol) can be found"
2028054 - Cloud controller manager operator can't get leader lease when upgrading from 4.8 up to 4.9
2028106 - [RFE] Use dynamic plugin actions for kubevirt plugin
2028141 - Console tests doesn't pass on Node.js 15 and 16
2028160 - Remove i18nKey in network-policy-peer-selectors.tsx
2028162 - Add Sprint 210 translations
2028170 - Remove leading and trailing whitespace
2028174 - Add Sprint 210 part 2 translations
2028187 - Console build doesn't pass on Node.js 16 because node-sass doesn't support it
2028217 - Cluster-version operator does not default Deployment replicas to one
2028240 - Multiple CatalogSources causing higher CPU use than necessary
2028268 - Password parameters are listed in FirmwareSchema in spite that cannot and shouldn't be set in HostFirmwareSettings
2028325 - disableDrain should be set automatically on SNO
2028484 - AWS EBS CSI driver's livenessprobe does not respect operator's loglevel
2028531 - Missing netFilter to the list of parameters when platform is OpenStack
2028610 - Installer doesn't retry on GCP rate limiting
2028685 - LSO repeatedly reports errors while diskmaker-discovery pod is starting
2028695 - destroy cluster does not prune bootstrap instance profile
2028731 - The containerruntimeconfig controller has wrong assumption regarding the number of containerruntimeconfigs
2028802 - CRI-O panic due to invalid memory address or nil pointer dereference
2028816 - VLAN IDs not released on failures
2028881 - Override not working for the PerformanceProfile template
2028885 - Console should show an error context if it logs an error object
2028949 - Masthead dropdown item hover text color is incorrect
2028963 - Whereabouts should reconcile stranded IP addresses
2029034 - enabling ExternalCloudProvider leads to inoperative cluster
2029178 - Create VM with wizard - page is not displayed
2029181 - Missing CR from PGT
2029273 - wizard is not able to use if project field is "All Projects"
2029369 - Cypress tests github rate limit errors
2029371 - patch pipeline--worker nodes unexpectedly reboot during scale out
2029394 - missing empty text for hardware devices at wizard review
2029414 - Alibaba Disk snapshots with XFS filesystem cannot be used
2029416 - Alibaba Disk CSI driver does not use credentials provided by CCO / ccoctl
2029521 - EFS CSI driver cannot delete volumes under load
2029570 - Azure Stack Hub: CSI Driver does not use user-ca-bundle
2029579 - Clicking on an Application which has a Helm Release in it causes an error
2029644 - New resource FirmwareSchema - reset_required exists for Dell machines and doesn't for HPE
2029645 - Sync upstream 1.15.0 downstream
2029671 - VM action "pause" and "clone" should be disabled while VM disk is still being importing
2029742 - [ovn] Stale lr-policy-list and snat rules left for egressip
2029750 - cvo keep restart due to it fail to get feature gate value during the initial start stage
2029785 - CVO panic when an edge is included in both edges and conditionaledges
2029843 - Downstream ztp-site-generate-rhel8 4.10 container image missing content(/home/ztp)
2030003 - HFS CRD: Attempt to set Integer parameter to not-numeric string value - no error
2030029 - [4.10][goroutine]Namespace stuck terminating: Failed to delete all resource types, 1 remaining: unexpected items still remain in namespace
2030228 - Fix StorageSpec resources field to use correct API
2030229 - Mirroring status card reflect wrong data
2030240 - Hide overview page for non-privileged user
2030305 - Export App job do not completes
2030347 - kube-state-metrics exposes metrics about resource annotations
2030364 - Shared resource CSI driver monitoring is not setup correctly
2030488 - Numerous Azure CI jobs are Failing with Partially Rendered machinesets
2030534 - Node selector/tolerations rules are evaluated too early
2030539 - Prometheus is not highly available
2030556 - Don't display Description or Message fields for alerting rules if those annotations are missing
2030568 - Operator installation fails to parse operatorframework.io/initialization-resource annotation
2030574 - console service uses older "service.alpha.openshift.io" for the service serving certificates.
2030677 - BOND CNI: There is no option to configure MTU on a Bond interface
2030692 - NPE in PipelineJobListener.upsertWorkflowJob
2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error
2030847 - PerformanceProfile API version should be v2
2030961 - Customizing the OAuth server URL does not apply to upgraded cluster
2031006 - Application name input field is not autofocused when user selects "Create application"
2031012 - Services of type loadbalancer do not work if the traffic reaches the node from an interface different from br-ex
2031040 - Error screen when open topology sidebar for a Serverless / knative service which couldn't be started
2031049 - [vsphere upi] pod machine-config-operator cannot be started due to panic issue
2031057 - Topology sidebar for Knative services shows a small pod ring with "0 undefined" as tooltip
2031060 - Failing CSR Unit test due to expired test certificate
2031085 - ovs-vswitchd running more threads than expected
2031141 - Some pods not able to reach k8s api svc IP 198.223.0.1
2031228 - CVE-2021-43813 grafana: directory traversal vulnerability
2031502 - [RFE] New common templates crash the ui
2031685 - Duplicated forward upstreams should be removed from the dns operator
2031699 - The displayed ipv6 address of a dns upstream should be case sensitive
2031797 - [RFE] Order and text of Boot source type input are wrong
2031826 - CI tests needed to confirm driver-toolkit image contents
2031831 - OCP Console - Global CSS overrides affecting dynamic plugins
2031839 - Starting from Go 1.17 invalid certificates will render a cluster dysfunctional
2031858 - GCP beta-level Role (was: CCO occasionally down, reporting networksecurity.googleapis.com API as disabled)
2031875 - [RFE]: Provide online documentation for the SRO CRD (via oc explain)
2031926 - [ipv6dualstack] After SVC conversion from single stack only to RequireDualStack, cannot curl NodePort from the node itself
2032006 - openshift-gitops-application-controller-0 failed to schedule with sufficient node allocatable resource
2032111 - arm64 cluster, create project and deploy the example deployment, pod is CrashLoopBackOff due to the image is built on linux+amd64
2032141 - open the alertrule link in new tab, got empty page
2032179 - [PROXY] external dns pod cannot reach to cloud API in the cluster behind a proxy
2032296 - Cannot create machine with ephemeral disk on Azure
2032407 - UI will show the default openshift template wizard for HANA template
2032415 - Templates page - remove "support level" badge and add "support level" column which should not be hard coded
2032421 - [RFE] UI integration with automatic updated images
2032516 - Not able to import git repo with .devfile.yaml
2032521 - openshift-installer intermittent failure on AWS with "Error: Provider produced inconsistent result after apply" when creating the aws_vpc_dhcp_options_association resource
2032547 - hardware devices table have filter when table is empty
2032565 - Deploying compressed files with a MachineConfig resource degrades the MachineConfigPool
2032566 - Cluster-ingress-router does not support Azure Stack
2032573 - Adopting enforces deploy_kernel/ramdisk which does not work with deploy_iso
2032589 - DeploymentConfigs ignore resolve-names annotation
2032732 - Fix styling conflicts due to recent console-wide CSS changes
2032831 - Knative Services and Revisions are not shown when Service has no ownerReference
2032851 - Networking is "not available" in Virtualization Overview
2032926 - Machine API components should use K8s 1.23 dependencies
2032994 - AddressPool IP is not allocated to service external IP wtih aggregationLength 24
2032998 - Can not achieve 250 pods/node with OVNKubernetes in a multiple worker node cluster
2033013 - Project dropdown in user preferences page is broken
2033044 - Unable to change import strategy if devfile is invalid
2033098 - Conjunction in ProgressiveListFooter.tsx is not translatable
2033111 - IBM VPC operator library bump removed global CLI args
2033138 - "No model registered for Templates" shows on customize wizard
2033215 - Flaky CI: crud/other-routes.spec.ts fails sometimes with an cypress ace/a11y AssertionError: 1 accessibility violation was detected
2033239 - [IPI on Alibabacloud] 'openshift-install' gets the wrong region (‘cn-hangzhou’) selected
2033257 - unable to use configmap for helm charts
2033271 - [IPI on Alibabacloud] destroying cluster succeeded, but the resource group deletion wasn’t triggered
2033290 - Product builds for console are failing
2033382 - MAPO is missing machine annotations
2033391 - csi-driver-shared-resource-operator sets unused CVO-manifest annotations
2033403 - Devfile catalog does not show provider information
2033404 - Cloud event schema is missing source type and resource field is using wrong value
2033407 - Secure route data is not pre-filled in edit flow form
2033422 - CNO not allowing LGW conversion from SGW in runtime
2033434 - Offer darwin/arm64 oc in clidownloads
2033489 - CCM operator failing on baremetal platform
2033518 - [aws-efs-csi-driver]Should not accept invalid FSType in sc for AWS EFS driver
2033524 - [IPI on Alibabacloud] interactive installer cannot list existing base domains
2033536 - [IPI on Alibabacloud] bootstrap complains invalid value for alibabaCloud.resourceGroupID when updating "cluster-infrastructure-02-config.yml" status, which leads to bootstrap failed and all master nodes NotReady
2033538 - Gather Cost Management Metrics Custom Resource
2033579 - SRO cannot update the special-resource-lifecycle ConfigMap if the data field is undefined
2033587 - Flaky CI test project-dashboard.scenario.ts: Resource Quotas Card was not found on project detail page
2033634 - list-style-type: disc is applied to the modal dropdowns
2033720 - Update samples in 4.10
2033728 - Bump OVS to 2.16.0-33
2033729 - remove runtime request timeout restriction for azure
2033745 - Cluster-version operator makes upstream update service / Cincinnati requests more frequently than intended
2033749 - Azure Stack Terraform fails without Local Provider
2033750 - Local volume should pull multi-arch image for kube-rbac-proxy
2033751 - Bump kubernetes to 1.23
2033752 - make verify fails due to missing yaml-patch
2033784 - set kube-apiserver degraded=true if webhook matches a virtual resource
2034004 - [e2e][automation] add tests for VM snapshot improvements
2034068 - [e2e][automation] Enhance tests for 4.10 downstream
2034087 - [OVN] EgressIP was assigned to the node which is not egress node anymore
2034097 - [OVN] After edit EgressIP object, the status is not correct
2034102 - [OVN] Recreate the deleted EgressIP object got InvalidEgressIP warning
2034129 - blank page returned when clicking 'Get started' button
2034144 - [OVN AWS] ovn-kube egress IP monitoring cannot detect the failure on ovn-k8s-mp0
2034153 - CNO does not verify MTU migration for OpenShiftSDN
2034155 - [OVN-K] [Multiple External Gateways] Per pod SNAT is disabled
2034170 - Use function.knative.dev for Knative Functions related labels
2034190 - unable to add new VirtIO disks to VMs
2034192 - Prometheus fails to insert reporting metrics when the sample limit is met
2034243 - regular user cant load template list
2034245 - installing a cluster on aws, gcp always fails with "Error: Incompatible provider version"
2034248 - GPU/Host device modal is too small
2034257 - regular user `Create VM` missing permissions alert
2034285 - [sig-api-machinery] API data in etcd should be stored at the correct location and version for all resources [Serial] [Suite:openshift/conformance/serial]
2034287 - do not block upgrades if we can't create storageclass in 4.10 in vsphere
2034300 - Du validator policy is NonCompliant after DU configuration completed
2034319 - Negation constraint is not validating packages
2034322 - CNO doesn't pick up settings required when ExternalControlPlane topology
2034350 - The CNO should implement the Whereabouts IP reconciliation cron job
2034362 - update description of disk interface
2034398 - The Whereabouts IPPools CRD should include the podref field
2034409 - Default CatalogSources should be pointing to 4.10 index images
2034410 - Metallb BGP, BFD: prometheus is not scraping the frr metrics
2034413 - cloud-network-config-controller fails to init with secret "cloud-credentials" not found in manual credential mode
2034460 - Summary: cloud-network-config-controller does not account for different environment
2034474 - Template's boot source is "Unknown source" before and after set enableCommonBootImageImport to true
2034477 - [OVN] Multiple EgressIP objects configured, EgressIPs weren't working properly
2034493 - Change cluster version operator log level
2034513 - [OVN] After update one EgressIP in EgressIP object, one internal IP lost from lr-policy-list
2034527 - IPI deployment fails 'timeout reached while inspecting the node' when provisioning network ipv6
2034528 - [IBM VPC] volumeBindingMode should be WaitForFirstConsumer
2034534 - Update ose-machine-api-provider-openstack images to be consistent with ART
2034537 - Update team
2034559 - KubeAPIErrorBudgetBurn firing outside recommended latency thresholds
2034563 - [Azure] create machine with wrong ephemeralStorageLocation value success
2034577 - Current OVN gateway mode should be reflected on node annotation as well
2034621 - context menu not popping up for application group
2034622 - Allow volume expansion by default in vsphere CSI storageclass 4.10
2034624 - Warn about unsupported CSI driver in vsphere operator
2034647 - missing volumes list in snapshot modal
2034648 - Rebase openshift-controller-manager to 1.23
2034650 - Rebase openshift/builder to 1.23
2034705 - vSphere: storage e2e tests logging configuration data
2034743 - EgressIP: assigning the same egress IP to a second EgressIP object after a ovnkube-master restart does not fail.
2034766 - Special Resource Operator(SRO) - no cert-manager pod created in dual stack environment
2034785 - ptpconfig with summary_interval cannot be applied
2034823 - RHEL9 should be starred in template list
2034838 - An external router can inject routes if no service is added
2034839 - Jenkins sync plugin does not synchronize ConfigMap having label role=jenkins-agent
2034879 - Lifecycle hook's name and owner shouldn't be allowed to be empty
2034881 - Cloud providers components should use K8s 1.23 dependencies
2034884 - ART cannot build the image because it tries to download controller-gen
2034889 - `oc adm prune deployments` does not work
2034898 - Regression in recently added Events feature
2034957 - update openshift-apiserver to kube 1.23.1
2035015 - ClusterLogForwarding CR remains stuck remediating forever
2035093 - openshift-cloud-network-config-controller never runs on Hypershift cluster
2035141 - [RFE] Show GPU/Host devices in template's details tab
2035146 - "kubevirt-plugin~PVC cannot be empty" shows on add-disk modal while adding existing PVC
2035167 - [cloud-network-config-controller] unable to deleted cloudprivateipconfig when deleting
2035199 - IPv6 support in mtu-migration-dispatcher.yaml
2035239 - e2e-metal-ipi-virtualmedia tests are permanently failing
2035250 - Peering with ebgp peer over multi-hops doesn't work
2035264 - [RFE] Provide a proper message for nonpriv user who not able to add PCI devices
2035315 - invalid test cases for AWS passthrough mode
2035318 - Upgrade management workflow needs to allow custom upgrade graph path for disconnected env
2035321 - Add Sprint 211 translations
2035326 - [ExternalCloudProvider] installation with additional network on workers fails
2035328 - Ccoctl does not ignore credentials request manifest marked for deletion
2035333 - Kuryr orphans ports on 504 errors from Neutron
2035348 - Fix two grammar issues in kubevirt-plugin.json strings
2035393 - oc set data --dry-run=server makes persistent changes to configmaps and secrets
2035409 - OLM E2E test depends on operator package that's no longer published
2035439 - SDN Automatic assignment EgressIP on GCP returned node IP adress not egressIP address
2035453 - [IPI on Alibabacloud] 2 worker machines stuck in Failed phase due to connection to 'ecs-cn-hangzhou.aliyuncs.com' timeout, although the specified region is 'us-east-1'
2035454 - [IPI on Alibabacloud] the OSS bucket created during installation for image registry is not deleted after destroying the cluster
2035467 - UI: Queried metrics can't be ordered on Oberve->Metrics page
2035494 - [SDN Migration]ovnkube-node pods CrashLoopBackOff after sdn migrated to ovn for RHEL workers
2035515 - [IBMCLOUD] allowVolumeExpansion should be true in storage class
2035602 - [e2e][automation] add tests for Virtualization Overview page cards
2035703 - Roles -> RoleBindings tab doesn't show RoleBindings correctly
2035704 - RoleBindings list page filter doesn't apply
2035705 - Azure 'Destroy cluster' get stuck when the cluster resource group is already not existing.
2035757 - [IPI on Alibabacloud] one master node turned NotReady which leads to installation failed
2035772 - AccessMode and VolumeMode is not reserved for customize wizard
2035847 - Two dashes in the Cronjob / Job pod name
2035859 - the output of opm render doesn't contain olm.constraint which is defined in dependencies.yaml
2035882 - [BIOS setting values] Create events for all invalid settings in spec
2035903 - One redundant capi-operator credential requests in “oc adm extract --credentials-requests”
2035910 - [UI] Manual approval options are missing after ODF 4.10 installation starts when Manual Update approval is chosen
2035927 - Cannot enable HighNodeUtilization scheduler profile
2035933 - volume mode and access mode are empty in customize wizard review tab
2035969 - "ip a " shows "Error: Peer netns reference is invalid" after create test pods
2035986 - Some pods under kube-scheduler/kube-controller-manager are using the deprecated annotation
2036006 - [BIOS setting values] Attempt to set Integer parameter results in preparation error
2036029 - New added cloud-network-config operator doesn’t supported aws sts format credential
2036096 - [azure-file-csi-driver] there are no e2e tests for NFS backend
2036113 - cluster scaling new nodes ovs-configuration fails on all new nodes
2036567 - [csi-driver-nfs] Upstream merge: Bump k8s libraries to 1.23
2036569 - [cloud-provider-openstack] Upstream merge: Bump k8s libraries to 1.23
2036577 - OCP 4.10 nightly builds from 4.10.0-0.nightly-s390x-2021-12-18-034912 to 4.10.0-0.nightly-s390x-2022-01-11-233015 fail to upgrade from OCP 4.9.11 and 4.9.12 for network type OVNKubernetes for zVM hypervisor environments
2036622 - sdn-controller crashes when restarted while a previous egress IP assignment exists
2036717 - Valid AlertmanagerConfig custom resource with valid a mute time interval definition is rejected
2036826 - `oc adm prune deployments` can prune the RC/RS
2036827 - The ccoctl still accepts CredentialsRequests without ServiceAccounts on GCP platform
2036861 - kube-apiserver is degraded while enable multitenant
2036937 - Command line tools page shows wrong download ODO link
2036940 - oc registry login fails if the file is empty or stdout
2036951 - [cluster-csi-snapshot-controller-operator] proxy settings is being injected in container
2036989 - Route URL copy to clipboard button wraps to a separate line by itself
2036990 - ZTP "DU Done inform policy" never becomes compliant on multi-node clusters
2036993 - Machine API components should use Go lang version 1.17
2037036 - The tuned profile goes into degraded status and ksm.service is displayed in the log.
2037061 - aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for cluster-api
2037073 - Alertmanager container fails to start because of startup probe never being successful
2037075 - Builds do not support CSI volumes
2037167 - Some log level in ibm-vpc-block-csi-controller are hard code
2037168 - IBM-specific Deployment manifest for package-server-manager should be excluded on non-IBM cluster-profiles
2037182 - PingSource badge color is not matched with knativeEventing color
2037203 - "Running VMs" card is too small in Virtualization Overview
2037209 - [IPI on Alibabacloud] worker nodes are put in the default resource group unexpectedly
2037237 - Add "This is a CD-ROM boot source" to customize wizard
2037241 - default TTL for noobaa cache buckets should be 0
2037246 - Cannot customize auto-update boot source
2037276 - [IBMCLOUD] vpc-node-label-updater may fail to label nodes appropriately
2037288 - Remove stale image reference
2037331 - Ensure the ccoctl behaviors are similar between aws and gcp on the existing resources
2037483 - Rbacs for Pods within the CBO should be more restrictive
2037484 - Bump dependencies to k8s 1.23
2037554 - Mismatched wave number error message should include the wave numbers that are in conflict
2037622 - [4.10-Alibaba CSI driver][Restore size for volumesnapshot/volumesnapshotcontent is showing as 0 in Snapshot feature for Alibaba platform]
2037635 - impossible to configure custom certs for default console route in ingress config
2037637 - configure custom certificate for default console route doesn't take effect for OCP >= 4.8
2037638 - Builds do not support CSI volumes as volume sources
2037664 - text formatting issue in Installed Operators list table
2037680 - [IPI on Alibabacloud] sometimes operator 'cloud-controller-manager' tells empty VERSION, due to conflicts on listening tcp :8080
2037689 - [IPI on Alibabacloud] sometimes operator 'cloud-controller-manager' tells empty VERSION, due to conflicts on listening tcp :8080
2037801 - Serverless installation is failing on CI jobs for e2e tests
2037813 - Metal Day 1 Networking - networkConfig Field Only Accepts String Format
2037856 - use lease for leader election
2037891 - 403 Forbidden error shows for all the graphs in each grafana dashboard after upgrade from 4.9 to 4.10
2037903 - Alibaba Cloud: delete-ram-user requires the credentials-requests
2037904 - upgrade operator deployment failed due to memory limit too low for manager container
2038021 - [4.10-Alibaba CSI driver][Default volumesnapshot class is not added/present after successful cluster installation]
2038034 - non-privileged user cannot see auto-update boot source
2038053 - Bump dependencies to k8s 1.23
2038088 - Remove ipa-downloader references
2038160 - The `default` project missed the annotation : openshift.io/node-selector: ""
2038166 - Starting from Go 1.17 invalid certificates will render a cluster non-functional
2038196 - must-gather is missing collecting some metal3 resources
2038240 - Error when configuring a file using permissions bigger than decimal 511 (octal 0777)
2038253 - Validator Policies are long lived
2038272 - Failures to build a PreprovisioningImage are not reported
2038384 - Azure Default Instance Types are Incorrect
2038389 - Failing test: [sig-arch] events should not repeat pathologically
2038412 - Import page calls the git file list unnecessarily twice from GitHub/GitLab/Bitbucket
2038465 - Upgrade chromedriver to 90.x to support Mac M1 chips
2038481 - kube-controller-manager-guard and openshift-kube-scheduler-guard pods being deleted and restarted on a cordoned node when drained
2038596 - Auto egressIP for OVN cluster on GCP: After egressIP object is deleted, egressIP still takes effect
2038663 - update kubevirt-plugin OWNERS
2038691 - [AUTH-8] Panic on user login when the user belongs to a group in the IdP side and the group already exists via "oc adm groups new"
2038705 - Update ptp reviewers
2038761 - Open Observe->Targets page, wait for a while, page become blank
2038768 - All the filters on the Observe->Targets page can't work
2038772 - Some monitors failed to display on Observe->Targets page
2038793 - [SDN EgressIP] After reboot egress node, the egressip was lost from egress node
2038827 - should add user containers in /etc/subuid and /etc/subgid to support run pods in user namespaces
2038832 - New templates for centos stream8 are missing registry suggestions in create vm wizard
2038840 - [SDN EgressIP]cloud-network-config-controller pod was CrashLoopBackOff after some operation
2038864 - E2E tests fail because multi-hop-net was not created
2038879 - All Builds are getting listed in DeploymentConfig under workloads on OpenShift Console
2038934 - CSI driver operators should use the trusted CA bundle when cluster proxy is configured
2038968 - Move feature gates from a carry patch to openshift/api
2039056 - Layout issue with breadcrumbs on API explorer page
2039057 - Kind column is not wide enough in API explorer page
2039064 - Bulk Import e2e test flaking at a high rate
2039065 - Diagnose and fix Bulk Import e2e test that was previously disabled
2039085 - Cloud credential operator configuration failing to apply in hypershift/ROKS clusters
2039099 - [OVN EgressIP GCP] After reboot egress node, egressip that was previously assigned got lost
2039109 - [FJ OCP4.10 Bug]: startironic.sh failed to pull the image of image-customization container when behind a proxy
2039119 - CVO hotloops on Service openshift-monitoring/cluster-monitoring-operator
2039170 - [upgrade]Error shown on registry operator "missing the cloud-provider-config configmap" after upgrade
2039227 - Improve image customization server parameter passing during installation
2039241 - Improve image customization server parameter passing during installation
2039244 - Helm Release revision history page crashes the UI
2039294 - SDN controller metrics cannot be consumed correctly by prometheus
2039311 - oc Does Not Describe Build CSI Volumes
2039315 - Helm release list page should only fetch secrets for deployed charts
2039321 - SDN controller metrics are not being consumed by prometheus
2039330 - Create NMState button doesn't work in OperatorHub web console
2039339 - cluster-ingress-operator should report Unupgradeable if user has modified the aws resources annotations
2039345 - CNO does not verify the minimum MTU value for IPv6/dual-stack clusters.
2039359 - `oc adm prune deployments` can't prune the RS where the associated Deployment no longer exists
2039382 - gather_metallb_logs does not have execution permission
2039406 - logout from rest session after vsphere operator sync is finished
2039408 - Add GCP region northamerica-northeast2 to allowed regions
2039414 - Cannot see the weights increased for NodeAffinity, InterPodAffinity, TaintandToleration
2039425 - No need to set KlusterletAddonConfig CR applicationManager->enabled: true in RAN ztp deployment
2039491 - oc - git:// protocol used in unit tests
2039516 - Bump OVN to ovn21.12-21.12.0-25
2039529 - Project Dashboard Resource Quotas Card empty state test flaking at a high rate
2039534 - Diagnose and fix Project Dashboard Resource Quotas Card test that was previously disabled
2039541 - Resolv-prepender script duplicating entries
2039586 - [e2e] update centos8 to centos stream8
2039618 - VM created from SAP HANA template leads to 404 page if leave one network parameter empty
2039619 - [AWS] In tree provisioner storageclass aws disk type should contain 'gp3' and csi provisioner storageclass default aws disk type should be 'gp3'
2039670 - Create PDBs for control plane components
2039678 - Page goes blank when create image pull secret
2039689 - [IPI on Alibabacloud] Pay-by-specification NAT is no longer supported
2039743 - React missing key warning when open operator hub detail page (and maybe others as well)
2039756 - React missing key warning when open KnativeServing details
2039770 - Observe dashboard doesn't react on time-range changes after browser reload when perspective is changed in another tab
2039776 - Observe dashboard shows nothing if the URL links to an non existing dashboard
2039781 - [GSS] OBC is not visible by admin of a Project on Console
2039798 - Contextual binding with Operator backed service creates visual connector instead of Service binding connector
2039868 - Insights Advisor widget is not in the disabled state when the Insights Operator is disabled
2039880 - Log level too low for control plane metrics
2039919 - Add E2E test for router compression feature
2039981 - ZTP for standard clusters installs stalld on master nodes
2040132 - Flag --port has been deprecated, This flag has no effect now and will be removed in v1.24. You can use --secure-port instead
2040136 - external-dns-operator pod keeps restarting and reports error: timed out waiting for cache to be synced
2040143 - [IPI on Alibabacloud] suggest to remove region "cn-nanjing" or provide better error message
2040150 - Update ConfigMap keys for IBM HPCS
2040160 - [IPI on Alibabacloud] installation fails when region does not support pay-by-bandwidth
2040285 - Bump build-machinery-go for console-operator to pickup change in yaml-patch repository
2040357 - bump OVN to ovn-2021-21.12.0-11.el8fdp
2040376 - "unknown instance type" error for supported m6i.xlarge instance
2040394 - Controller: enqueue the failed configmap till services update
2040467 - Cannot build ztp-site-generator container image
2040504 - Change AWS EBS GP3 IOPS in MachineSet doesn't take affect in OpenShift 4
2040521 - RouterCertsDegraded certificate could not validate route hostname v4-0-config-system-custom-router-certs.apps
2040535 - Auto-update boot source is not available in customize wizard
2040540 - ovs hardware offload: ovsargs format error when adding vf netdev name
2040603 - rhel worker scaleup playbook failed because missing some dependency of podman
2040616 - rolebindings page doesn't load for normal users
2040620 - [MAPO] Error pulling MAPO image on installation
2040653 - Topology sidebar warns that another component is updated while rendering
2040655 - User settings update fails when selecting application in topology sidebar
2040661 - Different react warnings about updating state on unmounted components when leaving topology
2040670 - Permafailing CI job: periodic-ci-openshift-release-master-nightly-4.10-e2e-gcp-libvirt-cert-rotation
2040671 - [Feature:IPv6DualStack] most tests are failing in dualstack ipi
2040694 - Three upstream HTTPClientConfig struct fields missing in the operator
2040705 - Du policy for standard cluster runs the PTP daemon on masters and workers
2040710 - cluster-baremetal-operator cannot update BMC subscription CR
2040741 - Add CI test(s) to ensure that metal3 components are deployed in vSphere, OpenStack and None platforms
2040782 - Import YAML page blocks input with more then one generateName attribute
2040783 - The Import from YAML summary page doesn't show the resource name if created via generateName attribute
2040791 - Default PGT policies must be 'inform' to integrate with the Lifecycle Operator
2040793 - Fix snapshot e2e failures
2040880 - do not block upgrades if we can't connect to vcenter
2041087 - MetalLB: MetalLB CR is not upgraded automatically from 4.9 to 4.10
2041093 - autounattend.xml missing
2041204 - link to templates in virtualization-cluster-overview inventory card is to all templates
2041319 - [IPI on Alibabacloud] installation in region "cn-shanghai" failed, due to "Resource alicloud_vswitch CreateVSwitch Failed...InvalidCidrBlock.Overlapped"
2041326 - Should bump cluster-kube-descheduler-operator to kubernetes version V1.23
2041329 - aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for cloud-network-config-controller
2041361 - [IPI on Alibabacloud] Disable session persistence and removebBandwidth peak of listener
2041441 - Provision volume with size 3000Gi even if sizeRange: '[10-2000]GiB' in storageclass on IBM cloud
2041466 - Kubedescheduler version is missing from the operator logs
2041475 - React components should have a (mostly) unique name in react dev tools to simplify code analyses
2041483 - MetallB: quay.io/openshift/origin-kube-rbac-proxy:4.10 deploy Metallb CR is missing (controller and speaker pods)
2041492 - Spacing between resources in inventory card is too small
2041509 - GCP Cloud provider components should use K8s 1.23 dependencies
2041510 - cluster-baremetal-operator doesn't run baremetal-operator's subscription webhook
2041541 - audit: ManagedFields are dropped using API not annotation
2041546 - ovnkube: set election timer at RAFT cluster creation time
2041554 - use lease for leader election
2041581 - KubeDescheduler operator log shows "Use of insecure cipher detected"
2041583 - etcd and api server cpu mask interferes with a guaranteed workload
2041598 - Including CA bundle in Azure Stack cloud config causes MCO failure
2041605 - Dynamic Plugins: discrepancy in proxy alias documentation/implementation
2041620 - bundle CSV alm-examples does not parse
2041641 - Fix inotify leak and kubelet retaining memory
2041671 - Delete templates leads to 404 page
2041694 - [IPI on Alibabacloud] installation fails when region does not support the cloud_essd disk category
2041734 - ovs hwol: VFs are unbind when switchdev mode is enabled
2041750 - [IPI on Alibabacloud] trying "create install-config" with region "cn-wulanchabu (China (Ulanqab))" (or "ap-southeast-6 (Philippines (Manila))", "cn-guangzhou (China (Guangzhou))") failed due to invalid endpoint
2041763 - The Observe > Alerting pages no longer have their default sort order applied
2041830 - CI: ovn-kubernetes-master-e2e-aws-ovn-windows is broken
2041854 - Communities / Local prefs are applied to all the services regardless of the pool, and only one community is applied
2041882 - cloud-network-config operator can't work normal on GCP workload identity cluster
2041888 - Intermittent incorrect build to run correlation, leading to run status updates applied to wrong build, builds stuck in non-terminal phases
2041926 - [IPI on Alibabacloud] Installer ignores public zone when it does not exist
2041971 - [vsphere] Reconciliation of mutating webhooks didn't happen
2041989 - CredentialsRequest manifests being installed for ibm-cloud-managed profile
2041999 - [PROXY] external dns pod cannot recognize custom proxy CA
2042001 - unexpectedly found multiple load balancers
2042029 - kubedescheduler fails to install completely
2042036 - [IBMCLOUD] "openshift-install explain installconfig.platform.ibmcloud" contains not yet supported custom vpc parameters
2042049 - Seeing warning related to unrecognized feature gate in kubescheduler & KCM logs
2042059 - update discovery burst to reflect lots of CRDs on openshift clusters
2042069 - Revert toolbox to rhcos-toolbox
2042169 - Can not delete egressnetworkpolicy in Foreground propagation
2042181 - MetalLB: User should not be allowed add same bgp advertisement twice in BGP address pool
2042265 - [IBM]"--scale-down-utilization-threshold" doesn't work on IBMCloud
2042274 - Storage API should be used when creating a PVC
2042315 - Baremetal IPI deployment with IPv6 control plane and disabled provisioning network fails as the nodes do not pass introspection
2042366 - Lifecycle hooks should be independently managed
2042370 - [IPI on Alibabacloud] installer panics when the zone does not have an enhanced NAT gateway
2042382 - [e2e][automation] CI takes more then 2 hours to run
2042395 - Add prerequisites for active health checks test
2042438 - Missing rpms in openstack-installer image
2042466 - Selection does not happen when switching from Topology Graph to List View
2042493 - No way to verify if IPs with leading zeros are still valid in the apiserver
2042567 - insufficient info on CodeReady Containers configuration
2042600 - Alone, the io.kubernetes.cri-o.Devices option poses a security risk
2042619 - Overview page of the console is broken for hypershift clusters
2042655 - [IPI on Alibabacloud] cluster becomes unusable if there is only one kube-apiserver pod running
2042711 - [IBMCloud] Machine Deletion Hook cannot work on IBMCloud
2042715 - [AliCloud] Machine Deletion Hook cannot work on AliCloud
2042770 - [IPI on Alibabacloud] with vpcID & vswitchIDs specified, the installer would still try creating NAT gateway unexpectedly
2042829 - Topology performance: HPA was fetched for each Deployment (Pod Ring)
2042851 - Create template from SAP HANA template flow - VM is created instead of a new template
2042906 - Edit machineset with same machine deletion hook name succeed
2042960 - azure-file CI fails with "gid(0) in storageClass and pod fsgroup(1000) are not equal"
2043003 - [IPI on Alibabacloud] 'destroy cluster' of a failed installation (bug2041694) stuck after 'stage=Nat gateways'
2043042 - [Serial] [sig-auth][Feature:OAuthServer] [RequestHeaders] [IdP] test RequestHeaders IdP [Suite:openshift/conformance/serial]
2043043 - Cluster Autoscaler should use K8s 1.23 dependencies
2043064 - Topology performance: Unnecessary rerenderings in topology nodes (unchanged mobx props)
2043078 - Favorite system projects not visible in the project selector after toggling "Show default projects".
2043117 - Recommended operators links are erroneously treated as external
2043130 - Update CSI sidecars to the latest release for 4.10
2043234 - Missing validation when creating several BGPPeers with the same peerAddress
2043240 - Sync openshift/descheduler with sigs.k8s.io/descheduler
2043254 - crio does not bind the security profiles directory
2043296 - Ignition fails when reusing existing statically-keyed LUKS volume
2043297 - [4.10] Bootimage bump tracker
2043316 - RHCOS VM fails to boot on Nutanix AOS
2043446 - Rebase aws-efs-utils to the latest upstream version.
2043556 - Add proper ci-operator configuration to ironic and ironic-agent images
2043577 - DPU network operator
2043651 - Fix bug with exp. backoff working correcly when setting nextCheck in vsphere operator
2043675 - Too many machines deleted by cluster autoscaler when scaling down
2043683 - Revert bug 2039344 Ignoring IPv6 addresses against etcd cert validation
2043709 - Logging flags no longer being bound to command line
2043721 - Installer bootstrap hosts using outdated kubelet containing bugs
2043731 - [IBMCloud] terraform outputs missing for ibmcloud bootstrap and worker ips for must-gather
2043759 - Bump cluster-ingress-operator to k8s.io/api 1.23
2043780 - Bump router to k8s.io/api 1.23
2043787 - Bump cluster-dns-operator to k8s.io/api 1.23
2043801 - Bump CoreDNS to k8s.io/api 1.23
2043802 - EgressIP stopped working after single egressIP for a netnamespace is switched to the other node of HA pair after the first egress node is shutdown
2043961 - [OVN-K] If pod creation fails, retry doesn't work as expected.
2044201 - Templates golden image parameters names should be supported
2044244 - Builds are failing after upgrading the cluster with builder image [jboss-webserver-5/jws56-openjdk8-openshift-rhel8]
2044248 - [IBMCloud][vpc.block.csi.ibm.io]Cluster common user use the storageclass without parameter “csi.storage.k8s.io/fstype” create pvc,pod successfully but write data to the pod's volume failed of "Permission denied"
2044303 - [ovn][cloud-network-config-controller] cloudprivateipconfigs ips were left after deleting egressip objects
2044347 - Bump to kubernetes 1.23.3
2044481 - collect sharedresource cluster scoped instances with must-gather
2044496 - Unable to create hardware events subscription - failed to add finalizers
2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
2044680 - Additional libovsdb performance and resource consumption fixes
2044704 - Observe > Alerting pages should not show runbook links in 4.10
2044717 - [e2e] improve tests for upstream test environment
2044724 - Remove namespace column on VM list page when a project is selected
2044745 - Upgrading cluster from 4.9 to 4.10 on Azure (ARO) causes the cloud-network-config-controller pod to CrashLoopBackOff
2044808 - machine-config-daemon-pull.service: use `cp` instead of `cat` when extracting MCD in OKD
2045024 - CustomNoUpgrade alerts should be ignored
2045112 - vsphere-problem-detector has missing rbac rules for leases
2045199 - SnapShot with Disk Hot-plug hangs
2045561 - Cluster Autoscaler should use the same default Group value as Cluster API
2045591 - Reconciliation of aws pod identity mutating webhook did not happen
2045849 - Add Sprint 212 translations
2045866 - MCO Operator pod spam "Error creating event" warning messages in 4.10
2045878 - Sync upstream 1.16.0 downstream; includes hybrid helm plugin
2045916 - [IBMCloud] Default machine profile in installer is unreliable
2045927 - [FJ OCP4.10 Bug]: Podman failed to pull the IPA image due to the loss of proxy environment
2046025 - [IPI on Alibabacloud] pre-configured alicloud DNS private zone is deleted after destroying cluster, please clarify
2046137 - oc output for unknown commands is not human readable
2046296 - When creating multiple consecutive egressIPs on GCP not all of them get assigned to the instance
2046297 - Bump DB reconnect timeout
2046517 - In Notification drawer, the "Recommendations" header shows when there isn't any recommendations
2046597 - Observe > Targets page may show the wrong service monitor is multiple monitors have the same namespace & label selectors
2046626 - Allow setting custom metrics for Ansible-based Operators
2046683 - [AliCloud]"--scale-down-utilization-threshold" doesn't work on AliCloud
2047025 - Installation fails because of Alibaba CSI driver operator is degraded
2047190 - Bump Alibaba CSI driver for 4.10
2047238 - When using communities and localpreferences together, only localpreference gets applied
2047255 - alibaba: resourceGroupID not found
2047258 - [aws-usgov] fatal error occurred if AMI is not provided for AWS GovCloud regions
2047317 - Update HELM OWNERS files under Dev Console
2047455 - [IBM Cloud] Update custom image os type
2047496 - Add image digest feature
2047779 - do not degrade cluster if storagepolicy creation fails
2047927 - 'oc get project' caused 'Observed a panic: cannot deep copy core.NamespacePhase' when AllRequestBodies is used
2047929 - use lease for leader election
2047975 - [sig-network][Feature:Router] The HAProxy router should override the route host for overridden domains with a custom value [Skipped:Disconnected] [Suite:openshift/conformance/parallel]
2048046 - New route annotation to show another URL or hide topology URL decorator doesn't work for Knative Services
2048048 - Application tab in User Preferences dropdown menus are too wide.
2048050 - Topology list view items are not highlighted on keyboard navigation
2048117 - [IBM]Shouldn't change status.storage.bucket and status.storage.resourceKeyCRN when update sepc.stroage,ibmcos with invalid value
2048413 - Bond CNI: Failed to attach Bond NAD to pod
2048443 - Image registry operator panics when finalizes config deletion
2048478 - [alicloud] CCM deploys alibaba-cloud-controller-manager from quay.io/openshift/origin-*
2048484 - SNO: cluster-policy-controller failed to start due to missing serving-cert/tls.crt
2048598 - Web terminal view is broken
2048836 - ovs-configure mis-detecting the ipv6 status on IPv4 only cluster causing Deployment failure
2048891 - Topology page is crashed
2049003 - 4.10: [IBMCloud] ibm-vpc-block-csi-node does not specify an update strategy, only resource requests, or priority class
2049043 - Cannot create VM from template
2049156 - 'oc get project' caused 'Observed a panic: cannot deep copy core.NamespacePhase' when AllRequestBodies is used
2049886 - Placeholder bug for OCP 4.10.0 metadata release
2049890 - Warning annotation for pods with cpu requests or limits on single-node OpenShift cluster without workload partitioning
2050189 - [aws-efs-csi-driver] Merge upstream changes since v1.3.2
2050190 - [aws-ebs-csi-driver] Merge upstream changes since v1.2.0
2050227 - Installation on PSI fails with: 'openstack platform does not have the required standard-attr-tag network extension'
2050247 - Failing test in periodics: [sig-network] Services should respect internalTrafficPolicy=Local Pod and Node, to Pod (hostNetwork: true) [Feature:ServiceInternalTrafficPolicy] [Skipped:Network/OVNKubernetes] [Suite:openshift/conformance/parallel] [Suite:k8s]
2050250 - Install fails to bootstrap, complaining about DefragControllerDegraded and sad members
2050310 - ContainerCreateError when trying to launch large (>500) numbers of pods across nodes
2050370 - alert data for burn budget needs to be updated to prevent regression
2050393 - ZTP missing support for local image registry and custom machine config
2050557 - Can not push images to image-registry when enabling KMS encryption in AlibabaCloud
2050737 - Remove metrics and events for master port offsets
2050801 - Vsphere upi tries to access vsphere during manifests generation phase
2050883 - Logger object in LSO does not log source location accurately
2051692 - co/image-registry is degrade because ImagePrunerDegraded: Job has reached the specified backoff limit
2052062 - Whereabouts should implement client-go 1.22+
2052125 - [4.10] Crio appears to be coredumping in some scenarios
2052210 - [aws-c2s] kube-apiserver crashloops due to missing cloud config
2052339 - Failing webhooks will block an upgrade to 4.10 mid-way through the upgrade.
2052458 - [IBM Cloud] ibm-vpc-block-csi-controller does not specify an update strategy, priority class, or only resource requests
2052598 - kube-scheduler should use configmap lease
2052599 - kube-controller-manger should use configmap lease
2052600 - Failed to scaleup RHEL machine against OVN cluster due to jq tool is required by configure-ovs.sh
2052609 - [vSphere CSI driver Operator] RWX volumes counts metrics `vsphere_rwx_volumes_total` not valid
2052611 - MetalLB: BGPPeer object does not have ability to set ebgpMultiHop
2052612 - MetalLB: Webhook Validation: Two BGPPeers instances can have different router ID set.
2052644 - Infinite OAuth redirect loop post-upgrade to 4.10.0-rc.1
2052666 - [4.10.z] change gitmodules to rhcos-4.10 branch
2052756 - [4.10] PVs are not being cleaned up after PVC deletion
2053175 - oc adm catalog mirror throws 'missing signature key' error when using file://local/index
2053218 - ImagePull fails with error "unable to pull manifest from example.com/busy.box:v5 invalid reference format"
2053252 - Sidepanel for Connectors/workloads in topology shows invalid tabs
2053268 - inability to detect static lifecycle failure
2053314 - requestheader IDP test doesn't wait for cleanup, causing high failure rates
2053323 - OpenShift-Ansible BYOH Unit Tests are Broken
2053339 - Remove dev preview badge from IBM FlashSystem deployment windows
2053751 - ztp-site-generate container is missing convenience entrypoint
2053945 - [4.10] Failed to apply sriov policy on intel nics
2054109 - Missing "app" label
2054154 - RoleBinding in project without subject is causing "Project access" page to fail
2054244 - Latest pipeline run should be listed on the top of the pipeline run list
2054288 - console-master-e2e-gcp-console is broken
2054562 - DPU network operator 4.10 branch need to sync with master
2054897 - Unable to deploy hw-event-proxy operator
2055193 - e2e-metal-ipi-serial-ovn-ipv6 is failing frequently
2055358 - Summary Interval Hardcoded in PTP Operator if Set in the Global Body Instead of Command Line
2055371 - Remove Check which enforces summary_interval must match logSyncInterval
2055689 - [ibm]Operator storage PROGRESSING and DEGRADED is true during fresh install for ocp4.11
2055894 - CCO mint mode will not work for Azure after sunsetting of Active Directory Graph API
2056441 - AWS EFS CSI driver should use the trusted CA bundle when cluster proxy is configured
2056479 - ovirt-csi-driver-node pods are crashing intermittently
2056572 - reconcilePrecaching error: cannot list resource "clusterserviceversions" in API group "operators.coreos.com" at the cluster scope"
2056629 - [4.10] EFS CSI driver can't unmount volumes with "wait: no child processes"
2056878 - (dummy bug) ovn-kubernetes ExternalTrafficPolicy still SNATs
2056928 - Ingresscontroller LB scope change behaviour differs for different values of aws-load-balancer-internal annotation
2056948 - post 1.23 rebase: regression in service-load balancer reliability
2057438 - Service Level Agreement (SLA) always show 'Unknown'
2057721 - Fix Proxy support in RHACM 2.4.2
2057724 - Image creation fails when NMstateConfig CR is empty
2058641 - [4.10] Pod density test causing problems when using kube-burner
2059761 - 4.9.23-s390x-machine-os-content manifest invalid when mirroring content for disconnected install
2060610 - Broken access to public images: Unable to connect to the server: no basic auth credentials
2060956 - service domain can't be resolved when networkpolicy is used in OCP 4.10-rc
5. References:
https://access.redhat.com/security/cve/CVE-2014-3577
https://access.redhat.com/security/cve/CVE-2016-10228
https://access.redhat.com/security/cve/CVE-2017-14502
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2018-1000858
https://access.redhat.com/security/cve/CVE-2019-8625
https://access.redhat.com/security/cve/CVE-2019-8710
https://access.redhat.com/security/cve/CVE-2019-8720
https://access.redhat.com/security/cve/CVE-2019-8743
https://access.redhat.com/security/cve/CVE-2019-8764
https://access.redhat.com/security/cve/CVE-2019-8766
https://access.redhat.com/security/cve/CVE-2019-8769
https://access.redhat.com/security/cve/CVE-2019-8771
https://access.redhat.com/security/cve/CVE-2019-8782
https://access.redhat.com/security/cve/CVE-2019-8783
https://access.redhat.com/security/cve/CVE-2019-8808
https://access.redhat.com/security/cve/CVE-2019-8811
https://access.redhat.com/security/cve/CVE-2019-8812
https://access.redhat.com/security/cve/CVE-2019-8813
https://access.redhat.com/security/cve/CVE-2019-8814
https://access.redhat.com/security/cve/CVE-2019-8815
https://access.redhat.com/security/cve/CVE-2019-8816
https://access.redhat.com/security/cve/CVE-2019-8819
https://access.redhat.com/security/cve/CVE-2019-8820
https://access.redhat.com/security/cve/CVE-2019-8823
https://access.redhat.com/security/cve/CVE-2019-8835
https://access.redhat.com/security/cve/CVE-2019-8844
https://access.redhat.com/security/cve/CVE-2019-8846
https://access.redhat.com/security/cve/CVE-2019-9169
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2019-20807
https://access.redhat.com/security/cve/CVE-2019-25013
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-3862
https://access.redhat.com/security/cve/CVE-2020-3864
https://access.redhat.com/security/cve/CVE-2020-3865
https://access.redhat.com/security/cve/CVE-2020-3867
https://access.redhat.com/security/cve/CVE-2020-3868
https://access.redhat.com/security/cve/CVE-2020-3885
https://access.redhat.com/security/cve/CVE-2020-3894
https://access.redhat.com/security/cve/CVE-2020-3895
https://access.redhat.com/security/cve/CVE-2020-3897
https://access.redhat.com/security/cve/CVE-2020-3899
https://access.redhat.com/security/cve/CVE-2020-3900
https://access.redhat.com/security/cve/CVE-2020-3901
https://access.redhat.com/security/cve/CVE-2020-3902
https://access.redhat.com/security/cve/CVE-2020-8927
https://access.redhat.com/security/cve/CVE-2020-9802
https://access.redhat.com/security/cve/CVE-2020-9803
https://access.redhat.com/security/cve/CVE-2020-9805
https://access.redhat.com/security/cve/CVE-2020-9806
https://access.redhat.com/security/cve/CVE-2020-9807
https://access.redhat.com/security/cve/CVE-2020-9843
https://access.redhat.com/security/cve/CVE-2020-9850
https://access.redhat.com/security/cve/CVE-2020-9862
https://access.redhat.com/security/cve/CVE-2020-9893
https://access.redhat.com/security/cve/CVE-2020-9894
https://access.redhat.com/security/cve/CVE-2020-9895
https://access.redhat.com/security/cve/CVE-2020-9915
https://access.redhat.com/security/cve/CVE-2020-9925
https://access.redhat.com/security/cve/CVE-2020-9952
https://access.redhat.com/security/cve/CVE-2020-10018
https://access.redhat.com/security/cve/CVE-2020-11793
https://access.redhat.com/security/cve/CVE-2020-13434
https://access.redhat.com/security/cve/CVE-2020-14391
https://access.redhat.com/security/cve/CVE-2020-15358
https://access.redhat.com/security/cve/CVE-2020-15503
https://access.redhat.com/security/cve/CVE-2020-25660
https://access.redhat.com/security/cve/CVE-2020-25677
https://access.redhat.com/security/cve/CVE-2020-27618
https://access.redhat.com/security/cve/CVE-2020-27781
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3326
https://access.redhat.com/security/cve/CVE-2021-3449
https://access.redhat.com/security/cve/CVE-2021-3450
https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/cve/CVE-2021-3733
https://access.redhat.com/security/cve/CVE-2021-3749
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/cve/CVE-2021-21684
https://access.redhat.com/security/cve/CVE-2021-22946
https://access.redhat.com/security/cve/CVE-2021-22947
https://access.redhat.com/security/cve/CVE-2021-25215
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-30666
https://access.redhat.com/security/cve/CVE-2021-30761
https://access.redhat.com/security/cve/CVE-2021-30762
https://access.redhat.com/security/cve/CVE-2021-33928
https://access.redhat.com/security/cve/CVE-2021-33929
https://access.redhat.com/security/cve/CVE-2021-33930
https://access.redhat.com/security/cve/CVE-2021-33938
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/cve/CVE-2021-39226
https://access.redhat.com/security/cve/CVE-2021-41190
https://access.redhat.com/security/cve/CVE-2021-43813
https://access.redhat.com/security/cve/CVE-2021-44716
https://access.redhat.com/security/cve/CVE-2021-44717
https://access.redhat.com/security/cve/CVE-2022-0532
https://access.redhat.com/security/cve/CVE-2022-21673
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYipqONzjgjWX9erEAQjQcBAAgWTjA6Q2NgqfVf63ZpJF1jPurZLPqxDL
0in/5+/wqWaiQ6yk7wM3YBZgviyKnAMCVdrLsaR7R77BvfJcTE3W/fzogxpp6Rne
eGT1PTgQRecrSIn+WG4gGSteavTULWOIoPvUiNpiy3Y7fFgjFdah+Nyx3Xd+xehM
CEswylOd6Hr03KZ1tS3XL3kGL2botha48Yls7FzDFbNcy6TBAuycmQZifKu8mHaF
aDAupVJinDnnVgACeS6CnZTAD+Vrx5W7NIisteXv4x5Hy+jBIUHr8Yge3oxYoFnC
Y/XmuOw2KilLZuqFe+KHig45qT+FmNU8E1egcGpNWvmS8hGZfiG1jEQAqDPbZHxp
sQAQZLQyz3TvXa29vp4QcsUuMxndIOi+QaK75JmqE06MqMIlFDYpr6eQOIgIZvFO
RDZU/qvBjh56ypInoqInBf8KOQMy6eO+r6nFbMGcAfucXmz0EVcSP1oFHAoA1nWN
rs1Qz/SO4CvdPERxcr1MLuBLggZ6iqGmHKk5IN0SwcndBHaVJ3j/LBv9m7wBYVry
bSvojBDYx5ricbTwB5sGzu7oH5yVl813FA9cjkFpEhBiMtTfI+DKC8ssoRYNHd5Z
7gLW6KWPUIDuCIiiioPZAJMyvJ0IMrNDoQ0lhqPeV7PFdlRhT95M/DagUZOpPVuT
b5PUYUBIZLc=
=GUDA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
. ------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2019-0006
------------------------------------------------------------------------
Date reported : November 08, 2019
Advisory ID : WSA-2019-0006
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2019-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0006.html
CVE identifiers : CVE-2019-8710, CVE-2019-8743, CVE-2019-8764,
CVE-2019-8765, CVE-2019-8766, CVE-2019-8782,
CVE-2019-8783, CVE-2019-8808, CVE-2019-8811,
CVE-2019-8812, CVE-2019-8813, CVE-2019-8814,
CVE-2019-8815, CVE-2019-8816, CVE-2019-8819,
CVE-2019-8820, CVE-2019-8821, CVE-2019-8822,
CVE-2019-8823.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
CVE-2019-8710
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to found by OSS-Fuzz.
CVE-2019-8743
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to zhunki from Codesafe Team of Legendsec at Qi'anxin Group.
CVE-2019-8764
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to Sergei Glazunov of Google Project Zero.
CVE-2019-8765
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to Samuel Groß of Google Project Zero.
CVE-2019-8766
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to found by OSS-Fuzz.
CVE-2019-8782
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to Cheolung Lee of LINE+ Security Team.
CVE-2019-8783
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to Cheolung Lee of LINE+ Graylab Security Team.
CVE-2019-8808
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to found by OSS-Fuzz.
CVE-2019-8811
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to Soyeon Park of SSLab at Georgia Tech.
CVE-2019-8812
Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before
2.26.2.
Credit to an anonymous researcher.
CVE-2019-8813
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to an anonymous researcher.
CVE-2019-8814
Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before
2.26.2.
Credit to Cheolung Lee of LINE+ Security Team.
CVE-2019-8815
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to Apple.
CVE-2019-8816
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to Soyeon Park of SSLab at Georgia Tech.
CVE-2019-8819
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to Cheolung Lee of LINE+ Security Team.
CVE-2019-8820
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to Samuel Groß of Google Project Zero.
CVE-2019-8821
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to Sergei Glazunov of Google Project Zero.
CVE-2019-8822
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to Sergei Glazunov of Google Project Zero.
CVE-2019-8823
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to Sergei Glazunov of Google Project Zero.
We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.
Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.
The WebKitGTK and WPE WebKit team,
November 08, 2019
. Bugs fixed (https://bugzilla.redhat.com/):
1823765 - nfd-workers crash under an ipv6 environment
1838802 - mysql8 connector from operatorhub does not work with metering operator
1838845 - Metering operator can't connect to postgres DB from Operator Hub
1841883 - namespace-persistentvolumeclaim-usage query returns unexpected values
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1868294 - NFD operator does not allow customisation of nfd-worker.conf
1882310 - CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration
1890672 - NFD is missing a build flag to build correctly
1890741 - path to the CA trust bundle ConfigMap is broken in report operator
1897346 - NFD worker pods not scheduler on a 3 node master/worker cluster
1898373 - Metering operator failing upgrade from 4.4 to 4.6 channel
1900125 - FIPS error while generating RSA private key for CA
1906129 - OCP 4.7: Node Feature Discovery (NFD) Operator in CrashLoopBackOff when deployed from OperatorHub
1908492 - OCP 4.7: Node Feature Discovery (NFD) Operator Custom Resource Definition file in olm-catalog is not in sync with the one in manifests dir leading to failed deployment from OperatorHub
1913837 - The CI and ART 4.7 metering images are not mirrored
1914869 - OCP 4.7 NFD - Operand configuration options for NodeFeatureDiscovery are empty, no supported image for ppc64le
1916010 - olm skip range is set to the wrong range
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1923998 - NFD Operator is failing to update and remains in Replacing state
5. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
GNOME is the default desktop environment of Red Hat Enterprise Linux.
The following packages have been upgraded to a later upstream version:
gnome-remote-desktop (0.1.8), pipewire (0.3.6), vte291 (0.52.4),
webkit2gtk3 (2.28.4), xdg-desktop-portal (1.6.0), xdg-desktop-portal-gtk
(1.6.0).
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.3 Release Notes linked from the References section. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
GDM must be restarted for this update to take effect. Bugs fixed (https://bugzilla.redhat.com/):
1207179 - Select items matching non existing pattern does not unselect already selected
1566027 - can't correctly compute contents size if hidden files are included
1569868 - Browsing samba shares using gvfs is very slow
1652178 - [RFE] perf-tool run on wayland
1656262 - The terminal's character display is unclear on rhel8 guest after installing gnome
1668895 - [RHEL8] Timedlogin Fails when Userlist is Disabled
1692536 - login screen shows after gnome-initial-setup
1706008 - Sound Effect sometimes fails to change to selected option.
1706076 - Automatic suspend for 90 minutes is set for 80 minutes instead.
1715845 - JS ERROR: TypeError: this._workspacesViews[i] is undefined
1719937 - GNOME Extension: Auto-Move-Windows Not Working Properly
1758891 - tracker-devel subpackage missing from el8 repos
1775345 - Rebase xdg-desktop-portal to 1.6
1778579 - Nautilus does not respect umask settings.
1779691 - Rebase xdg-desktop-portal-gtk to 1.6
1794045 - There are two different high contrast versions of desktop icons
1804719 - Update vte291 to 0.52.4
1805929 - RHEL 8.1 gnome-shell-extension errors
1811721 - CVE-2020-10018 webkitgtk: Use-after-free issue in accessibility/AXObjectCache.cpp
1814820 - No checkbox to install updates in the shutdown dialog
1816070 - "search for an application to open this file" dialog broken
1816678 - CVE-2019-8846 webkitgtk: Use after free issue may lead to remote code execution
1816684 - CVE-2019-8835 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
1816686 - CVE-2019-8844 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
1817143 - Rebase WebKitGTK to 2.28
1820759 - Include IO stall fixes
1820760 - Include IO fixes
1824362 - [BZ] Setting in gnome-tweak-tool Window List will reset upon opening
1827030 - gnome-settings-daemon: subscription notification on CentOS Stream
1829369 - CVE-2020-11793 webkitgtk: use-after-free via crafted web content
1832347 - [Rebase] Rebase pipewire to 0.3.x
1833158 - gdm-related dconf folders and keyfiles are not found in fresh 8.2 install
1837381 - Backport screen cast improvements to 8.3
1837406 - Rebase gnome-remote-desktop to PipeWire 0.3 version
1837413 - Backport changes needed by xdg-desktop-portal-gtk-1.6
1837648 - Vendor.conf should point to https://access.redhat.com/site/solutions/537113
1840080 - Can not control top bar menus via keys in Wayland
1840788 - [flatpak][rhel8] unable to build potrace as dependency
1843486 - Software crash after clicking Updates tab
1844578 - anaconda very rarely crashes at startup with a pygobject traceback
1846191 - usb adapters hotplug crashes gnome-shell
1847051 - JS ERROR: TypeError: area is null
1847061 - File search doesn't work under certain locales
1847062 - gnome-remote-desktop crash on QXL graphics
1847203 - gnome-shell: get_top_visible_window_actor(): gnome-shell killed by SIGSEGV
1853477 - CVE-2020-15503 LibRaw: lack of thumbnail size range check can lead to buffer overflow
1854734 - PipeWire 0.2 should be required by xdg-desktop-portal
1866332 - Remove obsolete libusb-devel dependency
1868260 - [Hyper-V][RHEL8] VM starts GUI failed on Hyper-V 2019/2016, hangs at "Started GNOME Display Manager" - GDM regression issue. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
LibRaw-0.19.5-2.el8.src.rpm
PackageKit-1.1.12-6.el8.src.rpm
dleyna-renderer-0.6.0-3.el8.src.rpm
frei0r-plugins-1.6.1-7.el8.src.rpm
gdm-3.28.3-34.el8.src.rpm
gnome-control-center-3.28.2-22.el8.src.rpm
gnome-photos-3.28.1-3.el8.src.rpm
gnome-remote-desktop-0.1.8-3.el8.src.rpm
gnome-session-3.28.1-10.el8.src.rpm
gnome-settings-daemon-3.32.0-11.el8.src.rpm
gnome-shell-3.32.2-20.el8.src.rpm
gnome-shell-extensions-3.32.1-11.el8.src.rpm
gnome-terminal-3.28.3-2.el8.src.rpm
gtk3-3.22.30-6.el8.src.rpm
gvfs-1.36.2-10.el8.src.rpm
mutter-3.32.2-48.el8.src.rpm
nautilus-3.28.1-14.el8.src.rpm
pipewire-0.3.6-1.el8.src.rpm
pipewire0.2-0.2.7-6.el8.src.rpm
potrace-1.15-3.el8.src.rpm
tracker-2.1.5-2.el8.src.rpm
vte291-0.52.4-2.el8.src.rpm
webkit2gtk3-2.28.4-1.el8.src.rpm
webrtc-audio-processing-0.3-9.el8.src.rpm
xdg-desktop-portal-1.6.0-2.el8.src.rpm
xdg-desktop-portal-gtk-1.6.0-1.el8.src.rpm
aarch64:
PackageKit-1.1.12-6.el8.aarch64.rpm
PackageKit-command-not-found-1.1.12-6.el8.aarch64.rpm
PackageKit-command-not-found-debuginfo-1.1.12-6.el8.aarch64.rpm
PackageKit-cron-1.1.12-6.el8.aarch64.rpm
PackageKit-debuginfo-1.1.12-6.el8.aarch64.rpm
PackageKit-debugsource-1.1.12-6.el8.aarch64.rpm
PackageKit-glib-1.1.12-6.el8.aarch64.rpm
PackageKit-glib-debuginfo-1.1.12-6.el8.aarch64.rpm
PackageKit-gstreamer-plugin-1.1.12-6.el8.aarch64.rpm
PackageKit-gstreamer-plugin-debuginfo-1.1.12-6.el8.aarch64.rpm
PackageKit-gtk3-module-1.1.12-6.el8.aarch64.rpm
PackageKit-gtk3-module-debuginfo-1.1.12-6.el8.aarch64.rpm
frei0r-plugins-1.6.1-7.el8.aarch64.rpm
frei0r-plugins-debuginfo-1.6.1-7.el8.aarch64.rpm
frei0r-plugins-debugsource-1.6.1-7.el8.aarch64.rpm
frei0r-plugins-opencv-1.6.1-7.el8.aarch64.rpm
frei0r-plugins-opencv-debuginfo-1.6.1-7.el8.aarch64.rpm
gdm-3.28.3-34.el8.aarch64.rpm
gdm-debuginfo-3.28.3-34.el8.aarch64.rpm
gdm-debugsource-3.28.3-34.el8.aarch64.rpm
gnome-control-center-3.28.2-22.el8.aarch64.rpm
gnome-control-center-debuginfo-3.28.2-22.el8.aarch64.rpm
gnome-control-center-debugsource-3.28.2-22.el8.aarch64.rpm
gnome-remote-desktop-0.1.8-3.el8.aarch64.rpm
gnome-remote-desktop-debuginfo-0.1.8-3.el8.aarch64.rpm
gnome-remote-desktop-debugsource-0.1.8-3.el8.aarch64.rpm
gnome-session-3.28.1-10.el8.aarch64.rpm
gnome-session-debuginfo-3.28.1-10.el8.aarch64.rpm
gnome-session-debugsource-3.28.1-10.el8.aarch64.rpm
gnome-session-wayland-session-3.28.1-10.el8.aarch64.rpm
gnome-session-xsession-3.28.1-10.el8.aarch64.rpm
gnome-settings-daemon-3.32.0-11.el8.aarch64.rpm
gnome-settings-daemon-debuginfo-3.32.0-11.el8.aarch64.rpm
gnome-settings-daemon-debugsource-3.32.0-11.el8.aarch64.rpm
gnome-shell-3.32.2-20.el8.aarch64.rpm
gnome-shell-debuginfo-3.32.2-20.el8.aarch64.rpm
gnome-shell-debugsource-3.32.2-20.el8.aarch64.rpm
gnome-terminal-3.28.3-2.el8.aarch64.rpm
gnome-terminal-debuginfo-3.28.3-2.el8.aarch64.rpm
gnome-terminal-debugsource-3.28.3-2.el8.aarch64.rpm
gnome-terminal-nautilus-3.28.3-2.el8.aarch64.rpm
gnome-terminal-nautilus-debuginfo-3.28.3-2.el8.aarch64.rpm
gsettings-desktop-schemas-devel-3.32.0-5.el8.aarch64.rpm
gtk-update-icon-cache-3.22.30-6.el8.aarch64.rpm
gtk-update-icon-cache-debuginfo-3.22.30-6.el8.aarch64.rpm
gtk3-3.22.30-6.el8.aarch64.rpm
gtk3-debuginfo-3.22.30-6.el8.aarch64.rpm
gtk3-debugsource-3.22.30-6.el8.aarch64.rpm
gtk3-devel-3.22.30-6.el8.aarch64.rpm
gtk3-devel-debuginfo-3.22.30-6.el8.aarch64.rpm
gtk3-immodule-xim-3.22.30-6.el8.aarch64.rpm
gtk3-immodule-xim-debuginfo-3.22.30-6.el8.aarch64.rpm
gtk3-immodules-debuginfo-3.22.30-6.el8.aarch64.rpm
gtk3-tests-debuginfo-3.22.30-6.el8.aarch64.rpm
gvfs-1.36.2-10.el8.aarch64.rpm
gvfs-afc-1.36.2-10.el8.aarch64.rpm
gvfs-afc-debuginfo-1.36.2-10.el8.aarch64.rpm
gvfs-afp-1.36.2-10.el8.aarch64.rpm
gvfs-afp-debuginfo-1.36.2-10.el8.aarch64.rpm
gvfs-archive-1.36.2-10.el8.aarch64.rpm
gvfs-archive-debuginfo-1.36.2-10.el8.aarch64.rpm
gvfs-client-1.36.2-10.el8.aarch64.rpm
gvfs-client-debuginfo-1.36.2-10.el8.aarch64.rpm
gvfs-debuginfo-1.36.2-10.el8.aarch64.rpm
gvfs-debugsource-1.36.2-10.el8.aarch64.rpm
gvfs-devel-1.36.2-10.el8.aarch64.rpm
gvfs-fuse-1.36.2-10.el8.aarch64.rpm
gvfs-fuse-debuginfo-1.36.2-10.el8.aarch64.rpm
gvfs-goa-1.36.2-10.el8.aarch64.rpm
gvfs-goa-debuginfo-1.36.2-10.el8.aarch64.rpm
gvfs-gphoto2-1.36.2-10.el8.aarch64.rpm
gvfs-gphoto2-debuginfo-1.36.2-10.el8.aarch64.rpm
gvfs-mtp-1.36.2-10.el8.aarch64.rpm
gvfs-mtp-debuginfo-1.36.2-10.el8.aarch64.rpm
gvfs-smb-1.36.2-10.el8.aarch64.rpm
gvfs-smb-debuginfo-1.36.2-10.el8.aarch64.rpm
libsoup-debuginfo-2.62.3-2.el8.aarch64.rpm
libsoup-debugsource-2.62.3-2.el8.aarch64.rpm
libsoup-devel-2.62.3-2.el8.aarch64.rpm
mutter-3.32.2-48.el8.aarch64.rpm
mutter-debuginfo-3.32.2-48.el8.aarch64.rpm
mutter-debugsource-3.32.2-48.el8.aarch64.rpm
mutter-tests-debuginfo-3.32.2-48.el8.aarch64.rpm
nautilus-3.28.1-14.el8.aarch64.rpm
nautilus-debuginfo-3.28.1-14.el8.aarch64.rpm
nautilus-debugsource-3.28.1-14.el8.aarch64.rpm
nautilus-extensions-3.28.1-14.el8.aarch64.rpm
nautilus-extensions-debuginfo-3.28.1-14.el8.aarch64.rpm
pipewire-0.3.6-1.el8.aarch64.rpm
pipewire-alsa-debuginfo-0.3.6-1.el8.aarch64.rpm
pipewire-debuginfo-0.3.6-1.el8.aarch64.rpm
pipewire-debugsource-0.3.6-1.el8.aarch64.rpm
pipewire-devel-0.3.6-1.el8.aarch64.rpm
pipewire-doc-0.3.6-1.el8.aarch64.rpm
pipewire-gstreamer-debuginfo-0.3.6-1.el8.aarch64.rpm
pipewire-libs-0.3.6-1.el8.aarch64.rpm
pipewire-libs-debuginfo-0.3.6-1.el8.aarch64.rpm
pipewire-utils-0.3.6-1.el8.aarch64.rpm
pipewire-utils-debuginfo-0.3.6-1.el8.aarch64.rpm
pipewire0.2-debugsource-0.2.7-6.el8.aarch64.rpm
pipewire0.2-devel-0.2.7-6.el8.aarch64.rpm
pipewire0.2-libs-0.2.7-6.el8.aarch64.rpm
pipewire0.2-libs-debuginfo-0.2.7-6.el8.aarch64.rpm
potrace-1.15-3.el8.aarch64.rpm
potrace-debuginfo-1.15-3.el8.aarch64.rpm
potrace-debugsource-1.15-3.el8.aarch64.rpm
pygobject3-debuginfo-3.28.3-2.el8.aarch64.rpm
pygobject3-debugsource-3.28.3-2.el8.aarch64.rpm
python3-gobject-3.28.3-2.el8.aarch64.rpm
python3-gobject-base-debuginfo-3.28.3-2.el8.aarch64.rpm
python3-gobject-debuginfo-3.28.3-2.el8.aarch64.rpm
tracker-2.1.5-2.el8.aarch64.rpm
tracker-debuginfo-2.1.5-2.el8.aarch64.rpm
tracker-debugsource-2.1.5-2.el8.aarch64.rpm
vte-profile-0.52.4-2.el8.aarch64.rpm
vte291-0.52.4-2.el8.aarch64.rpm
vte291-debuginfo-0.52.4-2.el8.aarch64.rpm
vte291-debugsource-0.52.4-2.el8.aarch64.rpm
vte291-devel-debuginfo-0.52.4-2.el8.aarch64.rpm
webkit2gtk3-2.28.4-1.el8.aarch64.rpm
webkit2gtk3-debuginfo-2.28.4-1.el8.aarch64.rpm
webkit2gtk3-debugsource-2.28.4-1.el8.aarch64.rpm
webkit2gtk3-devel-2.28.4-1.el8.aarch64.rpm
webkit2gtk3-devel-debuginfo-2.28.4-1.el8.aarch64.rpm
webkit2gtk3-jsc-2.28.4-1.el8.aarch64.rpm
webkit2gtk3-jsc-debuginfo-2.28.4-1.el8.aarch64.rpm
webkit2gtk3-jsc-devel-2.28.4-1.el8.aarch64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.28.4-1.el8.aarch64.rpm
webrtc-audio-processing-0.3-9.el8.aarch64.rpm
webrtc-audio-processing-debuginfo-0.3-9.el8.aarch64.rpm
webrtc-audio-processing-debugsource-0.3-9.el8.aarch64.rpm
xdg-desktop-portal-1.6.0-2.el8.aarch64.rpm
xdg-desktop-portal-debuginfo-1.6.0-2.el8.aarch64.rpm
xdg-desktop-portal-debugsource-1.6.0-2.el8.aarch64.rpm
xdg-desktop-portal-gtk-1.6.0-1.el8.aarch64.rpm
xdg-desktop-portal-gtk-debuginfo-1.6.0-1.el8.aarch64.rpm
xdg-desktop-portal-gtk-debugsource-1.6.0-1.el8.aarch64.rpm
noarch:
gnome-classic-session-3.32.1-11.el8.noarch.rpm
gnome-control-center-filesystem-3.28.2-22.el8.noarch.rpm
gnome-shell-extension-apps-menu-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-auto-move-windows-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-common-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-dash-to-dock-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-desktop-icons-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-disable-screenshield-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-drive-menu-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-horizontal-workspaces-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-launch-new-instance-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-native-window-placement-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-no-hot-corner-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-panel-favorites-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-places-menu-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-screenshot-window-sizer-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-systemMonitor-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-top-icons-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-updates-dialog-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-user-theme-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-window-grouper-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-window-list-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-windowsNavigator-3.32.1-11.el8.noarch.rpm
gnome-shell-extension-workspace-indicator-3.32.1-11.el8.noarch.rpm
ppc64le:
LibRaw-0.19.5-2.el8.ppc64le.rpm
LibRaw-debuginfo-0.19.5-2.el8.ppc64le.rpm
LibRaw-debugsource-0.19.5-2.el8.ppc64le.rpm
LibRaw-samples-debuginfo-0.19.5-2.el8.ppc64le.rpm
PackageKit-1.1.12-6.el8.ppc64le.rpm
PackageKit-command-not-found-1.1.12-6.el8.ppc64le.rpm
PackageKit-command-not-found-debuginfo-1.1.12-6.el8.ppc64le.rpm
PackageKit-cron-1.1.12-6.el8.ppc64le.rpm
PackageKit-debuginfo-1.1.12-6.el8.ppc64le.rpm
PackageKit-debugsource-1.1.12-6.el8.ppc64le.rpm
PackageKit-glib-1.1.12-6.el8.ppc64le.rpm
PackageKit-glib-debuginfo-1.1.12-6.el8.ppc64le.rpm
PackageKit-gstreamer-plugin-1.1.12-6.el8.ppc64le.rpm
PackageKit-gstreamer-plugin-debuginfo-1.1.12-6.el8.ppc64le.rpm
PackageKit-gtk3-module-1.1.12-6.el8.ppc64le.rpm
PackageKit-gtk3-module-debuginfo-1.1.12-6.el8.ppc64le.rpm
dleyna-renderer-0.6.0-3.el8.ppc64le.rpm
dleyna-renderer-debuginfo-0.6.0-3.el8.ppc64le.rpm
dleyna-renderer-debugsource-0.6.0-3.el8.ppc64le.rpm
frei0r-plugins-1.6.1-7.el8.ppc64le.rpm
frei0r-plugins-debuginfo-1.6.1-7.el8.ppc64le.rpm
frei0r-plugins-debugsource-1.6.1-7.el8.ppc64le.rpm
frei0r-plugins-opencv-1.6.1-7.el8.ppc64le.rpm
frei0r-plugins-opencv-debuginfo-1.6.1-7.el8.ppc64le.rpm
gdm-3.28.3-34.el8.ppc64le.rpm
gdm-debuginfo-3.28.3-34.el8.ppc64le.rpm
gdm-debugsource-3.28.3-34.el8.ppc64le.rpm
gnome-control-center-3.28.2-22.el8.ppc64le.rpm
gnome-control-center-debuginfo-3.28.2-22.el8.ppc64le.rpm
gnome-control-center-debugsource-3.28.2-22.el8.ppc64le.rpm
gnome-photos-3.28.1-3.el8.ppc64le.rpm
gnome-photos-debuginfo-3.28.1-3.el8.ppc64le.rpm
gnome-photos-debugsource-3.28.1-3.el8.ppc64le.rpm
gnome-photos-tests-3.28.1-3.el8.ppc64le.rpm
gnome-remote-desktop-0.1.8-3.el8.ppc64le.rpm
gnome-remote-desktop-debuginfo-0.1.8-3.el8.ppc64le.rpm
gnome-remote-desktop-debugsource-0.1.8-3.el8.ppc64le.rpm
gnome-session-3.28.1-10.el8.ppc64le.rpm
gnome-session-debuginfo-3.28.1-10.el8.ppc64le.rpm
gnome-session-debugsource-3.28.1-10.el8.ppc64le.rpm
gnome-session-wayland-session-3.28.1-10.el8.ppc64le.rpm
gnome-session-xsession-3.28.1-10.el8.ppc64le.rpm
gnome-settings-daemon-3.32.0-11.el8.ppc64le.rpm
gnome-settings-daemon-debuginfo-3.32.0-11.el8.ppc64le.rpm
gnome-settings-daemon-debugsource-3.32.0-11.el8.ppc64le.rpm
gnome-shell-3.32.2-20.el8.ppc64le.rpm
gnome-shell-debuginfo-3.32.2-20.el8.ppc64le.rpm
gnome-shell-debugsource-3.32.2-20.el8.ppc64le.rpm
gnome-terminal-3.28.3-2.el8.ppc64le.rpm
gnome-terminal-debuginfo-3.28.3-2.el8.ppc64le.rpm
gnome-terminal-debugsource-3.28.3-2.el8.ppc64le.rpm
gnome-terminal-nautilus-3.28.3-2.el8.ppc64le.rpm
gnome-terminal-nautilus-debuginfo-3.28.3-2.el8.ppc64le.rpm
gsettings-desktop-schemas-devel-3.32.0-5.el8.ppc64le.rpm
gtk-update-icon-cache-3.22.30-6.el8.ppc64le.rpm
gtk-update-icon-cache-debuginfo-3.22.30-6.el8.ppc64le.rpm
gtk3-3.22.30-6.el8.ppc64le.rpm
gtk3-debuginfo-3.22.30-6.el8.ppc64le.rpm
gtk3-debugsource-3.22.30-6.el8.ppc64le.rpm
gtk3-devel-3.22.30-6.el8.ppc64le.rpm
gtk3-devel-debuginfo-3.22.30-6.el8.ppc64le.rpm
gtk3-immodule-xim-3.22.30-6.el8.ppc64le.rpm
gtk3-immodule-xim-debuginfo-3.22.30-6.el8.ppc64le.rpm
gtk3-immodules-debuginfo-3.22.30-6.el8.ppc64le.rpm
gtk3-tests-debuginfo-3.22.30-6.el8.ppc64le.rpm
gvfs-1.36.2-10.el8.ppc64le.rpm
gvfs-afc-1.36.2-10.el8.ppc64le.rpm
gvfs-afc-debuginfo-1.36.2-10.el8.ppc64le.rpm
gvfs-afp-1.36.2-10.el8.ppc64le.rpm
gvfs-afp-debuginfo-1.36.2-10.el8.ppc64le.rpm
gvfs-archive-1.36.2-10.el8.ppc64le.rpm
gvfs-archive-debuginfo-1.36.2-10.el8.ppc64le.rpm
gvfs-client-1.36.2-10.el8.ppc64le.rpm
gvfs-client-debuginfo-1.36.2-10.el8.ppc64le.rpm
gvfs-debuginfo-1.36.2-10.el8.ppc64le.rpm
gvfs-debugsource-1.36.2-10.el8.ppc64le.rpm
gvfs-devel-1.36.2-10.el8.ppc64le.rpm
gvfs-fuse-1.36.2-10.el8.ppc64le.rpm
gvfs-fuse-debuginfo-1.36.2-10.el8.ppc64le.rpm
gvfs-goa-1.36.2-10.el8.ppc64le.rpm
gvfs-goa-debuginfo-1.36.2-10.el8.ppc64le.rpm
gvfs-gphoto2-1.36.2-10.el8.ppc64le.rpm
gvfs-gphoto2-debuginfo-1.36.2-10.el8.ppc64le.rpm
gvfs-mtp-1.36.2-10.el8.ppc64le.rpm
gvfs-mtp-debuginfo-1.36.2-10.el8.ppc64le.rpm
gvfs-smb-1.36.2-10.el8.ppc64le.rpm
gvfs-smb-debuginfo-1.36.2-10.el8.ppc64le.rpm
libsoup-debuginfo-2.62.3-2.el8.ppc64le.rpm
libsoup-debugsource-2.62.3-2.el8.ppc64le.rpm
libsoup-devel-2.62.3-2.el8.ppc64le.rpm
mutter-3.32.2-48.el8.ppc64le.rpm
mutter-debuginfo-3.32.2-48.el8.ppc64le.rpm
mutter-debugsource-3.32.2-48.el8.ppc64le.rpm
mutter-tests-debuginfo-3.32.2-48.el8.ppc64le.rpm
nautilus-3.28.1-14.el8.ppc64le.rpm
nautilus-debuginfo-3.28.1-14.el8.ppc64le.rpm
nautilus-debugsource-3.28.1-14.el8.ppc64le.rpm
nautilus-extensions-3.28.1-14.el8.ppc64le.rpm
nautilus-extensions-debuginfo-3.28.1-14.el8.ppc64le.rpm
pipewire-0.3.6-1.el8.ppc64le.rpm
pipewire-alsa-debuginfo-0.3.6-1.el8.ppc64le.rpm
pipewire-debuginfo-0.3.6-1.el8.ppc64le.rpm
pipewire-debugsource-0.3.6-1.el8.ppc64le.rpm
pipewire-devel-0.3.6-1.el8.ppc64le.rpm
pipewire-doc-0.3.6-1.el8.ppc64le.rpm
pipewire-gstreamer-debuginfo-0.3.6-1.el8.ppc64le.rpm
pipewire-libs-0.3.6-1.el8.ppc64le.rpm
pipewire-libs-debuginfo-0.3.6-1.el8.ppc64le.rpm
pipewire-utils-0.3.6-1.el8.ppc64le.rpm
pipewire-utils-debuginfo-0.3.6-1.el8.ppc64le.rpm
pipewire0.2-debugsource-0.2.7-6.el8.ppc64le.rpm
pipewire0.2-devel-0.2.7-6.el8.ppc64le.rpm
pipewire0.2-libs-0.2.7-6.el8.ppc64le.rpm
pipewire0.2-libs-debuginfo-0.2.7-6.el8.ppc64le.rpm
potrace-1.15-3.el8.ppc64le.rpm
potrace-debuginfo-1.15-3.el8.ppc64le.rpm
potrace-debugsource-1.15-3.el8.ppc64le.rpm
pygobject3-debuginfo-3.28.3-2.el8.ppc64le.rpm
pygobject3-debugsource-3.28.3-2.el8.ppc64le.rpm
python3-gobject-3.28.3-2.el8.ppc64le.rpm
python3-gobject-base-debuginfo-3.28.3-2.el8.ppc64le.rpm
python3-gobject-debuginfo-3.28.3-2.el8.ppc64le.rpm
tracker-2.1.5-2.el8.ppc64le.rpm
tracker-debuginfo-2.1.5-2.el8.ppc64le.rpm
tracker-debugsource-2.1.5-2.el8.ppc64le.rpm
vte-profile-0.52.4-2.el8.ppc64le.rpm
vte291-0.52.4-2.el8.ppc64le.rpm
vte291-debuginfo-0.52.4-2.el8.ppc64le.rpm
vte291-debugsource-0.52.4-2.el8.ppc64le.rpm
vte291-devel-debuginfo-0.52.4-2.el8.ppc64le.rpm
webkit2gtk3-2.28.4-1.el8.ppc64le.rpm
webkit2gtk3-debuginfo-2.28.4-1.el8.ppc64le.rpm
webkit2gtk3-debugsource-2.28.4-1.el8.ppc64le.rpm
webkit2gtk3-devel-2.28.4-1.el8.ppc64le.rpm
webkit2gtk3-devel-debuginfo-2.28.4-1.el8.ppc64le.rpm
webkit2gtk3-jsc-2.28.4-1.el8.ppc64le.rpm
webkit2gtk3-jsc-debuginfo-2.28.4-1.el8.ppc64le.rpm
webkit2gtk3-jsc-devel-2.28.4-1.el8.ppc64le.rpm
webkit2gtk3-jsc-devel-debuginfo-2.28.4-1.el8.ppc64le.rpm
webrtc-audio-processing-0.3-9.el8.ppc64le.rpm
webrtc-audio-processing-debuginfo-0.3-9.el8.ppc64le.rpm
webrtc-audio-processing-debugsource-0.3-9.el8.ppc64le.rpm
xdg-desktop-portal-1.6.0-2.el8.ppc64le.rpm
xdg-desktop-portal-debuginfo-1.6.0-2.el8.ppc64le.rpm
xdg-desktop-portal-debugsource-1.6.0-2.el8.ppc64le.rpm
xdg-desktop-portal-gtk-1.6.0-1.el8.ppc64le.rpm
xdg-desktop-portal-gtk-debuginfo-1.6.0-1.el8.ppc64le.rpm
xdg-desktop-portal-gtk-debugsource-1.6.0-1.el8.ppc64le.rpm
s390x:
PackageKit-1.1.12-6.el8.s390x.rpm
PackageKit-command-not-found-1.1.12-6.el8.s390x.rpm
PackageKit-command-not-found-debuginfo-1.1.12-6.el8.s390x.rpm
PackageKit-cron-1.1.12-6.el8.s390x.rpm
PackageKit-debuginfo-1.1.12-6.el8.s390x.rpm
PackageKit-debugsource-1.1.12-6.el8.s390x.rpm
PackageKit-glib-1.1.12-6.el8.s390x.rpm
PackageKit-glib-debuginfo-1.1.12-6.el8.s390x.rpm
PackageKit-gstreamer-plugin-1.1.12-6.el8.s390x.rpm
PackageKit-gstreamer-plugin-debuginfo-1.1.12-6.el8.s390x.rpm
PackageKit-gtk3-module-1.1.12-6.el8.s390x.rpm
PackageKit-gtk3-module-debuginfo-1.1.12-6.el8.s390x.rpm
frei0r-plugins-1.6.1-7.el8.s390x.rpm
frei0r-plugins-debuginfo-1.6.1-7.el8.s390x.rpm
frei0r-plugins-debugsource-1.6.1-7.el8.s390x.rpm
frei0r-plugins-opencv-1.6.1-7.el8.s390x.rpm
frei0r-plugins-opencv-debuginfo-1.6.1-7.el8.s390x.rpm
gdm-3.28.3-34.el8.s390x.rpm
gdm-debuginfo-3.28.3-34.el8.s390x.rpm
gdm-debugsource-3.28.3-34.el8.s390x.rpm
gnome-control-center-3.28.2-22.el8.s390x.rpm
gnome-control-center-debuginfo-3.28.2-22.el8.s390x.rpm
gnome-control-center-debugsource-3.28.2-22.el8.s390x.rpm
gnome-remote-desktop-0.1.8-3.el8.s390x.rpm
gnome-remote-desktop-debuginfo-0.1.8-3.el8.s390x.rpm
gnome-remote-desktop-debugsource-0.1.8-3.el8.s390x.rpm
gnome-session-3.28.1-10.el8.s390x.rpm
gnome-session-debuginfo-3.28.1-10.el8.s390x.rpm
gnome-session-debugsource-3.28.1-10.el8.s390x.rpm
gnome-session-wayland-session-3.28.1-10.el8.s390x.rpm
gnome-session-xsession-3.28.1-10.el8.s390x.rpm
gnome-settings-daemon-3.32.0-11.el8.s390x.rpm
gnome-settings-daemon-debuginfo-3.32.0-11.el8.s390x.rpm
gnome-settings-daemon-debugsource-3.32.0-11.el8.s390x.rpm
gnome-shell-3.32.2-20.el8.s390x.rpm
gnome-shell-debuginfo-3.32.2-20.el8.s390x.rpm
gnome-shell-debugsource-3.32.2-20.el8.s390x.rpm
gnome-terminal-3.28.3-2.el8.s390x.rpm
gnome-terminal-debuginfo-3.28.3-2.el8.s390x.rpm
gnome-terminal-debugsource-3.28.3-2.el8.s390x.rpm
gnome-terminal-nautilus-3.28.3-2.el8.s390x.rpm
gnome-terminal-nautilus-debuginfo-3.28.3-2.el8.s390x.rpm
gsettings-desktop-schemas-devel-3.32.0-5.el8.s390x.rpm
gtk-update-icon-cache-3.22.30-6.el8.s390x.rpm
gtk-update-icon-cache-debuginfo-3.22.30-6.el8.s390x.rpm
gtk3-3.22.30-6.el8.s390x.rpm
gtk3-debuginfo-3.22.30-6.el8.s390x.rpm
gtk3-debugsource-3.22.30-6.el8.s390x.rpm
gtk3-devel-3.22.30-6.el8.s390x.rpm
gtk3-devel-debuginfo-3.22.30-6.el8.s390x.rpm
gtk3-immodule-xim-3.22.30-6.el8.s390x.rpm
gtk3-immodule-xim-debuginfo-3.22.30-6.el8.s390x.rpm
gtk3-immodules-debuginfo-3.22.30-6.el8.s390x.rpm
gtk3-tests-debuginfo-3.22.30-6.el8.s390x.rpm
gvfs-1.36.2-10.el8.s390x.rpm
gvfs-afp-1.36.2-10.el8.s390x.rpm
gvfs-afp-debuginfo-1.36.2-10.el8.s390x.rpm
gvfs-archive-1.36.2-10.el8.s390x.rpm
gvfs-archive-debuginfo-1.36.2-10.el8.s390x.rpm
gvfs-client-1.36.2-10.el8.s390x.rpm
gvfs-client-debuginfo-1.36.2-10.el8.s390x.rpm
gvfs-debuginfo-1.36.2-10.el8.s390x.rpm
gvfs-debugsource-1.36.2-10.el8.s390x.rpm
gvfs-devel-1.36.2-10.el8.s390x.rpm
gvfs-fuse-1.36.2-10.el8.s390x.rpm
gvfs-fuse-debuginfo-1.36.2-10.el8.s390x.rpm
gvfs-goa-1.36.2-10.el8.s390x.rpm
gvfs-goa-debuginfo-1.36.2-10.el8.s390x.rpm
gvfs-gphoto2-1.36.2-10.el8.s390x.rpm
gvfs-gphoto2-debuginfo-1.36.2-10.el8.s390x.rpm
gvfs-mtp-1.36.2-10.el8.s390x.rpm
gvfs-mtp-debuginfo-1.36.2-10.el8.s390x.rpm
gvfs-smb-1.36.2-10.el8.s390x.rpm
gvfs-smb-debuginfo-1.36.2-10.el8.s390x.rpm
libsoup-debuginfo-2.62.3-2.el8.s390x.rpm
libsoup-debugsource-2.62.3-2.el8.s390x.rpm
libsoup-devel-2.62.3-2.el8.s390x.rpm
mutter-3.32.2-48.el8.s390x.rpm
mutter-debuginfo-3.32.2-48.el8.s390x.rpm
mutter-debugsource-3.32.2-48.el8.s390x.rpm
mutter-tests-debuginfo-3.32.2-48.el8.s390x.rpm
nautilus-3.28.1-14.el8.s390x.rpm
nautilus-debuginfo-3.28.1-14.el8.s390x.rpm
nautilus-debugsource-3.28.1-14.el8.s390x.rpm
nautilus-extensions-3.28.1-14.el8.s390x.rpm
nautilus-extensions-debuginfo-3.28.1-14.el8.s390x.rpm
pipewire-0.3.6-1.el8.s390x.rpm
pipewire-alsa-debuginfo-0.3.6-1.el8.s390x.rpm
pipewire-debuginfo-0.3.6-1.el8.s390x.rpm
pipewire-debugsource-0.3.6-1.el8.s390x.rpm
pipewire-devel-0.3.6-1.el8.s390x.rpm
pipewire-gstreamer-debuginfo-0.3.6-1.el8.s390x.rpm
pipewire-libs-0.3.6-1.el8.s390x.rpm
pipewire-libs-debuginfo-0.3.6-1.el8.s390x.rpm
pipewire-utils-0.3.6-1.el8.s390x.rpm
pipewire-utils-debuginfo-0.3.6-1.el8.s390x.rpm
pipewire0.2-debugsource-0.2.7-6.el8.s390x.rpm
pipewire0.2-devel-0.2.7-6.el8.s390x.rpm
pipewire0.2-libs-0.2.7-6.el8.s390x.rpm
pipewire0.2-libs-debuginfo-0.2.7-6.el8.s390x.rpm
potrace-1.15-3.el8.s390x.rpm
potrace-debuginfo-1.15-3.el8.s390x.rpm
potrace-debugsource-1.15-3.el8.s390x.rpm
pygobject3-debuginfo-3.28.3-2.el8.s390x.rpm
pygobject3-debugsource-3.28.3-2.el8.s390x.rpm
python3-gobject-3.28.3-2.el8.s390x.rpm
python3-gobject-base-debuginfo-3.28.3-2.el8.s390x.rpm
python3-gobject-debuginfo-3.28.3-2.el8.s390x.rpm
tracker-2.1.5-2.el8.s390x.rpm
tracker-debuginfo-2.1.5-2.el8.s390x.rpm
tracker-debugsource-2.1.5-2.el8.s390x.rpm
vte-profile-0.52.4-2.el8.s390x.rpm
vte291-0.52.4-2.el8.s390x.rpm
vte291-debuginfo-0.52.4-2.el8.s390x.rpm
vte291-debugsource-0.52.4-2.el8.s390x.rpm
vte291-devel-debuginfo-0.52.4-2.el8.s390x.rpm
webkit2gtk3-2.28.4-1.el8.s390x.rpm
webkit2gtk3-debuginfo-2.28.4-1.el8.s390x.rpm
webkit2gtk3-debugsource-2.28.4-1.el8.s390x.rpm
webkit2gtk3-devel-2.28.4-1.el8.s390x.rpm
webkit2gtk3-devel-debuginfo-2.28.4-1.el8.s390x.rpm
webkit2gtk3-jsc-2.28.4-1.el8.s390x.rpm
webkit2gtk3-jsc-debuginfo-2.28.4-1.el8.s390x.rpm
webkit2gtk3-jsc-devel-2.28.4-1.el8.s390x.rpm
webkit2gtk3-jsc-devel-debuginfo-2.28.4-1.el8.s390x.rpm
webrtc-audio-processing-0.3-9.el8.s390x.rpm
webrtc-audio-processing-debuginfo-0.3-9.el8.s390x.rpm
webrtc-audio-processing-debugsource-0.3-9.el8.s390x.rpm
xdg-desktop-portal-1.6.0-2.el8.s390x.rpm
xdg-desktop-portal-debuginfo-1.6.0-2.el8.s390x.rpm
xdg-desktop-portal-debugsource-1.6.0-2.el8.s390x.rpm
xdg-desktop-portal-gtk-1.6.0-1.el8.s390x.rpm
xdg-desktop-portal-gtk-debuginfo-1.6.0-1.el8.s390x.rpm
xdg-desktop-portal-gtk-debugsource-1.6.0-1.el8.s390x.rpm
x86_64:
LibRaw-0.19.5-2.el8.i686.rpm
LibRaw-0.19.5-2.el8.x86_64.rpm
LibRaw-debuginfo-0.19.5-2.el8.i686.rpm
LibRaw-debuginfo-0.19.5-2.el8.x86_64.rpm
LibRaw-debugsource-0.19.5-2.el8.i686.rpm
LibRaw-debugsource-0.19.5-2.el8.x86_64.rpm
LibRaw-samples-debuginfo-0.19.5-2.el8.i686.rpm
LibRaw-samples-debuginfo-0.19.5-2.el8.x86_64.rpm
PackageKit-1.1.12-6.el8.x86_64.rpm
PackageKit-command-not-found-1.1.12-6.el8.x86_64.rpm
PackageKit-command-not-found-debuginfo-1.1.12-6.el8.i686.rpm
PackageKit-command-not-found-debuginfo-1.1.12-6.el8.x86_64.rpm
PackageKit-cron-1.1.12-6.el8.x86_64.rpm
PackageKit-debuginfo-1.1.12-6.el8.i686.rpm
PackageKit-debuginfo-1.1.12-6.el8.x86_64.rpm
PackageKit-debugsource-1.1.12-6.el8.i686.rpm
PackageKit-debugsource-1.1.12-6.el8.x86_64.rpm
PackageKit-glib-1.1.12-6.el8.i686.rpm
PackageKit-glib-1.1.12-6.el8.x86_64.rpm
PackageKit-glib-debuginfo-1.1.12-6.el8.i686.rpm
PackageKit-glib-debuginfo-1.1.12-6.el8.x86_64.rpm
PackageKit-gstreamer-plugin-1.1.12-6.el8.x86_64.rpm
PackageKit-gstreamer-plugin-debuginfo-1.1.12-6.el8.i686.rpm
PackageKit-gstreamer-plugin-debuginfo-1.1.12-6.el8.x86_64.rpm
PackageKit-gtk3-module-1.1.12-6.el8.i686.rpm
PackageKit-gtk3-module-1.1.12-6.el8.x86_64.rpm
PackageKit-gtk3-module-debuginfo-1.1.12-6.el8.i686.rpm
PackageKit-gtk3-module-debuginfo-1.1.12-6.el8.x86_64.rpm
dleyna-renderer-0.6.0-3.el8.x86_64.rpm
dleyna-renderer-debuginfo-0.6.0-3.el8.x86_64.rpm
dleyna-renderer-debugsource-0.6.0-3.el8.x86_64.rpm
frei0r-plugins-1.6.1-7.el8.x86_64.rpm
frei0r-plugins-debuginfo-1.6.1-7.el8.x86_64.rpm
frei0r-plugins-debugsource-1.6.1-7.el8.x86_64.rpm
frei0r-plugins-opencv-1.6.1-7.el8.x86_64.rpm
frei0r-plugins-opencv-debuginfo-1.6.1-7.el8.x86_64.rpm
gdm-3.28.3-34.el8.i686.rpm
gdm-3.28.3-34.el8.x86_64.rpm
gdm-debuginfo-3.28.3-34.el8.i686.rpm
gdm-debuginfo-3.28.3-34.el8.x86_64.rpm
gdm-debugsource-3.28.3-34.el8.i686.rpm
gdm-debugsource-3.28.3-34.el8.x86_64.rpm
gnome-control-center-3.28.2-22.el8.x86_64.rpm
gnome-control-center-debuginfo-3.28.2-22.el8.x86_64.rpm
gnome-control-center-debugsource-3.28.2-22.el8.x86_64.rpm
gnome-photos-3.28.1-3.el8.x86_64.rpm
gnome-photos-debuginfo-3.28.1-3.el8.x86_64.rpm
gnome-photos-debugsource-3.28.1-3.el8.x86_64.rpm
gnome-photos-tests-3.28.1-3.el8.x86_64.rpm
gnome-remote-desktop-0.1.8-3.el8.x86_64.rpm
gnome-remote-desktop-debuginfo-0.1.8-3.el8.x86_64.rpm
gnome-remote-desktop-debugsource-0.1.8-3.el8.x86_64.rpm
gnome-session-3.28.1-10.el8.x86_64.rpm
gnome-session-debuginfo-3.28.1-10.el8.x86_64.rpm
gnome-session-debugsource-3.28.1-10.el8.x86_64.rpm
gnome-session-wayland-session-3.28.1-10.el8.x86_64.rpm
gnome-session-xsession-3.28.1-10.el8.x86_64.rpm
gnome-settings-daemon-3.32.0-11.el8.x86_64.rpm
gnome-settings-daemon-debuginfo-3.32.0-11.el8.x86_64.rpm
gnome-settings-daemon-debugsource-3.32.0-11.el8.x86_64.rpm
gnome-shell-3.32.2-20.el8.x86_64.rpm
gnome-shell-debuginfo-3.32.2-20.el8.x86_64.rpm
gnome-shell-debugsource-3.32.2-20.el8.x86_64.rpm
gnome-terminal-3.28.3-2.el8.x86_64.rpm
gnome-terminal-debuginfo-3.28.3-2.el8.x86_64.rpm
gnome-terminal-debugsource-3.28.3-2.el8.x86_64.rpm
gnome-terminal-nautilus-3.28.3-2.el8.x86_64.rpm
gnome-terminal-nautilus-debuginfo-3.28.3-2.el8.x86_64.rpm
gsettings-desktop-schemas-3.32.0-5.el8.i686.rpm
gsettings-desktop-schemas-devel-3.32.0-5.el8.i686.rpm
gsettings-desktop-schemas-devel-3.32.0-5.el8.x86_64.rpm
gtk-update-icon-cache-3.22.30-6.el8.x86_64.rpm
gtk-update-icon-cache-debuginfo-3.22.30-6.el8.i686.rpm
gtk-update-icon-cache-debuginfo-3.22.30-6.el8.x86_64.rpm
gtk3-3.22.30-6.el8.i686.rpm
gtk3-3.22.30-6.el8.x86_64.rpm
gtk3-debuginfo-3.22.30-6.el8.i686.rpm
gtk3-debuginfo-3.22.30-6.el8.x86_64.rpm
gtk3-debugsource-3.22.30-6.el8.i686.rpm
gtk3-debugsource-3.22.30-6.el8.x86_64.rpm
gtk3-devel-3.22.30-6.el8.i686.rpm
gtk3-devel-3.22.30-6.el8.x86_64.rpm
gtk3-devel-debuginfo-3.22.30-6.el8.i686.rpm
gtk3-devel-debuginfo-3.22.30-6.el8.x86_64.rpm
gtk3-immodule-xim-3.22.30-6.el8.x86_64.rpm
gtk3-immodule-xim-debuginfo-3.22.30-6.el8.i686.rpm
gtk3-immodule-xim-debuginfo-3.22.30-6.el8.x86_64.rpm
gtk3-immodules-debuginfo-3.22.30-6.el8.i686.rpm
gtk3-immodules-debuginfo-3.22.30-6.el8.x86_64.rpm
gtk3-tests-debuginfo-3.22.30-6.el8.i686.rpm
gtk3-tests-debuginfo-3.22.30-6.el8.x86_64.rpm
gvfs-1.36.2-10.el8.x86_64.rpm
gvfs-afc-1.36.2-10.el8.x86_64.rpm
gvfs-afc-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-afc-debuginfo-1.36.2-10.el8.x86_64.rpm
gvfs-afp-1.36.2-10.el8.x86_64.rpm
gvfs-afp-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-afp-debuginfo-1.36.2-10.el8.x86_64.rpm
gvfs-archive-1.36.2-10.el8.x86_64.rpm
gvfs-archive-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-archive-debuginfo-1.36.2-10.el8.x86_64.rpm
gvfs-client-1.36.2-10.el8.i686.rpm
gvfs-client-1.36.2-10.el8.x86_64.rpm
gvfs-client-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-client-debuginfo-1.36.2-10.el8.x86_64.rpm
gvfs-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-debuginfo-1.36.2-10.el8.x86_64.rpm
gvfs-debugsource-1.36.2-10.el8.i686.rpm
gvfs-debugsource-1.36.2-10.el8.x86_64.rpm
gvfs-devel-1.36.2-10.el8.i686.rpm
gvfs-devel-1.36.2-10.el8.x86_64.rpm
gvfs-fuse-1.36.2-10.el8.x86_64.rpm
gvfs-fuse-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-fuse-debuginfo-1.36.2-10.el8.x86_64.rpm
gvfs-goa-1.36.2-10.el8.x86_64.rpm
gvfs-goa-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-goa-debuginfo-1.36.2-10.el8.x86_64.rpm
gvfs-gphoto2-1.36.2-10.el8.x86_64.rpm
gvfs-gphoto2-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-gphoto2-debuginfo-1.36.2-10.el8.x86_64.rpm
gvfs-mtp-1.36.2-10.el8.x86_64.rpm
gvfs-mtp-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-mtp-debuginfo-1.36.2-10.el8.x86_64.rpm
gvfs-smb-1.36.2-10.el8.x86_64.rpm
gvfs-smb-debuginfo-1.36.2-10.el8.i686.rpm
gvfs-smb-debuginfo-1.36.2-10.el8.x86_64.rpm
libsoup-debuginfo-2.62.3-2.el8.i686.rpm
libsoup-debuginfo-2.62.3-2.el8.x86_64.rpm
libsoup-debugsource-2.62.3-2.el8.i686.rpm
libsoup-debugsource-2.62.3-2.el8.x86_64.rpm
libsoup-devel-2.62.3-2.el8.i686.rpm
libsoup-devel-2.62.3-2.el8.x86_64.rpm
mutter-3.32.2-48.el8.i686.rpm
mutter-3.32.2-48.el8.x86_64.rpm
mutter-debuginfo-3.32.2-48.el8.i686.rpm
mutter-debuginfo-3.32.2-48.el8.x86_64.rpm
mutter-debugsource-3.32.2-48.el8.i686.rpm
mutter-debugsource-3.32.2-48.el8.x86_64.rpm
mutter-tests-debuginfo-3.32.2-48.el8.i686.rpm
mutter-tests-debuginfo-3.32.2-48.el8.x86_64.rpm
nautilus-3.28.1-14.el8.x86_64.rpm
nautilus-debuginfo-3.28.1-14.el8.i686.rpm
nautilus-debuginfo-3.28.1-14.el8.x86_64.rpm
nautilus-debugsource-3.28.1-14.el8.i686.rpm
nautilus-debugsource-3.28.1-14.el8.x86_64.rpm
nautilus-extensions-3.28.1-14.el8.i686.rpm
nautilus-extensions-3.28.1-14.el8.x86_64.rpm
nautilus-extensions-debuginfo-3.28.1-14.el8.i686.rpm
nautilus-extensions-debuginfo-3.28.1-14.el8.x86_64.rpm
pipewire-0.3.6-1.el8.i686.rpm
pipewire-0.3.6-1.el8.x86_64.rpm
pipewire-alsa-debuginfo-0.3.6-1.el8.i686.rpm
pipewire-alsa-debuginfo-0.3.6-1.el8.x86_64.rpm
pipewire-debuginfo-0.3.6-1.el8.i686.rpm
pipewire-debuginfo-0.3.6-1.el8.x86_64.rpm
pipewire-debugsource-0.3.6-1.el8.i686.rpm
pipewire-debugsource-0.3.6-1.el8.x86_64.rpm
pipewire-devel-0.3.6-1.el8.i686.rpm
pipewire-devel-0.3.6-1.el8.x86_64.rpm
pipewire-doc-0.3.6-1.el8.x86_64.rpm
pipewire-gstreamer-debuginfo-0.3.6-1.el8.i686.rpm
pipewire-gstreamer-debuginfo-0.3.6-1.el8.x86_64.rpm
pipewire-libs-0.3.6-1.el8.i686.rpm
pipewire-libs-0.3.6-1.el8.x86_64.rpm
pipewire-libs-debuginfo-0.3.6-1.el8.i686.rpm
pipewire-libs-debuginfo-0.3.6-1.el8.x86_64.rpm
pipewire-utils-0.3.6-1.el8.x86_64.rpm
pipewire-utils-debuginfo-0.3.6-1.el8.i686.rpm
pipewire-utils-debuginfo-0.3.6-1.el8.x86_64.rpm
pipewire0.2-debugsource-0.2.7-6.el8.i686.rpm
pipewire0.2-debugsource-0.2.7-6.el8.x86_64.rpm
pipewire0.2-devel-0.2.7-6.el8.i686.rpm
pipewire0.2-devel-0.2.7-6.el8.x86_64.rpm
pipewire0.2-libs-0.2.7-6.el8.i686.rpm
pipewire0.2-libs-0.2.7-6.el8.x86_64.rpm
pipewire0.2-libs-debuginfo-0.2.7-6.el8.i686.rpm
pipewire0.2-libs-debuginfo-0.2.7-6.el8.x86_64.rpm
potrace-1.15-3.el8.i686.rpm
potrace-1.15-3.el8.x86_64.rpm
potrace-debuginfo-1.15-3.el8.i686.rpm
potrace-debuginfo-1.15-3.el8.x86_64.rpm
potrace-debugsource-1.15-3.el8.i686.rpm
potrace-debugsource-1.15-3.el8.x86_64.rpm
pygobject3-debuginfo-3.28.3-2.el8.i686.rpm
pygobject3-debuginfo-3.28.3-2.el8.x86_64.rpm
pygobject3-debugsource-3.28.3-2.el8.i686.rpm
pygobject3-debugsource-3.28.3-2.el8.x86_64.rpm
python3-gobject-3.28.3-2.el8.i686.rpm
python3-gobject-3.28.3-2.el8.x86_64.rpm
python3-gobject-base-3.28.3-2.el8.i686.rpm
python3-gobject-base-debuginfo-3.28.3-2.el8.i686.rpm
python3-gobject-base-debuginfo-3.28.3-2.el8.x86_64.rpm
python3-gobject-debuginfo-3.28.3-2.el8.i686.rpm
python3-gobject-debuginfo-3.28.3-2.el8.x86_64.rpm
tracker-2.1.5-2.el8.i686.rpm
tracker-2.1.5-2.el8.x86_64.rpm
tracker-debuginfo-2.1.5-2.el8.i686.rpm
tracker-debuginfo-2.1.5-2.el8.x86_64.rpm
tracker-debugsource-2.1.5-2.el8.i686.rpm
tracker-debugsource-2.1.5-2.el8.x86_64.rpm
vte-profile-0.52.4-2.el8.x86_64.rpm
vte291-0.52.4-2.el8.i686.rpm
vte291-0.52.4-2.el8.x86_64.rpm
vte291-debuginfo-0.52.4-2.el8.i686.rpm
vte291-debuginfo-0.52.4-2.el8.x86_64.rpm
vte291-debugsource-0.52.4-2.el8.i686.rpm
vte291-debugsource-0.52.4-2.el8.x86_64.rpm
vte291-devel-debuginfo-0.52.4-2.el8.i686.rpm
vte291-devel-debuginfo-0.52.4-2.el8.x86_64.rpm
webkit2gtk3-2.28.4-1.el8.i686.rpm
webkit2gtk3-2.28.4-1.el8.x86_64.rpm
webkit2gtk3-debuginfo-2.28.4-1.el8.i686.rpm
webkit2gtk3-debuginfo-2.28.4-1.el8.x86_64.rpm
webkit2gtk3-debugsource-2.28.4-1.el8.i686.rpm
webkit2gtk3-debugsource-2.28.4-1.el8.x86_64.rpm
webkit2gtk3-devel-2.28.4-1.el8.i686.rpm
webkit2gtk3-devel-2.28.4-1.el8.x86_64.rpm
webkit2gtk3-devel-debuginfo-2.28.4-1.el8.i686.rpm
webkit2gtk3-devel-debuginfo-2.28.4-1.el8.x86_64.rpm
webkit2gtk3-jsc-2.28.4-1.el8.i686.rpm
webkit2gtk3-jsc-2.28.4-1.el8.x86_64.rpm
webkit2gtk3-jsc-debuginfo-2.28.4-1.el8.i686.rpm
webkit2gtk3-jsc-debuginfo-2.28.4-1.el8.x86_64.rpm
webkit2gtk3-jsc-devel-2.28.4-1.el8.i686.rpm
webkit2gtk3-jsc-devel-2.28.4-1.el8.x86_64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.28.4-1.el8.i686.rpm
webkit2gtk3-jsc-devel-debuginfo-2.28.4-1.el8.x86_64.rpm
webrtc-audio-processing-0.3-9.el8.i686.rpm
webrtc-audio-processing-0.3-9.el8.x86_64.rpm
webrtc-audio-processing-debuginfo-0.3-9.el8.i686.rpm
webrtc-audio-processing-debuginfo-0.3-9.el8.x86_64.rpm
webrtc-audio-processing-debugsource-0.3-9.el8.i686.rpm
webrtc-audio-processing-debugsource-0.3-9.el8.x86_64.rpm
xdg-desktop-portal-1.6.0-2.el8.x86_64.rpm
xdg-desktop-portal-debuginfo-1.6.0-2.el8.x86_64.rpm
xdg-desktop-portal-debugsource-1.6.0-2.el8.x86_64.rpm
xdg-desktop-portal-gtk-1.6.0-1.el8.x86_64.rpm
xdg-desktop-portal-gtk-debuginfo-1.6.0-1.el8.x86_64.rpm
xdg-desktop-portal-gtk-debugsource-1.6.0-1.el8.x86_64.rpm
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
gsettings-desktop-schemas-3.32.0-5.el8.src.rpm
libsoup-2.62.3-2.el8.src.rpm
pygobject3-3.28.3-2.el8.src.rpm
aarch64:
gsettings-desktop-schemas-3.32.0-5.el8.aarch64.rpm
libsoup-2.62.3-2.el8.aarch64.rpm
libsoup-debuginfo-2.62.3-2.el8.aarch64.rpm
libsoup-debugsource-2.62.3-2.el8.aarch64.rpm
pygobject3-debuginfo-3.28.3-2.el8.aarch64.rpm
pygobject3-debugsource-3.28.3-2.el8.aarch64.rpm
python3-gobject-base-3.28.3-2.el8.aarch64.rpm
python3-gobject-base-debuginfo-3.28.3-2.el8.aarch64.rpm
python3-gobject-debuginfo-3.28.3-2.el8.aarch64.rpm
ppc64le:
gsettings-desktop-schemas-3.32.0-5.el8.ppc64le.rpm
libsoup-2.62.3-2.el8.ppc64le.rpm
libsoup-debuginfo-2.62.3-2.el8.ppc64le.rpm
libsoup-debugsource-2.62.3-2.el8.ppc64le.rpm
pygobject3-debuginfo-3.28.3-2.el8.ppc64le.rpm
pygobject3-debugsource-3.28.3-2.el8.ppc64le.rpm
python3-gobject-base-3.28.3-2.el8.ppc64le.rpm
python3-gobject-base-debuginfo-3.28.3-2.el8.ppc64le.rpm
python3-gobject-debuginfo-3.28.3-2.el8.ppc64le.rpm
s390x:
gsettings-desktop-schemas-3.32.0-5.el8.s390x.rpm
libsoup-2.62.3-2.el8.s390x.rpm
libsoup-debuginfo-2.62.3-2.el8.s390x.rpm
libsoup-debugsource-2.62.3-2.el8.s390x.rpm
pygobject3-debuginfo-3.28.3-2.el8.s390x.rpm
pygobject3-debugsource-3.28.3-2.el8.s390x.rpm
python3-gobject-base-3.28.3-2.el8.s390x.rpm
python3-gobject-base-debuginfo-3.28.3-2.el8.s390x.rpm
python3-gobject-debuginfo-3.28.3-2.el8.s390x.rpm
x86_64:
gsettings-desktop-schemas-3.32.0-5.el8.x86_64.rpm
libsoup-2.62.3-2.el8.i686.rpm
libsoup-2.62.3-2.el8.x86_64.rpm
libsoup-debuginfo-2.62.3-2.el8.i686.rpm
libsoup-debuginfo-2.62.3-2.el8.x86_64.rpm
libsoup-debugsource-2.62.3-2.el8.i686.rpm
libsoup-debugsource-2.62.3-2.el8.x86_64.rpm
pygobject3-debuginfo-3.28.3-2.el8.x86_64.rpm
pygobject3-debugsource-3.28.3-2.el8.x86_64.rpm
python3-gobject-base-3.28.3-2.el8.x86_64.rpm
python3-gobject-base-debuginfo-3.28.3-2.el8.x86_64.rpm
python3-gobject-debuginfo-3.28.3-2.el8.x86_64.rpm
Red Hat CodeReady Linux Builder (v. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202003-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: WebkitGTK+: Multiple vulnerabilities
Date: March 15, 2020
Bugs: #699156, #706374, #709612
ID: 202003-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in WebKitGTK+, the worst of
which may lead to arbitrary code execution.
Background
==========
WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from
hybrid HTML/CSS applications to full-fledged web browsers.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.26.4 >= 2.26.4
Description
===========
Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WebkitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.26.4"
References
==========
[ 1 ] CVE-2019-8625
https://nvd.nist.gov/vuln/detail/CVE-2019-8625
[ 2 ] CVE-2019-8674
https://nvd.nist.gov/vuln/detail/CVE-2019-8674
[ 3 ] CVE-2019-8707
https://nvd.nist.gov/vuln/detail/CVE-2019-8707
[ 4 ] CVE-2019-8710
https://nvd.nist.gov/vuln/detail/CVE-2019-8710
[ 5 ] CVE-2019-8719
https://nvd.nist.gov/vuln/detail/CVE-2019-8719
[ 6 ] CVE-2019-8720
https://nvd.nist.gov/vuln/detail/CVE-2019-8720
[ 7 ] CVE-2019-8726
https://nvd.nist.gov/vuln/detail/CVE-2019-8726
[ 8 ] CVE-2019-8733
https://nvd.nist.gov/vuln/detail/CVE-2019-8733
[ 9 ] CVE-2019-8735
https://nvd.nist.gov/vuln/detail/CVE-2019-8735
[ 10 ] CVE-2019-8743
https://nvd.nist.gov/vuln/detail/CVE-2019-8743
[ 11 ] CVE-2019-8763
https://nvd.nist.gov/vuln/detail/CVE-2019-8763
[ 12 ] CVE-2019-8764
https://nvd.nist.gov/vuln/detail/CVE-2019-8764
[ 13 ] CVE-2019-8765
https://nvd.nist.gov/vuln/detail/CVE-2019-8765
[ 14 ] CVE-2019-8766
https://nvd.nist.gov/vuln/detail/CVE-2019-8766
[ 15 ] CVE-2019-8768
https://nvd.nist.gov/vuln/detail/CVE-2019-8768
[ 16 ] CVE-2019-8769
https://nvd.nist.gov/vuln/detail/CVE-2019-8769
[ 17 ] CVE-2019-8771
https://nvd.nist.gov/vuln/detail/CVE-2019-8771
[ 18 ] CVE-2019-8782
https://nvd.nist.gov/vuln/detail/CVE-2019-8782
[ 19 ] CVE-2019-8783
https://nvd.nist.gov/vuln/detail/CVE-2019-8783
[ 20 ] CVE-2019-8808
https://nvd.nist.gov/vuln/detail/CVE-2019-8808
[ 21 ] CVE-2019-8811
https://nvd.nist.gov/vuln/detail/CVE-2019-8811
[ 22 ] CVE-2019-8812
https://nvd.nist.gov/vuln/detail/CVE-2019-8812
[ 23 ] CVE-2019-8813
https://nvd.nist.gov/vuln/detail/CVE-2019-8813
[ 24 ] CVE-2019-8814
https://nvd.nist.gov/vuln/detail/CVE-2019-8814
[ 25 ] CVE-2019-8815
https://nvd.nist.gov/vuln/detail/CVE-2019-8815
[ 26 ] CVE-2019-8816
https://nvd.nist.gov/vuln/detail/CVE-2019-8816
[ 27 ] CVE-2019-8819
https://nvd.nist.gov/vuln/detail/CVE-2019-8819
[ 28 ] CVE-2019-8820
https://nvd.nist.gov/vuln/detail/CVE-2019-8820
[ 29 ] CVE-2019-8821
https://nvd.nist.gov/vuln/detail/CVE-2019-8821
[ 30 ] CVE-2019-8822
https://nvd.nist.gov/vuln/detail/CVE-2019-8822
[ 31 ] CVE-2019-8823
https://nvd.nist.gov/vuln/detail/CVE-2019-8823
[ 32 ] CVE-2019-8835
https://nvd.nist.gov/vuln/detail/CVE-2019-8835
[ 33 ] CVE-2019-8844
https://nvd.nist.gov/vuln/detail/CVE-2019-8844
[ 34 ] CVE-2019-8846
https://nvd.nist.gov/vuln/detail/CVE-2019-8846
[ 35 ] CVE-2020-3862
https://nvd.nist.gov/vuln/detail/CVE-2020-3862
[ 36 ] CVE-2020-3864
https://nvd.nist.gov/vuln/detail/CVE-2020-3864
[ 37 ] CVE-2020-3865
https://nvd.nist.gov/vuln/detail/CVE-2020-3865
[ 38 ] CVE-2020-3867
https://nvd.nist.gov/vuln/detail/CVE-2020-3867
[ 39 ] CVE-2020-3868
https://nvd.nist.gov/vuln/detail/CVE-2020-3868
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202003-22
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. Description:
Service Telemetry Framework (STF) provides automated collection of
measurements and data from remote clients, such as Red Hat OpenStack
Platform or third-party nodes.
Dockerfiles and scripts should be amended either to refer to this new image
specifically, or to the latest image generally. Bugs fixed (https://bugzilla.redhat.com/):
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
5 |
|
var-201806-1441
|
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "libxpc" component. It allows attackers to gain privileges via a crafted app that leverages a logic error. This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the handling of Mach ports. The issue results from ability to modify ports that are inherited by child processes. An attacker can leverage this vulnerability to execute code under the context of root. Apple iOS, macOS High Sierra, tvOS, and watchOS are all products of Apple Inc. in the United States. Apple iOS is an operating system developed for mobile devices; macOS High Sierra is a dedicated operating system developed for Mac computers; tvOS is a smart TV operating system; watchOS is a smart watch operating system. libxpc is an open source implementation of one of the Apple XPC libraries. The following products and versions are affected: Apple iOS prior to 11.4; macOS High Sierra prior to 10.13.5; tvOS prior to 11.4; watchOS prior to 4.3.1.
CVE-2018-4196: G.
CVE-2018-4253: shrek_wzw of Qihoo 360 Nirvan Team
apache_mod_php
Available for: macOS High Sierra 10.13.4
Impact: Issues in php were addressed in this update
Description: This issue was addressed by updating to php version
7.1.16.
CVE-2018-4219: Mohamed Ghannam (@_simo36)
Bluetooth
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: A malicious application may be able to determine kernel
memory layout.
Description: An information disclosure issue existed in device
properties.
CVE-2018-4171: shrek_wzw of Qihoo 360 Nirvan Team
Bluetooth
Available for: MacBook Pro (Retina, 15-inch, Mid 2015), MacBook Pro
(Retina, 15-inch, 2015), MacBook Pro (Retina, 13-inch, Early 2015),
MacBook Pro (15-inch, 2017), MacBook Pro (15-inch, 2016),
MacBook Pro (13-inch, Late 2016, Two Thunderbolt 3 Ports),
MacBook Pro (13-inch, Late 2016, Four Thunderbolt 3 Ports),
MacBook Pro (13-inch, 2017, Four Thunderbolt 3 Ports),
MacBook (Retina, 12-inch, Early 2016), MacBook
(Retina, 12-inch, Early 2015), MacBook (Retina, 12-inch, 2017),
iMac Pro, iMac (Retina 5K, 27-inch, Late 2015), iMac
(Retina 5K, 27-inch, 2017), iMac (Retina 4K, 21.5-inch, Late 2015),
iMac (Retina 4K, 21.5-inch, 2017), iMac (21.5-inch, Late 2015), and
iMac (21.5-inch, 2017)
Impact: An attacker in a privileged network position may be able to
intercept Bluetooth traffic
Description: An input validation issue existed in Bluetooth.
CVE-2018-4211: Proteas of Qihoo 360 Nirvan Team
Grand Central Dispatch
Available for: macOS High Sierra 10.13.4
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An issue existed in parsing entitlement plists. The issue appears to be from an undocumented
side effect of the instructions. An attacker might utilize this
exception handling to gain access to Ring 0 and access sensitive
memory or control operating system processes.
CVE-2018-4226: Abraham Masri (@cheesecakeufo)
Speech
Available for: macOS High Sierra 10.13.4
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A sandbox issue existed in the handling of microphone
access. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2018-7-23-3 Additional information for
APPLE-SA-2018-06-01-4 iOS 11.4
iOS 11.4 addresses the following:
Bluetooth
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2018-4215: Abraham Masri (@cheesecakeufo)
Bluetooth
Available for: iPhone X, iPhone 8, iPhone 8 Plus,
iPad 6th generation, and iPad Air 2
Not impacted: HomePod
Impact: An attacker in a privileged network position may be able to
intercept Bluetooth traffic
Description: An input validation issue existed in Bluetooth. This
issue was addressed with improved input validation.
CVE-2018-5383: Lior Neumann and Eli Biham
Entry added July 23, 2018
Contacts
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted vcf file may lead to a
denial of service
Description: A validation issue existed in the handling of phone
numbers. This issue was addressed with improved validation of phone
numbers.
CVE-2018-4100: Abraham Masri (@cheesecakeufo)
FontParser
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2018-4211: Proteas of Qihoo 360 Nirvan Team
iBooks
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged network position may be able to
spoof password prompts in iBooks
Description: An input validation issue was addressed with improved
input validation.
CVE-2018-4202: Jerry Decime
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4249: Kevin Backhouse of Semmle Ltd.
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2018-4241: Ian Beer of Google Project Zero
CVE-2018-4243: Ian Beer of Google Project Zero
libxpc
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved validation.
CVE-2018-4237: Samuel GroA (@5aelo) working with Trend Micro's Zero
Day Initiative
Magnifier
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to an iOS device may be able to
view the last image used in Magnifier from the lockscreen
Description: A permissions issue existed in Magnifier. This was
addressed with additional permission checks.
CVE-2018-4239: an anonymous researcher
Mail
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker may be able to exfiltrate the contents of
S/MIME-encrypted e-mail
Description: An issue existed in the handling of encrypted Mail. This
issue was addressed with improved isolation of MIME in Mail.
CVE-2018-4227: Damian Poddebniak of MA1/4nster University of Applied
Sciences, Christian Dresen of MA1/4nster University of Applied Sciences,
Jens MA1/4ller of Ruhr University Bochum, Fabian Ising of MA1/4nster
University of Applied Sciences, Sebastian Schinzel of MA1/4nster
University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj
Somorovsky of Ruhr University Bochum, JAPrg Schwenk of Ruhr University
Bochum
Messages
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to conduct impersonation attacks
Description: An injection issue was addressed with improved input
validation.
CVE-2018-4235: Anurodh Pokharel of Salesforce.com
Messages
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted message may lead to a denial
of service
Description: This issue was addressed with improved message
validation.
CVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd
CVE-2018-4250: Metehan YA+-lmaz of Sesim Sarpkaya
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious website may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4247: FranASSois Renaud, Jesse Viviano of Verizon Enterprise
Solutions
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to read a persistent account
identifier
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4223: Abraham Masri (@cheesecakeufo)
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Users may be tracked by malicious websites using client
certificates
Description: An issue existed in the handling of S-MIME
certificaties. This issue was addressed with improved validation of
S-MIME certificates.
CVE-2018-4221: Damian Poddebniak of MA1/4nster University of Applied
Sciences, Christian Dresen of MA1/4nster University of Applied Sciences,
Jens MA1/4ller of Ruhr University Bochum, Fabian Ising of MA1/4nster
University of Applied Sciences, Sebastian Schinzel of MA1/4nster
University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj
Somorovsky of Ruhr University Bochum, JAPrg Schwenk of Ruhr University
Bochum
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to read a persistent device
identifier
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4224: Abraham Masri (@cheesecakeufo)
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to modify the state of the Keychain
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4225: Abraham Masri (@cheesecakeufo)
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to view sensitive user information
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4226: Abraham Masri (@cheesecakeufo)
Siri
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to an iOS device may be able to
enable Siri from the lock screen
Description: An issue existed with Siri permissions. This was
addressed with improved permission checking.
CVE-2018-4238: Baljinder Singh, Muhammad khizer javed, Onur Can
BIKMAZ (@CanBkmaz) of Mustafa Kemal University
Siri
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to an iOS device may be able to
use Siri to read notifications of content that is set not to be
displayed at the lock screen
Description: An issue existed with Siri permissions. This was
addressed with improved permission checking.
CVE-2018-4252: Hunter Byrnes, Martin Winkelmann (@Winkelmannnn)
Siri Contacts
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker with physical access to a device may be able to
see private contact information
Description: An issue existed with Siri permissions. This was
addressed with improved permission checking.
CVE-2018-4244: an anonymous researcher
UIKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted text file may lead to a
denial of service
Description: A validation issue existed in the handling of text. This
issue was addressed with improved validation of text.
CVE-2018-4198: Hunter Byrnes
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4201: an anonymous researcher
CVE-2018-4218: Natalie Silvanovich of Google Project Zero
CVE-2018-4233: Samuel GroA (@5aelo) working with Trend Micro's Zero
Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2018-4199: Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils
of MWR Labs working with Trend Micro's Zero Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a maliciously crafted website may lead to cookies
being overwritten
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed with improved restrictions.
CVE-2018-4232: an anonymous researcher, Aymeric Chaib
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A race condition was addressed with improved locking.
CVE-2018-4192: Markus Gaasedelen, Nick Burnett, and Patrick Biernat
of Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4214: found by OSS-Fuzz
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working
with Trend Micro's Zero Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4246: found by OSS-Fuzz
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a maliciously crafted website may leak sensitive
data
Description: Credentials were unexpectedly sent when fetching CSS
mask images. This was addressed by using a CORS-enabled fetch method.
CVE-2018-4190: Jun Kokatsu (@shhnjk)
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2018-4222: Natalie Silvanovich of Google Project Zero
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 11.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAltUshMACgkQ8ecVjteJ
iCbspA//aVxu/EdiaNxNRmRDFB8LpqKa3xjJdfkK9cJRYZ+eBHJZjBfzj4BzABuG
Xow7FkEE7LSQpCeJ08Ggo6vVQUdR4+etQ2UfjQWGX6qIvLZUXK0lw2x5XdTP0q4m
WmNoZcdK3cmbVXGMWUZRUrYPTWwMnTMsPpPoDoptaQRseN+K/0kdwsQZtdqeN9sq
GN3Qp6AW6WR1gUAgDriIyzFXTxJ8NmKx2+4B5O2w0TbmzxGa/F5ZUjw4D/wwJJPA
/RXAwseJMghPfbi9tNcjUhbGFfcnr5JvyGfY2GESFc7odWt2XSpePHr6qaJzogBr
KeJKOVpgTdS4PO37+KDUfQDIElSnYQVTff8Tinxg/Zojafp0PxYkDYRxw7i16YKU
HsB7R0o5Yi5YD4uG5ioMj4RspQDWozzveVvvtah6/bWChQQwD3XHr6JRM6oJ106G
wNx2EHfRRXFQCY680RfE8hN/98IJRrCF6nIdO9zBbzGM/Ihzr02F0qSrdB5/PXSq
S6EwJi0M5ia/KMFSO7EY5qQ2aipyDC3WPkvQrHtpsqstMrktyJOYGbm/t39WmIBb
gC92rxvNFr5mO8Owypu1/tloGr15zIxPGR6OXA/DVxdRm2/UmW1tsqQfKgporJMD
de6uiZJb8p8X36KC7YmHLTApYL3CaZebJIIOmf8tKjQUxxbR9wE=
=nII0
-----END PGP SIGNATURE-----
.
Alternatively, on your watch, select "My Watch > General > About" |
|
var-200802-0651
|
modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 does not properly perform certain calculations related to the mColors table, which allows remote attackers to read portions of memory uninitialized via a crafted 8-bit bitmap (BMP) file that triggers an out-of-bounds read within the heap, as demonstrated using a CANVAS element; or cause a denial of service (application crash) via a crafted 8-bit bitmap file that triggers an out-of-bounds read. NOTE: the initial public reports stated that this affected Firefox in Ubuntu 6.06 through 7.10. Firefox and Opera browsers are prone to a vulnerability that can result in information disclosure or a denial of service.
An attacker can exploit this issue to harvest sensitive information that may be used to launch further attacks or to crash the affected application, denying service to legitimate users.
Mozilla Firefox 2.0.0.11 and Opera 9.50 Beta are affected. This vulnerability is related to CVE-2008-0420. The upstream
fixes were incomplete, and after performing certain actions Thunderbird
would crash due to memory errors. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Thunderbird did not properly set the size of a
buffer when parsing an external-body MIME-type. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200805-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla products: Multiple vulnerabilities
Date: May 20, 2008
Bugs: #208128, #214816, #218065
ID: 200805-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Mozilla Firefox,
Thunderbird, SeaMonkey and XULRunner, some of which may allow
user-assisted execution of arbitrary code.
Background
==========
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'. XULRunner is a Mozilla runtime package
that can be used to bootstrap XUL+XPCOM applications like Firefox and
Thunderbird.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 mozilla-firefox < 2.0.0.14 >= 2.0.0.14
2 mozilla-firefox-bin < 2.0.0.14 >= 2.0.0.14
3 mozilla-thunderbird < 2.0.0.14 >= 2.0.0.14
4 mozilla-thunderbird-bin < 2.0.0.14 >= 2.0.0.14
5 seamonkey < 1.1.9-r1 >= 1.1.9-r1
6 seamonkey-bin < 1.1.9 >= 1.1.9
7 xulrunner < 1.8.1.14 >= 1.8.1.14
-------------------------------------------------------------------
7 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
The following vulnerabilities were reported in all mentioned Mozilla
products:
* Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren, and
Paul Nickerson reported browser crashes related to JavaScript
methods, possibly triggering memory corruption (CVE-2008-0412).
* Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown,
Philip Taylor, and tgirmann reported crashes in the JavaScript
engine, possibly triggering memory corruption (CVE-2008-0413).
* David Bloom discovered a vulnerability in the way images are
treated by the browser when a user leaves a page, possibly triggering
memory corruption (CVE-2008-0419).
* moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported a series
of privilege escalation vulnerabilities related to JavaScript
(CVE-2008-1233, CVE-2008-1234, CVE-2008-1235).
* Mozilla developers identified browser crashes caused by the layout
and JavaScript engines, possibly triggering memory corruption
(CVE-2008-1236, CVE-2008-1237).
* moz_bug_r_a4 and Boris Zbarsky discovered that pages could escape
from its sandboxed context and run with chrome privileges, and inject
script content into another site, violating the browser's same origin
policy (CVE-2008-0415).
* Gerry Eisenhaur discovered a directory traversal vulnerability when
using "flat" addons (CVE-2008-0418).
* Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu reported
multiple character handling flaws related to the backspace character,
the "0x80" character, involving zero-length non-ASCII sequences in
multiple character sets, that could facilitate Cross-Site Scripting
attacks (CVE-2008-0416).
The following vulnerability was reported in Thunderbird and SeaMonkey:
* regenrecht (via iDefense) reported a heap-based buffer overflow
when rendering an email message with an external MIME body
(CVE-2008-0304).
The following vulnerabilities were reported in Firefox, SeaMonkey and
XULRunner:
* The fix for CVE-2008-1237 in Firefox 2.0.0.13 and SeaMonkey 1.1.9
introduced a new crash vulnerability (CVE-2008-1380).
* hong and Gregory Fleischer each reported a variant on earlier
reported bugs regarding focus shifting in file input controls
(CVE-2008-0414).
* Gynvael Coldwind (Vexillium) discovered that BMP images could be
used to reveal uninitialized memory, and that this data could be
extracted using a "canvas" feature (CVE-2008-0420).
* Chris Thomas reported that background tabs could create a
borderless XUL pop-up in front of pages in other tabs
(CVE-2008-1241).
* oo.rio.oo discovered that a plain text file with a
"Content-Disposition: attachment" prevents Firefox from rendering
future plain text files within the browser (CVE-2008-0592).
* Martin Straka reported that the ".href" property of stylesheet DOM
nodes is modified to the final URI of a 302 redirect, bypassing the
same origin policy (CVE-2008-0593).
* Gregory Fleischer discovered that under certain circumstances,
leading characters from the hostname part of the "Referer:" HTTP
header are removed (CVE-2008-1238).
* Peter Brodersen and Alexander Klink reported that the browser
automatically selected and sent a client certificate when SSL Client
Authentication is requested by a server (CVE-2007-4879).
* Gregory Fleischer reported that web content fetched via the "jar:"
protocol was not subject to network access restrictions
(CVE-2008-1240).
The following vulnerabilities were reported in Firefox:
* Justin Dolske discovered a CRLF injection vulnerability when
storing passwords (CVE-2008-0417).
* Michal Zalewski discovered that Firefox does not properly manage a
delay timer used in confirmation dialogs (CVE-2008-0591).
* Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery
warning dialog is not displayed if the entire contents of a web page
are in a DIV tag that uses absolute positioning (CVE-2008-0594).
Impact
======
A remote attacker could entice a user to view a specially crafted web
page or email that will trigger one of the vulnerabilities, possibly
leading to the execution of arbitrary code or a Denial of Service. It
is also possible for an attacker to trick a user to upload arbitrary
files when submitting a form, to corrupt saved passwords for other
sites, to steal login credentials, or to conduct Cross-Site Scripting
and Cross-Site Request Forgery attacks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask -1 -v ">=www-client/mozilla-firefox-2.0.0.14"
All Mozilla Firefox binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask -1 -v ">=www-client/mozilla-firefox-bin-2.0.0.14"
All Mozilla Thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask -1 -v ">=mail-client/mozilla-thunderbird-2.0.0.14"
All Mozilla Thunderbird binary users should upgrade to the latest
version:
# emerge --sync
# emerge -a -1 -v ">=mail-client/mozilla-thunderbird-bin-2.0.0.14"
All SeaMonkey users should upgrade to the latest version:
# emerge --sync
# emerge --ask -1 -v ">=www-client/seamonkey-1.1.9-r1"
All SeaMonkey binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask -1 -v ">=www-client/seamonkey-bin-1.1.9"
All XULRunner users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.14"
NOTE: The crash vulnerability (CVE-2008-1380) is currently unfixed in
the SeaMonkey binary ebuild, as no precompiled packages have been
released. Until an update is available, we recommend all SeaMonkey
users to disable JavaScript, use Firefox for JavaScript-enabled
browsing, or switch to the SeaMonkey source ebuild.
References
==========
[ 1 ] CVE-2007-4879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4879
[ 2 ] CVE-2008-0304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0304
[ 3 ] CVE-2008-0412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
[ 4 ] CVE-2008-0413
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0413
[ 5 ] CVE-2008-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0414
[ 6 ] CVE-2008-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0415
[ 7 ] CVE-2008-0416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416
[ 8 ] CVE-2008-0417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0417
[ 9 ] CVE-2008-0418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0418
[ 10 ] CVE-2008-0419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0419
[ 11 ] CVE-2008-0420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0420
[ 12 ] CVE-2008-0591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0591
[ 13 ] CVE-2008-0592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0592
[ 14 ] CVE-2008-0593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0593
[ 15 ] CVE-2008-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0594
[ 16 ] CVE-2008-1233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1233
[ 17 ] CVE-2008-1234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1234
[ 18 ] CVE-2008-1235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1235
[ 19 ] CVE-2008-1236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1236
[ 20 ] CVE-2008-1237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1237
[ 21 ] CVE-2008-1238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
[ 22 ] CVE-2008-1240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240
[ 23 ] CVE-2008-1241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
[ 24 ] CVE-2008-1380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200805-18.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ===========================================================
Ubuntu Security Notice USN-576-1 February 08, 2008
firefox vulnerabilities
CVE-2008-0412, CVE-2008-0413, CVE-2008-0414, CVE-2008-0415,
CVE-2008-0416, CVE-2008-0417, CVE-2008-0418, CVE-2008-0419,
CVE-2008-0420, CVE-2008-0591, CVE-2008-0592, CVE-2008-0593,
CVE-2008-0594
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
firefox 1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1
Ubuntu 6.10:
firefox 2.0.0.12+0nobinonly+2-0ubuntu0.6.10
Ubuntu 7.04:
firefox 2.0.0.12+1nobinonly+2-0ubuntu0.7.4
Ubuntu 7.10:
firefox 2.0.0.12+2nobinonly+2-0ubuntu0.7.10
After a standard system upgrade you need to restart firefox to effect
the necessary changes.
Details follow:
Various flaws were discovered in the browser and JavaScript engine.
(CVE-2008-0412, CVE-2008-0413)
Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be
uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in the JavaScript engine. (CVE-2008-0415)
Various flaws were discovered in character encoding handling. If a
user were ticked into opening a malicious web page, an attacker
could perform cross-site scripting attacks. (CVE-2008-0416)
Justin Dolske discovered a flaw in the password saving mechanism. By
tricking a user into opening a malicious web page, an attacker could
corrupt the user's stored passwords. Under certain circumstances, an
attacker may be able to load files or steal session data. Ubuntu is
not vulnerable in the default installation. A malicious website could exploit this to steal the user's
history information, crash the browser and/or possibly execute
arbitrary code with the user's privileges. (CVE-2008-0419)
Flaws were discovered in the BMP decoder. By tricking a user into
opening a specially crafted BMP file, an attacker could obtain
sensitive information. (CVE-2008-0420)
Michal Zalewski discovered flaws with timer-enabled security dialogs.
A malicious website could force the user to confirm a security dialog
without explicit consent. (CVE-2008-0592)
Martin Straka discovered flaws in stylesheet handling after a 302
redirect. By tricking a user into opening a malicious web page, an
attacker could obtain sensitive URL parameters. A
malicious website could exploit this to conduct phishing attacks
against the user. (CVE-2008-0594)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1.diff.gz
Size/MD5: 178154 2cf6b393f77f5b872ffac9f05901d86e
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1.dsc
Size/MD5: 1792 25c9c6c7c68cd2ffb437ff3c235ccf5b
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080202a.orig.tar.gz
Size/MD5: 48567134 5f38febe80dd0965ea410ac190a99a79
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_all.deb
Size/MD5: 53122 9b8108791fa1acc6a8cd36174d7e004f
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_all.deb
Size/MD5: 52236 39ada1e6aeb7b51289c70c71d0f8031e
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_amd64.deb
Size/MD5: 47575618 166e66c75fe45216b3ed03b2017ad9f9
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_amd64.deb
Size/MD5: 2863920 c4fb4492c9c0d33c5ee1ebaa90822add
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_amd64.deb
Size/MD5: 85508 22e0f29c67b28b7f268d13c47ff21b18
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_amd64.deb
Size/MD5: 9477254 da7188d3d1a255f46d703b7f9f4af558
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_amd64.deb
Size/MD5: 222308 66948fa52f626e2e94c277582dd9b419
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_amd64.deb
Size/MD5: 165292 f14d66384255da7196da5786244d7636
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_amd64.deb
Size/MD5: 247344 915feb3274a401c8cf7a026c6bcef55d
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_amd64.deb
Size/MD5: 824986 ee41c39f0dc78dcb269e2c849d7a959b
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_amd64.deb
Size/MD5: 219314 6ff861dde457e29b7d78cb0b485cc892
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_i386.deb
Size/MD5: 44132276 7d2488c56e8fc420b7d4b8741842a8d2
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_i386.deb
Size/MD5: 2863958 3e65d51503bf4220df6523ad788250c0
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_i386.deb
Size/MD5: 77834 58eaaaa178b0775221215bcbc18eb618
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_i386.deb
Size/MD5: 7986002 634c8d5dc00d42acac3319a6d8484401
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_i386.deb
Size/MD5: 222308 84d7212ebc789c76cbe907c1600a77e6
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_i386.deb
Size/MD5: 149850 9373d8373c10536f85d13a5a176889e3
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_i386.deb
Size/MD5: 247320 9ae55bba5c7cbe340db54c567fca6158
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_i386.deb
Size/MD5: 716594 5e6581e7b8f83755ee6182dc522a16d9
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_i386.deb
Size/MD5: 212712 42d4658e91e8dcab0cdc85b0da6ec700
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_powerpc.deb
Size/MD5: 48978594 143d1dd5a6ce245fc55c5083749aaecc
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_powerpc.deb
Size/MD5: 2864070 9c399a5d23e6338f5d663606a3c1fe6e
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_powerpc.deb
Size/MD5: 80948 c11c970fa9e3c95a2c7e28be5978d7ca
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_powerpc.deb
Size/MD5: 9097372 a1865d328a9fa56f46ae4fb1bd6757d9
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_powerpc.deb
Size/MD5: 222306 76bc431137ce8c72c4d097c15af86785
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_powerpc.deb
Size/MD5: 162552 309fd0bb01d24a983e187fe50da1e8ea
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_powerpc.deb
Size/MD5: 247346 d6d3ea02f9c3dd500d308215caa50fa8
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_powerpc.deb
Size/MD5: 815602 c939dd4eb7d5e514b86fb6756c3258c5
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_powerpc.deb
Size/MD5: 216154 f4f8d3b69f847ddfd238a8fbef952953
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_sparc.deb
Size/MD5: 45531866 273486483a76cc366c7f22d50a8e1585
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_sparc.deb
Size/MD5: 2864002 48d560e88b2a92576e1a4ee592297ce6
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_sparc.deb
Size/MD5: 79414 70c392f787204334116e9ce76f546a46
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_sparc.deb
Size/MD5: 8483442 3562cacfdf57585c037b651be2860162
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_sparc.deb
Size/MD5: 222310 6435f1625def65ad5cb1a9732ae035b4
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_sparc.deb
Size/MD5: 152438 79cc70393fa4b75cac01405f3bdaa830
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_sparc.deb
Size/MD5: 247346 530a4597f2708ddd246845dcd9948eaf
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_sparc.deb
Size/MD5: 727040 f954f2d179c4477caf4ac860dee0a3ee
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1_sparc.deb
Size/MD5: 213662 57bd9a62025696c9ac01aeb2c499004a
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+0nobinonly+2-0ubuntu0.6.10.diff.gz
Size/MD5: 321397 4a12ea7d4aff45a651e7169df59b66d1
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+0nobinonly+2-0ubuntu0.6.10.dsc
Size/MD5: 1880 d07152222f3bbbd54702964e6c484e5c
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+0nobinonly+2.orig.tar.gz
Size/MD5: 44800182 38c678dd75c578424a1c18876dd074c4
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_all.deb
Size/MD5: 238002 ac7bdaa151b30f01a44f46e65c8096d8
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_all.deb
Size/MD5: 56822 b9a0587c020e3e1ff251db1da16a3360
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dom-inspector_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_all.deb
Size/MD5: 56922 736209d00ed7a493ad632a595dc3e23e
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-gnome-support_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_all.deb
Size/MD5: 56934 65a72a74cd45970e0fdea2eacf97a19f
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_all.deb
Size/MD5: 57734 08259cf76e7911a1643f9dd34a5946e0
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_amd64.deb
Size/MD5: 50541330 aedaa6323fe786ac93a0361712fe2eef
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_amd64.deb
Size/MD5: 3181304 9de420a7be03b4f2dc7877d51d86641a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_amd64.deb
Size/MD5: 91280 77851caa28f9541474c579b2fcb58de8
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_amd64.deb
Size/MD5: 10459390 b794e9dca1f5985ac8f2de5e3021d04d
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_amd64.deb
Size/MD5: 226904 e1401fba7056cfed7bfb5c402c773223
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_amd64.deb
Size/MD5: 169286 ef4c54634455afec2b88618fee46b330
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_amd64.deb
Size/MD5: 251926 e8596b001554965f3a84a517c7eabdb7
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_amd64.deb
Size/MD5: 873158 3674842461178bb2118cd634d5ab50a5
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_i386.deb
Size/MD5: 49700122 488b37255f93579b4aa3d091438f0b07
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_i386.deb
Size/MD5: 3171304 e30a5b8ffac759624c9cec382cf076aa
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_i386.deb
Size/MD5: 84944 53061af8afe191476af93f7fd822c879
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_i386.deb
Size/MD5: 9275526 b79a270c10e7b0a53409ee7d2c47a958
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_i386.deb
Size/MD5: 226916 a70250bb5ca1ee549b8fd855ba0aac8b
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_i386.deb
Size/MD5: 158884 6b82381a44eb2d3a7fca63772f299cb0
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_i386.deb
Size/MD5: 251926 1475d73a2829eb9fd9d996b739386152
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_i386.deb
Size/MD5: 795256 e1f9c6278da78da5a15316fcaad8878b
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_powerpc.deb
Size/MD5: 52219576 c0aca4abff7994ed57feedd4b9fad3c6
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_powerpc.deb
Size/MD5: 3178480 51d9d70a821af1b86a0dbe3f1047b695
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_powerpc.deb
Size/MD5: 86810 d20daf80fe21dd441e76544d436b5a97
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_powerpc.deb
Size/MD5: 10120398 d9da66873e77ae9b151806369ea79999
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_powerpc.deb
Size/MD5: 226904 7f5b533329fa758c7119737c3c2932b6
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_powerpc.deb
Size/MD5: 167982 cf663fffe8e0cc731518ad9c2b927353
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_powerpc.deb
Size/MD5: 251958 af430564abd104b1a0d74c6601f9da21
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_powerpc.deb
Size/MD5: 870874 310fadfe6f3678646ddb0eb6905891ae
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_sparc.deb
Size/MD5: 49730348 02a7529d1ce21e8c80c1eacab37d32e9
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_sparc.deb
Size/MD5: 3167800 8540b1e6b3ed43155da0aabe6e9b9646
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_sparc.deb
Size/MD5: 84614 00db1446c0b00efd811f50d924dd5298
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+0nobinonly+2-0ubuntu0.6.10_sparc.deb
Size/MD5: 9546592 3258e1fbd28f510545f4083d1c4286ca
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_sparc.deb
Size/MD5: 226908 ec859ea978ee4faad18198557bd0b93a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_sparc.deb
Size/MD5: 156870 a08586da831b5189bb86b5613457be8c
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_sparc.deb
Size/MD5: 251942 154e0e0a90641ca61d02229f909c9afe
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.12+0nobinonly+2-0ubuntu0.6.10_sparc.deb
Size/MD5: 777010 15935c9b003f9246bee54b84150c87c1
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+1nobinonly+2-0ubuntu0.7.4.diff.gz
Size/MD5: 314990 26d843966dfcd15d09732da370613437
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+1nobinonly+2-0ubuntu0.7.4.dsc
Size/MD5: 1866 65a8df8593e51c9bd75384019fed4578
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+1nobinonly+2.orig.tar.gz
Size/MD5: 44800182 be1a3be614b123a5f65ef0631cc3ba57
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_all.deb
Size/MD5: 243402 da8caba52c3c82557d4821d770299ecc
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_all.deb
Size/MD5: 58762 45baf9be97557e8b91d2943ca6ba41e6
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dom-inspector_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_all.deb
Size/MD5: 58856 42d6160c4ce8fdb5bf9a37293aa53b1c
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-gnome-support_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_all.deb
Size/MD5: 58870 9dd7670172ef63a5c95a8e0d0b3b2b96
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_all.deb
Size/MD5: 59670 492308cc265c713ffddb255884c4e504
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_amd64.deb
Size/MD5: 50542618 2ca3b30b33b3b999071a16abf8bcd13c
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_amd64.deb
Size/MD5: 3184070 271fa86786f418711a313712877eea98
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_amd64.deb
Size/MD5: 92594 5143ea4adbda306600aee9af86ce77fe
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_amd64.deb
Size/MD5: 62572 a4e2e6b0064c79138f3b2bfa91ac97d1
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_amd64.deb
Size/MD5: 10471176 175a2d6fa77654b739398a2a9d1d03ac
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_amd64.deb
Size/MD5: 228738 30a1385156baa2a9f24b78c129412f18
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_amd64.deb
Size/MD5: 174270 3849519034a0821095cd70f444507d99
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_amd64.deb
Size/MD5: 253900 7b383ef692d89ab55dae43836b2fdd0a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_amd64.deb
Size/MD5: 880882 8ba385f8afc6037a95707fcb7b23b46d
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_i386.deb
Size/MD5: 49691234 29f617919ad489ca52ee6b81f01c5cbd
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_i386.deb
Size/MD5: 3174990 188a68b01767bc4cca87d3d25337e017
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_i386.deb
Size/MD5: 86790 1e73455e05a6171cc71210f322db025f
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_i386.deb
Size/MD5: 61972 35aeae2f74e57deddf75cc940927b666
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_i386.deb
Size/MD5: 9276348 4801d027bd0a419209a7192eb6b2e5b0
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_i386.deb
Size/MD5: 228752 70786d226354b7dfe928f8a627faf0e9
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_i386.deb
Size/MD5: 163166 9a04fc6540e7b8adf3fb170cadec304d
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_i386.deb
Size/MD5: 253906 fc119126017f04c5b56c3d6f34afdc72
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_i386.deb
Size/MD5: 802282 348a087da1e50abdcc82ab5e540e9f0b
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_powerpc.deb
Size/MD5: 52204680 048216fdda7b51cc351f5282152dae0a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_powerpc.deb
Size/MD5: 3186926 b6bbe9c19c9f915cff028058a9703485
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_powerpc.deb
Size/MD5: 90636 60db1e12e8d6324c854217356713ed9a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_powerpc.deb
Size/MD5: 62806 ae3c6db90b09e7343a43bb2d2506776a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_powerpc.deb
Size/MD5: 10350504 084e73de7223b081b0a34c4f05cd8e5e
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_powerpc.deb
Size/MD5: 228746 a19d7edc4e883b4325a65679a4b53f2b
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_powerpc.deb
Size/MD5: 179910 2ed7a05241f477e018235dadeaa0a180
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_powerpc.deb
Size/MD5: 253906 2d7306a969e66f7ba62020ec9683c5d2
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_powerpc.deb
Size/MD5: 890490 0611974c638cc23f8bb0e64dd5fb1204
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_sparc.deb
Size/MD5: 49727862 0b04e498c69841fba2fb44c0026b9360
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_sparc.deb
Size/MD5: 3173504 a3e8070e87df04e2e1178793a3c28ebb
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_sparc.deb
Size/MD5: 86486 e4e8c5fa9661d7f2883a64c9c913955a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_sparc.deb
Size/MD5: 62030 b8cba7f28f9ad581adb2952b0cd27778
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+1nobinonly+2-0ubuntu0.7.4_sparc.deb
Size/MD5: 9557480 d914a1f143d06130139ebbaf299a998a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_sparc.deb
Size/MD5: 228734 0b7a1e9e9c4e8e4dd30faa51715b9b3a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_sparc.deb
Size/MD5: 161968 6d1e3b53500017050fcd6ad5f797a34c
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_sparc.deb
Size/MD5: 253912 e997d59184566bb92afd170e3d6e16ae
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.12+1nobinonly+2-0ubuntu0.7.4_sparc.deb
Size/MD5: 796038 b7db09f4ad1a2271524d745c807eec0e
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+2nobinonly+2-0ubuntu0.7.10.diff.gz
Size/MD5: 192967 f613f26149f995bb2d90897640751c55
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+2nobinonly+2-0ubuntu0.7.10.dsc
Size/MD5: 1831 10cc37e4a7a8b1ef9913c4336e139e34
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+2nobinonly+2.orig.tar.gz
Size/MD5: 34952512 361be132e02f7583555fdb5909138bdf
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_all.deb
Size/MD5: 200720 e85d0d26bbba30c7cf1acd8539d4ce5d
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_amd64.deb
Size/MD5: 77918994 5e5b6abb9c51f6f991f1270f9fac5c7b
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_amd64.deb
Size/MD5: 3195186 0ea7fd2d7e532bdc5676988b36643cc7
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_amd64.deb
Size/MD5: 98086 ab6e4e54dfb6700e405f5a4004e5f817
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_amd64.deb
Size/MD5: 67082 ff21fe32334e31142459446bf7f7aad7
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_amd64.deb
Size/MD5: 10442880 36de6e6c9f3f34f5eea1b88abce14c6a
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_i386.deb
Size/MD5: 77067198 da3fb93ae70ee78f63495d8ebfe5a356
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_i386.deb
Size/MD5: 3182764 fb3bbf088ecea048f3f163a2ba7aa84d
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_i386.deb
Size/MD5: 91770 4384731b32d52be25ff6e419bf2ec269
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_i386.deb
Size/MD5: 66370 3d301f5fe0766f685ac0cad7766af38b
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_i386.deb
Size/MD5: 9189236 7a8f9a6523ed805b0edb42d9f688fbbc
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_powerpc.deb
Size/MD5: 80531802 0e94eeb3d506799508eb354f7a067b52
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_powerpc.deb
Size/MD5: 3198570 31ca5d436b1510aeb40d98da1e80b6ba
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_powerpc.deb
Size/MD5: 96114 e30b3fc0ee76304c61b36ae059510ba0
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_powerpc.deb
Size/MD5: 67356 6374a01034d982e01e973cd6544f7c5c
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_powerpc.deb
Size/MD5: 10285072 40e7d114d1f2adba2d8be70f40acbfbe
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_sparc.deb
Size/MD5: 77899398 bf815b834944a0a8097c79ae2da6f188
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_sparc.deb
Size/MD5: 3180268 90be06ecf15c876086c03c5910d2e575
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_sparc.deb
Size/MD5: 91548 33215f4ce2e598f29cde37ab518b555e
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_sparc.deb
Size/MD5: 66446 9db9ae28f9b571e27a524f087e8e0f31
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+2nobinonly+2-0ubuntu0.7.10_sparc.deb
Size/MD5: 9436014 697d38db0d9a9d1718fe94aacf3f2abb
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2008:048
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-firefox
Date : February 22, 2008
Affected: 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
A number of security vulnerabilities have been discovered and corrected
in the latest Mozilla Firefox program, version 2.0.0.12.
This update provides the latest Firefox to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0413
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0594
http://www.mozilla.org/security/announce/2008/mfsa2008-01.html
http://www.mozilla.org/security/announce/2008/mfsa2008-02.html
http://www.mozilla.org/security/announce/2008/mfsa2008-03.html
http://www.mozilla.org/security/announce/2008/mfsa2008-04.html
http://www.mozilla.org/security/announce/2008/mfsa2008-05.html
http://www.mozilla.org/security/announce/2008/mfsa2008-06.html
http://www.mozilla.org/security/announce/2008/mfsa2008-07.html
http://www.mozilla.org/security/announce/2008/mfsa2008-08.html
http://www.mozilla.org/security/announce/2008/mfsa2008-09.html
http://www.mozilla.org/security/announce/2008/mfsa2008-10.html
http://www.mozilla.org/security/announce/2008/mfsa2008-11.html
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.1:
1dc2a51ff44cabe490f34da3faa33c23 2007.1/i586/deskbar-applet-2.18.0-3.6mdv2007.1.i586.rpm
80ddb753b767b007fdcb81a92c0f905b 2007.1/i586/devhelp-0.13-3.6mdv2007.1.i586.rpm
2cad046fa470433fa1e1e3d61a17db64 2007.1/i586/devhelp-plugins-0.13-3.6mdv2007.1.i586.rpm
c77299cbaf51d2c3750463c896a80b1d 2007.1/i586/eclipse-ecj-3.2.2-3.4.4mdv2007.1.i586.rpm
3452bf648a7ac439ae811c4e5fc8a63c 2007.1/i586/eclipse-jdt-3.2.2-3.4.4mdv2007.1.i586.rpm
c52d7efbb414850069093958810d546c 2007.1/i586/eclipse-jdt-sdk-3.2.2-3.4.4mdv2007.1.i586.rpm
9342cf09d7d08ab5f76012ffe9110068 2007.1/i586/eclipse-pde-3.2.2-3.4.4mdv2007.1.i586.rpm
902df90494957eb8cb3dfc65cd79dd3e 2007.1/i586/eclipse-pde-runtime-3.2.2-3.4.4mdv2007.1.i586.rpm
b7921f5695807ed0cbde79f89b022fd6 2007.1/i586/eclipse-pde-sdk-3.2.2-3.4.4mdv2007.1.i586.rpm
e30bda4a05f799ec477adddea26ad2e7 2007.1/i586/eclipse-platform-3.2.2-3.4.4mdv2007.1.i586.rpm
b96010dc64a374151aeedbc08f990939 2007.1/i586/eclipse-platform-sdk-3.2.2-3.4.4mdv2007.1.i586.rpm
7509249502add24a8c879fc07a9045cc 2007.1/i586/eclipse-rcp-3.2.2-3.4.4mdv2007.1.i586.rpm
7b61437abc5b8bcb124d6bffbc00f07c 2007.1/i586/eclipse-rcp-sdk-3.2.2-3.4.4mdv2007.1.i586.rpm
fed3c9c51dfaefaf915f9e7099156d91 2007.1/i586/eclipse-sdk-3.2.2-3.4.4mdv2007.1.i586.rpm
72d3dc507d444eba52b19bd23599ff8e 2007.1/i586/epiphany-2.18.0-5.6mdv2007.1.i586.rpm
c81f9314f3ec6e9d6983f33a3ebd8e94 2007.1/i586/epiphany-devel-2.18.0-5.6mdv2007.1.i586.rpm
92f2517dc7879a37de1c45656c5a3a72 2007.1/i586/epiphany-extensions-2.18.0-2.5mdv2007.1.i586.rpm
d3c955c6add34c6fcf10d96b79d1841a 2007.1/i586/galeon-2.0.3-5.6mdv2007.1.i586.rpm
36f325c6b4ecdc139547e8813f17cd90 2007.1/i586/gnome-python-extras-2.14.3-4.6mdv2007.1.i586.rpm
16d211d490987d4fdfafe820d0e37280 2007.1/i586/gnome-python-gda-2.14.3-4.6mdv2007.1.i586.rpm
784f949debd848dc8b04085d4ed878cb 2007.1/i586/gnome-python-gda-devel-2.14.3-4.6mdv2007.1.i586.rpm
3298cadecd4f531d47c93aaf6c2b61b8 2007.1/i586/gnome-python-gdl-2.14.3-4.6mdv2007.1.i586.rpm
c90b8d88b8516482b9fbb81b962a52e0 2007.1/i586/gnome-python-gksu-2.14.3-4.6mdv2007.1.i586.rpm
aaddc4ccb1380f59a1577d0928950c0d 2007.1/i586/gnome-python-gtkhtml2-2.14.3-4.6mdv2007.1.i586.rpm
31e67c0db16a843c954d18e9040d3924 2007.1/i586/gnome-python-gtkmozembed-2.14.3-4.6mdv2007.1.i586.rpm
fd2a2e1bd9678f78441d7f0388fc50cd 2007.1/i586/gnome-python-gtkspell-2.14.3-4.6mdv2007.1.i586.rpm
2be331921ac0abd4935f2b7e53485558 2007.1/i586/libdevhelp-1_0-0.13-3.6mdv2007.1.i586.rpm
04b8a0a918e5fa4d5d4c9a5ed7ff137f 2007.1/i586/libdevhelp-1_0-devel-0.13-3.6mdv2007.1.i586.rpm
a3782afaa71b91224e3ac035790346f4 2007.1/i586/libmozilla-firefox-devel-2.0.0.12-1.1mdv2007.1.i586.rpm
14cfb1d5f4cf1f065bfca906ff150a4b 2007.1/i586/libmozilla-firefox2.0.0.12-2.0.0.12-1.1mdv2007.1.i586.rpm
c1426c2e93cc901fe35392ff7cb6c685 2007.1/i586/libswt3-gtk2-3.2.2-3.4.4mdv2007.1.i586.rpm
ae1601c5b5f88a7f515284650233983d 2007.1/i586/libtotem-plparser1-2.18.2-1.7mdv2007.1.i586.rpm
c22fc1a859983aa85742e604312f80fa 2007.1/i586/libtotem-plparser1-devel-2.18.2-1.7mdv2007.1.i586.rpm
4eb9fbb0119091748feb9889a3c306a7 2007.1/i586/mozilla-firefox-2.0.0.12-1.1mdv2007.1.i586.rpm
df4485c865ccd7c3242fbe27af182c0d 2007.1/i586/mozilla-firefox-af-2.0.0.12-1mdv2007.1.i586.rpm
3ec20a7b73357ba854ff1cdc1a7cb2b3 2007.1/i586/mozilla-firefox-ar-2.0.0.12-1mdv2007.1.i586.rpm
6fa279489d73c1c4d6a34229d3a153eb 2007.1/i586/mozilla-firefox-be-2.0.0.12-1mdv2007.1.i586.rpm
53bcab0c1e1d67ae7a1a5ac75c5ce494 2007.1/i586/mozilla-firefox-bg-2.0.0.12-1mdv2007.1.i586.rpm
314e0e5ae9425a42b1e439f3396f89f8 2007.1/i586/mozilla-firefox-br_FR-2.0.0.12-1mdv2007.1.i586.rpm
0254a1f48e4ded8678dd112363c29c74 2007.1/i586/mozilla-firefox-ca-2.0.0.12-1mdv2007.1.i586.rpm
e686d9fdd625fc13b3cffa97c5508eb4 2007.1/i586/mozilla-firefox-cs-2.0.0.12-1mdv2007.1.i586.rpm
7ee117f20fe64cadd3e14451719fe7c4 2007.1/i586/mozilla-firefox-da-2.0.0.12-1mdv2007.1.i586.rpm
e7d93e623d8a95f3e6a4e841ecb6dced 2007.1/i586/mozilla-firefox-de-2.0.0.12-1mdv2007.1.i586.rpm
19f90053d81fdc8c1f29f243f042c016 2007.1/i586/mozilla-firefox-el-2.0.0.12-1mdv2007.1.i586.rpm
7ebf410bb0505ca52e0ffb64cd436db1 2007.1/i586/mozilla-firefox-en_GB-2.0.0.12-1mdv2007.1.i586.rpm
c7708420fc247bac083598e09d54abd1 2007.1/i586/mozilla-firefox-es_AR-2.0.0.12-1mdv2007.1.i586.rpm
4bbb4b75f4ce7b2bce3228ee97f83f92 2007.1/i586/mozilla-firefox-es_ES-2.0.0.12-1mdv2007.1.i586.rpm
8a094d00259121d38a34381aef52dc77 2007.1/i586/mozilla-firefox-et_EE-2.0.0.12-1mdv2007.1.i586.rpm
6d7633f405a110a436fe06811a8e2b28 2007.1/i586/mozilla-firefox-eu-2.0.0.12-1mdv2007.1.i586.rpm
00277d0faba3c092d074726f23b479ce 2007.1/i586/mozilla-firefox-fi-2.0.0.12-1mdv2007.1.i586.rpm
a6a7478985d1feb54502161b7bf61de3 2007.1/i586/mozilla-firefox-fr-2.0.0.12-1mdv2007.1.i586.rpm
33fc849c8b3300eb2d93b74e0a21fe9a 2007.1/i586/mozilla-firefox-fy-2.0.0.12-1mdv2007.1.i586.rpm
aeae2cbbc738a25a1024bdd0fa4b3ab3 2007.1/i586/mozilla-firefox-ga-2.0.0.12-1mdv2007.1.i586.rpm
cc28a619f49f76efbb86f80f603078a6 2007.1/i586/mozilla-firefox-gu_IN-2.0.0.12-1mdv2007.1.i586.rpm
9de2102b85eeb76f490abd37c391190a 2007.1/i586/mozilla-firefox-he-2.0.0.12-1mdv2007.1.i586.rpm
e85f6cdb1a60b5a3de9ca2b562660db4 2007.1/i586/mozilla-firefox-hu-2.0.0.12-1mdv2007.1.i586.rpm
3e3c83e797cdbaace62aa33cd55a37ca 2007.1/i586/mozilla-firefox-it-2.0.0.12-1mdv2007.1.i586.rpm
a5a3cc4cf13557ba72885fa57a3ccfa8 2007.1/i586/mozilla-firefox-ja-2.0.0.12-1mdv2007.1.i586.rpm
d39b98fead3b78e7e2f6b03855421bf0 2007.1/i586/mozilla-firefox-ka-2.0.0.12-1mdv2007.1.i586.rpm
1e22b2f9d416fe38a09c5c58ac694b54 2007.1/i586/mozilla-firefox-ko-2.0.0.12-1mdv2007.1.i586.rpm
5c390f65e4992c416fe7ba2719fee970 2007.1/i586/mozilla-firefox-ku-2.0.0.12-1mdv2007.1.i586.rpm
cf66aee1be149bb504491f8a0640f3c1 2007.1/i586/mozilla-firefox-lt-2.0.0.12-1mdv2007.1.i586.rpm
3b347807ab3cfc861833ae72932b7c47 2007.1/i586/mozilla-firefox-mk-2.0.0.12-1mdv2007.1.i586.rpm
d300ac9b315aa0f8ba351e9599871d85 2007.1/i586/mozilla-firefox-mn-2.0.0.12-1mdv2007.1.i586.rpm
5a94beccbed4dbfaaa911e00f75f4ae0 2007.1/i586/mozilla-firefox-nb_NO-2.0.0.12-1mdv2007.1.i586.rpm
6b7f3de774ca6aaec82dd2d4d8898a65 2007.1/i586/mozilla-firefox-nl-2.0.0.12-1mdv2007.1.i586.rpm
3d9f959c201905dd349e5d7df9613fe9 2007.1/i586/mozilla-firefox-nn_NO-2.0.0.12-1mdv2007.1.i586.rpm
d0e6271d86772a36bbeb86d902f186ec 2007.1/i586/mozilla-firefox-pa_IN-2.0.0.12-1mdv2007.1.i586.rpm
1654c8644d33ddfad6877bcc07c7df6e 2007.1/i586/mozilla-firefox-pl-2.0.0.12-1mdv2007.1.i586.rpm
2915c604f7179029fcf46bb7110af6e3 2007.1/i586/mozilla-firefox-pt_BR-2.0.0.12-1mdv2007.1.i586.rpm
70a326e01d4b7dcdcf2098f83d003ea4 2007.1/i586/mozilla-firefox-pt_PT-2.0.0.12-1mdv2007.1.i586.rpm
7c43e07b436e083ba15123c2cd3aa70a 2007.1/i586/mozilla-firefox-ro-2.0.0.12-1mdv2007.1.i586.rpm
d0f26cad526ba1c6e7ac41dbbb34f727 2007.1/i586/mozilla-firefox-ru-2.0.0.12-1mdv2007.1.i586.rpm
0a39286f36e0b5688a293c06de29d8d9 2007.1/i586/mozilla-firefox-sk-2.0.0.12-1mdv2007.1.i586.rpm
2e4dfeab9aa0649f12787519119da6e2 2007.1/i586/mozilla-firefox-sl-2.0.0.12-1mdv2007.1.i586.rpm
c0224a7f560da293f8825d08a5a3ddae 2007.1/i586/mozilla-firefox-sv_SE-2.0.0.12-1mdv2007.1.i586.rpm
39c1a65a74784d086b7756f523a3761e 2007.1/i586/mozilla-firefox-tr-2.0.0.12-1mdv2007.1.i586.rpm
3fb92f19448371ff7b26734df8e46370 2007.1/i586/mozilla-firefox-uk-2.0.0.12-1mdv2007.1.i586.rpm
7e562d06f2fff28067f1cd15f5733af2 2007.1/i586/mozilla-firefox-zh_CN-2.0.0.12-1mdv2007.1.i586.rpm
3098f92ec1c67b2e170fd4ff1730388a 2007.1/i586/mozilla-firefox-zh_TW-2.0.0.12-1mdv2007.1.i586.rpm
1bb36cf0ce6f55517a3473366c494087 2007.1/i586/totem-2.18.2-1.7mdv2007.1.i586.rpm
3be505bd7ca427a7012d496724e94b52 2007.1/i586/totem-common-2.18.2-1.7mdv2007.1.i586.rpm
ae1f2d358274545d78288c02943d68d2 2007.1/i586/totem-gstreamer-2.18.2-1.7mdv2007.1.i586.rpm
a5a82195f23ea5b2adc90368cd7ca1c4 2007.1/i586/totem-mozilla-2.18.2-1.7mdv2007.1.i586.rpm
6eea23a51e4b6c6167d160fd6a283e80 2007.1/i586/totem-mozilla-gstreamer-2.18.2-1.7mdv2007.1.i586.rpm
70b76b7eb83ca3c44b885ebbf545a9e7 2007.1/i586/yelp-2.18.0-3.6mdv2007.1.i586.rpm
22d9b3b7e5698b47fccc3a6357fec6e4 2007.1/SRPMS/deskbar-applet-2.18.0-3.6mdv2007.1.src.rpm
3cf093179a5d711a1532960931d4c069 2007.1/SRPMS/devhelp-0.13-3.6mdv2007.1.src.rpm
824c26cd3bf015fa907e8c870b083297 2007.1/SRPMS/eclipse-3.2.2-3.4.4mdv2007.1.src.rpm
9c3cec104d4eda89c867added6371874 2007.1/SRPMS/epiphany-2.18.0-5.6mdv2007.1.src.rpm
1b6f481d3645ae3d5cb5765a7c456d2a 2007.1/SRPMS/epiphany-extensions-2.18.0-2.5mdv2007.1.src.rpm
759216aff8dc1d14d5de891bc7745d6f 2007.1/SRPMS/galeon-2.0.3-5.6mdv2007.1.src.rpm
3304dc108695e6197e6b30ee03a51a09 2007.1/SRPMS/gnome-python-extras-2.14.3-4.6mdv2007.1.src.rpm
478ad85c7863af6629ac7234debdfbfa 2007.1/SRPMS/mozilla-firefox-2.0.0.12-1.1mdv2007.1.src.rpm
bd76471a2d41c2578b18939415e03b8e 2007.1/SRPMS/mozilla-firefox-l10n-2.0.0.12-1mdv2007.1.src.rpm
9747016f17a8f616419f1b7c4e49dc1f 2007.1/SRPMS/totem-2.18.2-1.7mdv2007.1.src.rpm
f1d428e2757775ec76d83f3be78e6717 2007.1/SRPMS/yelp-2.18.0-3.6mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64:
691e999c390c5cf9eb7cfa9f7cb36924 2007.1/x86_64/deskbar-applet-2.18.0-3.6mdv2007.1.x86_64.rpm
caa9f1692901e91890216f893c269ff3 2007.1/x86_64/devhelp-0.13-3.6mdv2007.1.x86_64.rpm
05550c4ecdcdf3ae7d888bc0d194a56d 2007.1/x86_64/devhelp-plugins-0.13-3.6mdv2007.1.x86_64.rpm
153b61edcf077ebdfe1f6386bce919d4 2007.1/x86_64/eclipse-ecj-3.2.2-3.4.4mdv2007.1.x86_64.rpm
1ab1d18860b8f590f50f86b0d0fdb681 2007.1/x86_64/eclipse-jdt-3.2.2-3.4.4mdv2007.1.x86_64.rpm
7f59734a966380ae07ee9e120c756d8c 2007.1/x86_64/eclipse-jdt-sdk-3.2.2-3.4.4mdv2007.1.x86_64.rpm
1d0a61206b3302cb3cfe605d61ab7d40 2007.1/x86_64/eclipse-pde-3.2.2-3.4.4mdv2007.1.x86_64.rpm
bb9ba6e6dec65f143c40490f3481570d 2007.1/x86_64/eclipse-pde-runtime-3.2.2-3.4.4mdv2007.1.x86_64.rpm
18c9205dc80f71951461c58379409e71 2007.1/x86_64/eclipse-pde-sdk-3.2.2-3.4.4mdv2007.1.x86_64.rpm
6feda46822a9638d68e0de48c9f29047 2007.1/x86_64/eclipse-platform-3.2.2-3.4.4mdv2007.1.x86_64.rpm
1c32336de45e3ce2ba59af7636cb9fd3 2007.1/x86_64/eclipse-platform-sdk-3.2.2-3.4.4mdv2007.1.x86_64.rpm
d05a8a18748ad28155eb7ae936d2c015 2007.1/x86_64/eclipse-rcp-3.2.2-3.4.4mdv2007.1.x86_64.rpm
8667c57ea4479c6644d1ec77d03f6cc6 2007.1/x86_64/eclipse-rcp-sdk-3.2.2-3.4.4mdv2007.1.x86_64.rpm
cf8bc4f82183b304e20958115202fee5 2007.1/x86_64/eclipse-sdk-3.2.2-3.4.4mdv2007.1.x86_64.rpm
eee890a0b8e76f6509553c9879ac7ecb 2007.1/x86_64/epiphany-2.18.0-5.6mdv2007.1.x86_64.rpm
2dde2d8ddd4c287934b165c4a7119e7f 2007.1/x86_64/epiphany-devel-2.18.0-5.6mdv2007.1.x86_64.rpm
061ec1797d29f4e37ee64cc2826fc39d 2007.1/x86_64/epiphany-extensions-2.18.0-2.5mdv2007.1.x86_64.rpm
bcbaf29656b30c1dcd3fa6d1dc515816 2007.1/x86_64/galeon-2.0.3-5.6mdv2007.1.x86_64.rpm
6ab0f8d7437d253249befd970638e2c7 2007.1/x86_64/gnome-python-extras-2.14.3-4.6mdv2007.1.x86_64.rpm
4397d9794afae4426228e3e8b727f0d5 2007.1/x86_64/gnome-python-gda-2.14.3-4.6mdv2007.1.x86_64.rpm
d44dc156c11bd6da8865f2844e1e8a7d 2007.1/x86_64/gnome-python-gda-devel-2.14.3-4.6mdv2007.1.x86_64.rpm
80e48e7b6320ddd111b3d61f1d55982d 2007.1/x86_64/gnome-python-gdl-2.14.3-4.6mdv2007.1.x86_64.rpm
2273f742d50b47c2554a66d86650b009 2007.1/x86_64/gnome-python-gksu-2.14.3-4.6mdv2007.1.x86_64.rpm
54263146b6cc46aec4a9430fda19b612 2007.1/x86_64/gnome-python-gtkhtml2-2.14.3-4.6mdv2007.1.x86_64.rpm
fa6ad140bec40b0682771394682109c3 2007.1/x86_64/gnome-python-gtkmozembed-2.14.3-4.6mdv2007.1.x86_64.rpm
30bb203d5086759c5f9f1c6f9b6f0dc2 2007.1/x86_64/gnome-python-gtkspell-2.14.3-4.6mdv2007.1.x86_64.rpm
92485911c16bcb95a571558f3622bfd4 2007.1/x86_64/lib64devhelp-1_0-0.13-3.6mdv2007.1.x86_64.rpm
426e40e910923b6c03462d095f1bb94c 2007.1/x86_64/lib64devhelp-1_0-devel-0.13-3.6mdv2007.1.x86_64.rpm
797a51d03672c1eb95bc2d55bd807488 2007.1/x86_64/lib64mozilla-firefox-devel-2.0.0.12-1.1mdv2007.1.x86_64.rpm
414dba6c0d00a4d43437c59f2a8d90f1 2007.1/x86_64/lib64mozilla-firefox2.0.0.12-2.0.0.12-1.1mdv2007.1.x86_64.rpm
e26d4695678e9f68ca749593a1b66f1b 2007.1/x86_64/lib64totem-plparser1-2.18.2-1.7mdv2007.1.x86_64.rpm
8624b056389ff1fe9f33a64cff081e26 2007.1/x86_64/lib64totem-plparser1-devel-2.18.2-1.7mdv2007.1.x86_64.rpm
644e3bd650625950e6b3310b457d5833 2007.1/x86_64/libswt3-gtk2-3.2.2-3.4.4mdv2007.1.x86_64.rpm
a394cb43cf1289cd37f50ec5127a8590 2007.1/x86_64/mozilla-firefox-2.0.0.12-1.1mdv2007.1.x86_64.rpm
c74672f4d61902a3ce298c7f866c52e9 2007.1/x86_64/mozilla-firefox-af-2.0.0.12-1mdv2007.1.x86_64.rpm
12ee1223b0e97842108fe817fe458053 2007.1/x86_64/mozilla-firefox-ar-2.0.0.12-1mdv2007.1.x86_64.rpm
3942350467f9d5799eade58164a34a4e 2007.1/x86_64/mozilla-firefox-be-2.0.0.12-1mdv2007.1.x86_64.rpm
3413e28dec7ed97eee32fb74d6188548 2007.1/x86_64/mozilla-firefox-bg-2.0.0.12-1mdv2007.1.x86_64.rpm
ebd359e9a0af27364e8e4405868a3b3b 2007.1/x86_64/mozilla-firefox-br_FR-2.0.0.12-1mdv2007.1.x86_64.rpm
a08ea8ae48ccb304988a23a561e29e60 2007.1/x86_64/mozilla-firefox-ca-2.0.0.12-1mdv2007.1.x86_64.rpm
147188b2d31441d61466d8c91a9a9462 2007.1/x86_64/mozilla-firefox-cs-2.0.0.12-1mdv2007.1.x86_64.rpm
202afdddc582f8d1f5d94c0aaa0197fd 2007.1/x86_64/mozilla-firefox-da-2.0.0.12-1mdv2007.1.x86_64.rpm
0f3b150c43264b7e3c0c136296390039 2007.1/x86_64/mozilla-firefox-de-2.0.0.12-1mdv2007.1.x86_64.rpm
89e515ffe77b69719efec99a589ce5c1 2007.1/x86_64/mozilla-firefox-el-2.0.0.12-1mdv2007.1.x86_64.rpm
76a281bbd0d3428ebfd593c7eb9f679d 2007.1/x86_64/mozilla-firefox-en_GB-2.0.0.12-1mdv2007.1.x86_64.rpm
e6ac662a04be6997f7d4dbabefe18927 2007.1/x86_64/mozilla-firefox-es_AR-2.0.0.12-1mdv2007.1.x86_64.rpm
8de715af8d0e56385170c247d98ea630 2007.1/x86_64/mozilla-firefox-es_ES-2.0.0.12-1mdv2007.1.x86_64.rpm
abc53ce2f60b1340d1195df5933e7f27 2007.1/x86_64/mozilla-firefox-et_EE-2.0.0.12-1mdv2007.1.x86_64.rpm
8252457050a0027280c413e0105f5853 2007.1/x86_64/mozilla-firefox-eu-2.0.0.12-1mdv2007.1.x86_64.rpm
0465a7b839901eddf832606d39f68be3 2007.1/x86_64/mozilla-firefox-fi-2.0.0.12-1mdv2007.1.x86_64.rpm
9021350fcc01ade20d8ab9b0933959b9 2007.1/x86_64/mozilla-firefox-fr-2.0.0.12-1mdv2007.1.x86_64.rpm
d6a7795dcce490cac731e59989987b30 2007.1/x86_64/mozilla-firefox-fy-2.0.0.12-1mdv2007.1.x86_64.rpm
4c060eb74bc1d46ac492ae671c5507bd 2007.1/x86_64/mozilla-firefox-ga-2.0.0.12-1mdv2007.1.x86_64.rpm
62844d52a90dc6a9c28a454df93e0582 2007.1/x86_64/mozilla-firefox-gu_IN-2.0.0.12-1mdv2007.1.x86_64.rpm
9120e7c5436e0d729dd302f96c979967 2007.1/x86_64/mozilla-firefox-he-2.0.0.12-1mdv2007.1.x86_64.rpm
337d8a3ddc147972b8137d25dd884c37 2007.1/x86_64/mozilla-firefox-hu-2.0.0.12-1mdv2007.1.x86_64.rpm
3c93704f70f2b328228c773f57f94275 2007.1/x86_64/mozilla-firefox-it-2.0.0.12-1mdv2007.1.x86_64.rpm
ccc3536e636482c5cc78b9fd255b7f46 2007.1/x86_64/mozilla-firefox-ja-2.0.0.12-1mdv2007.1.x86_64.rpm
5a5e4c41bd5069a93a535664255d452d 2007.1/x86_64/mozilla-firefox-ka-2.0.0.12-1mdv2007.1.x86_64.rpm
45a443556cb2e1bf89ba8400b9853ed6 2007.1/x86_64/mozilla-firefox-ko-2.0.0.12-1mdv2007.1.x86_64.rpm
6b8837513ae819d26f5dfe8b965f2e64 2007.1/x86_64/mozilla-firefox-ku-2.0.0.12-1mdv2007.1.x86_64.rpm
b8f56a62ca7c5148e046915b7b06f3dd 2007.1/x86_64/mozilla-firefox-lt-2.0.0.12-1mdv2007.1.x86_64.rpm
3dc8413b89cc07e3a28e954bddf76a6d 2007.1/x86_64/mozilla-firefox-mk-2.0.0.12-1mdv2007.1.x86_64.rpm
4b16b86e7c13acfbe81a23f1075b8c79 2007.1/x86_64/mozilla-firefox-mn-2.0.0.12-1mdv2007.1.x86_64.rpm
95c62278ac3eb8ec53302f9b07622358 2007.1/x86_64/mozilla-firefox-nb_NO-2.0.0.12-1mdv2007.1.x86_64.rpm
61f0aeb307a99a9dcd14505a4c37bcee 2007.1/x86_64/mozilla-firefox-nl-2.0.0.12-1mdv2007.1.x86_64.rpm
974cc15e998b6a0da384f7da17795041 2007.1/x86_64/mozilla-firefox-nn_NO-2.0.0.12-1mdv2007.1.x86_64.rpm
15ba737cf9ced004ce71550ab3d9876b 2007.1/x86_64/mozilla-firefox-pa_IN-2.0.0.12-1mdv2007.1.x86_64.rpm
664f9a441cd31d92783ddc48e537ce4e 2007.1/x86_64/mozilla-firefox-pl-2.0.0.12-1mdv2007.1.x86_64.rpm
d839b414d813ff733637121d5dfc9597 2007.1/x86_64/mozilla-firefox-pt_BR-2.0.0.12-1mdv2007.1.x86_64.rpm
cc322abde304375cb3593656f439dd4a 2007.1/x86_64/mozilla-firefox-pt_PT-2.0.0.12-1mdv2007.1.x86_64.rpm
03ee8f92667603edc0dfbd3d25d98a91 2007.1/x86_64/mozilla-firefox-ro-2.0.0.12-1mdv2007.1.x86_64.rpm
f0d1391e46f5ba33ae6b46f96afcbb62 2007.1/x86_64/mozilla-firefox-ru-2.0.0.12-1mdv2007.1.x86_64.rpm
2373c8b353b75a989409c95c8a3376b0 2007.1/x86_64/mozilla-firefox-sk-2.0.0.12-1mdv2007.1.x86_64.rpm
5a4e7d321490dbdae8f0d1c391033cf4 2007.1/x86_64/mozilla-firefox-sl-2.0.0.12-1mdv2007.1.x86_64.rpm
6e30e25e08cd23fa9783800aaeb17d38 2007.1/x86_64/mozilla-firefox-sv_SE-2.0.0.12-1mdv2007.1.x86_64.rpm
47f3e27f3e000924f81404f3cda222cc 2007.1/x86_64/mozilla-firefox-tr-2.0.0.12-1mdv2007.1.x86_64.rpm
2e843cc9a0ad5527f097840b3482e93d 2007.1/x86_64/mozilla-firefox-uk-2.0.0.12-1mdv2007.1.x86_64.rpm
d6d560ef65a33e06222417ca0f25a69d 2007.1/x86_64/mozilla-firefox-zh_CN-2.0.0.12-1mdv2007.1.x86_64.rpm
6f023284f94e59d9a3a555147423c2fa 2007.1/x86_64/mozilla-firefox-zh_TW-2.0.0.12-1mdv2007.1.x86_64.rpm
9c244429f79868294786d3edb88b630d 2007.1/x86_64/totem-2.18.2-1.7mdv2007.1.x86_64.rpm
0839e08ff2af223b6ba3d80670af7961 2007.1/x86_64/totem-common-2.18.2-1.7mdv2007.1.x86_64.rpm
de037eb59adf51a7d8dafbe1b65f01cd 2007.1/x86_64/totem-gstreamer-2.18.2-1.7mdv2007.1.x86_64.rpm
968247765ff758ddd93d38020604957d 2007.1/x86_64/totem-mozilla-2.18.2-1.7mdv2007.1.x86_64.rpm
40d3cb387ecf9f50e549065690b6577f 2007.1/x86_64/totem-mozilla-gstreamer-2.18.2-1.7mdv2007.1.x86_64.rpm
2b5ffacf78cf59f0d5bcd748c6cfc3b9 2007.1/x86_64/yelp-2.18.0-3.6mdv2007.1.x86_64.rpm
22d9b3b7e5698b47fccc3a6357fec6e4 2007.1/SRPMS/deskbar-applet-2.18.0-3.6mdv2007.1.src.rpm
3cf093179a5d711a1532960931d4c069 2007.1/SRPMS/devhelp-0.13-3.6mdv2007.1.src.rpm
824c26cd3bf015fa907e8c870b083297 2007.1/SRPMS/eclipse-3.2.2-3.4.4mdv2007.1.src.rpm
9c3cec104d4eda89c867added6371874 2007.1/SRPMS/epiphany-2.18.0-5.6mdv2007.1.src.rpm
1b6f481d3645ae3d5cb5765a7c456d2a 2007.1/SRPMS/epiphany-extensions-2.18.0-2.5mdv2007.1.src.rpm
759216aff8dc1d14d5de891bc7745d6f 2007.1/SRPMS/galeon-2.0.3-5.6mdv2007.1.src.rpm
3304dc108695e6197e6b30ee03a51a09 2007.1/SRPMS/gnome-python-extras-2.14.3-4.6mdv2007.1.src.rpm
478ad85c7863af6629ac7234debdfbfa 2007.1/SRPMS/mozilla-firefox-2.0.0.12-1.1mdv2007.1.src.rpm
bd76471a2d41c2578b18939415e03b8e 2007.1/SRPMS/mozilla-firefox-l10n-2.0.0.12-1mdv2007.1.src.rpm
9747016f17a8f616419f1b7c4e49dc1f 2007.1/SRPMS/totem-2.18.2-1.7mdv2007.1.src.rpm
f1d428e2757775ec76d83f3be78e6717 2007.1/SRPMS/yelp-2.18.0-3.6mdv2007.1.src.rpm
Mandriva Linux 2008.0:
b9ed3ce884f9bdc1bbc2ca45a69b49e9 2008.0/i586/devhelp-0.16-1.3mdv2008.0.i586.rpm
ed2da3bc8550f42d071afe5cd5dcb626 2008.0/i586/devhelp-plugins-0.16-1.3mdv2008.0.i586.rpm
278b937377cab903ac69490711a8b928 2008.0/i586/eclipse-cvs-client-3.3.0-0.20.8.3mdv2008.0.i586.rpm
22d6fc428c6c1439da9b193de7f8bc13 2008.0/i586/eclipse-ecj-3.3.0-0.20.8.3mdv2008.0.i586.rpm
4cbee48cb9289a3275010e378c2156f5 2008.0/i586/eclipse-jdt-3.3.0-0.20.8.3mdv2008.0.i586.rpm
1d1d9fc56fbdf18e78c6ff5db0238758 2008.0/i586/eclipse-pde-3.3.0-0.20.8.3mdv2008.0.i586.rpm
5307ccd1f83a046923b488b2f939152c 2008.0/i586/eclipse-pde-runtime-3.3.0-0.20.8.3mdv2008.0.i586.rpm
f7ec4b95c23f2b879ac5c1d807076429 2008.0/i586/eclipse-platform-3.3.0-0.20.8.3mdv2008.0.i586.rpm
6c03f1c0a1282323c29ecdd41124ec69 2008.0/i586/eclipse-rcp-3.3.0-0.20.8.3mdv2008.0.i586.rpm
298103c5cd25124cf033dc4306c9c9f5 2008.0/i586/epiphany-2.20.0-1.3mdv2008.0.i586.rpm
62dffadf7d2352111917c4c344aaba65 2008.0/i586/epiphany-devel-2.20.0-1.3mdv2008.0.i586.rpm
2f24d71af446fb3368c06791f0df09d0 2008.0/i586/galeon-2.0.3-7.3mdv2008.0.i586.rpm
e722fe502740262bfd86f1d56baad8b4 2008.0/i586/gnome-python-extras-2.19.1-4.3mdv2008.0.i586.rpm
7fa422ad5d8fc5a22f18e1344de6a52e 2008.0/i586/gnome-python-gda-2.19.1-4.3mdv2008.0.i586.rpm
01b3b75cd0f61b6cede729ad0ce7049e 2008.0/i586/gnome-python-gda-devel-2.19.1-4.3mdv2008.0.i586.rpm
b027bdacb4c54794a39941ed57eae603 2008.0/i586/gnome-python-gdl-2.19.1-4.3mdv2008.0.i586.rpm
f03b3364360771482c3787e07eec7cb1 2008.0/i586/gnome-python-gksu-2.19.1-4.3mdv2008.0.i586.rpm
61b7e3bf96718d1b3f69c7975aa50304 2008.0/i586/gnome-python-gtkhtml2-2.19.1-4.3mdv2008.0.i586.rpm
1b3e7d7f72f8e6c7538ff1dc64f26e8c 2008.0/i586/gnome-python-gtkmozembed-2.19.1-4.3mdv2008.0.i586.rpm
d02af7b90406fac43092c2081680d710 2008.0/i586/gnome-python-gtkspell-2.19.1-4.3mdv2008.0.i586.rpm
4ccf8f36d0458a428e9fb2345e94cfc2 2008.0/i586/libdevhelp-1-devel-0.16-1.3mdv2008.0.i586.rpm
d02dc201a45281fcd871f84daa80564f 2008.0/i586/libdevhelp-1_0-0.16-1.3mdv2008.0.i586.rpm
4a6927720465de3b79a3497f2a578c2b 2008.0/i586/libmozilla-firefox-devel-2.0.0.12-1.1mdv2008.0.i586.rpm
844ea6862f575229557ce2f8a058432b 2008.0/i586/libmozilla-firefox2.0.0.12-2.0.0.12-1.1mdv2008.0.i586.rpm
f450a3638c675dc92ff2ef0a685d11ee 2008.0/i586/libswt3-gtk2-3.3.0-0.20.8.3mdv2008.0.i586.rpm
445b0e3b0a8d3a078307938e72e2b78d 2008.0/i586/libtotem-plparser-devel-2.20.1-1.2mdv2008.0.i586.rpm
3a3c057314238103a36115fa71bb637f 2008.0/i586/libtotem-plparser7-2.20.1-1.2mdv2008.0.i586.rpm
d56467de0ac9ea808080b0605909366e 2008.0/i586/mozilla-firefox-2.0.0.12-1.1mdv2008.0.i586.rpm
0711c8212df759437a176f8525560e6e 2008.0/i586/mozilla-firefox-af-2.0.0.12-1mdv2008.0.i586.rpm
15f1e548b0d2198742f4d358ad796a42 2008.0/i586/mozilla-firefox-ar-2.0.0.12-1mdv2008.0.i586.rpm
82fa5aea23785a60616c68a8ef7e5932 2008.0/i586/mozilla-firefox-be-2.0.0.12-1mdv2008.0.i586.rpm
96385f21854f261d354406257ae25362 2008.0/i586/mozilla-firefox-bg-2.0.0.12-1mdv2008.0.i586.rpm
a148aa83b35eb670fedf19c80c0876a3 2008.0/i586/mozilla-firefox-br_FR-2.0.0.12-1mdv2008.0.i586.rpm
ddb1086ba8de9dcea6fa3e561a2a7310 2008.0/i586/mozilla-firefox-ca-2.0.0.12-1mdv2008.0.i586.rpm
2023098fa5017553eddd2d780acc096f 2008.0/i586/mozilla-firefox-cs-2.0.0.12-1mdv2008.0.i586.rpm
60dab666392dc1b2e0ae9ba3d4be008b 2008.0/i586/mozilla-firefox-da-2.0.0.12-1mdv2008.0.i586.rpm
b12a81d439f33c9f7b247e91500b2146 2008.0/i586/mozilla-firefox-de-2.0.0.12-1mdv2008.0.i586.rpm
e41c11cf94981c0b7b3df390da495bc0 2008.0/i586/mozilla-firefox-el-2.0.0.12-1mdv2008.0.i586.rpm
569922ef1cf787bb1a695a63775d1389 2008.0/i586/mozilla-firefox-en_GB-2.0.0.12-1mdv2008.0.i586.rpm
c5efdffee339eaf9d34bace8942888b4 2008.0/i586/mozilla-firefox-es_AR-2.0.0.12-1mdv2008.0.i586.rpm
d151770d576f08c9204b13b3ea1559d9 2008.0/i586/mozilla-firefox-es_ES-2.0.0.12-1mdv2008.0.i586.rpm
946886a35d058f30de178938496ebe96 2008.0/i586/mozilla-firefox-et_EE-2.0.0.12-1mdv2008.0.i586.rpm
949d8575e900c1df357f2e9eef7a32ca 2008.0/i586/mozilla-firefox-eu-2.0.0.12-1mdv2008.0.i586.rpm
6f06703f8ee7d7ebfaa951eb9b935397 2008.0/i586/mozilla-firefox-ext-blogrovr-1.1.771-1.1mdv2008.0.i586.rpm
1a67631467fd5cdcd1fd63cd55807c0c 2008.0/i586/mozilla-firefox-ext-foxmarks-2.0.43-1mdv2008.0.i586.rpm
145d0c6bf0e6d5bacbdf63471844d3a7 2008.0/i586/mozilla-firefox-ext-scribefire-1.4.2-4.1mdv2008.0.i586.rpm
2e24c0bf13b81aef0524988a48c86c85 2008.0/i586/mozilla-firefox-fi-2.0.0.12-1mdv2008.0.i586.rpm
bf859aba5985cd4f8de5d77097ce27ab 2008.0/i586/mozilla-firefox-fr-2.0.0.12-1mdv2008.0.i586.rpm
1e419bb831898aa7f7f280b101e33163 2008.0/i586/mozilla-firefox-fy-2.0.0.12-1mdv2008.0.i586.rpm
7e6411d52ce2a968274410514ca319d3 2008.0/i586/mozilla-firefox-ga-2.0.0.12-1mdv2008.0.i586.rpm
60cb492b459d4fc3fc076b8ac90013e8 2008.0/i586/mozilla-firefox-gnome-support-2.0.0.12-1.1mdv2008.0.i586.rpm
34cf05391500b866f1b0b4776046ab3f 2008.0/i586/mozilla-firefox-gu_IN-2.0.0.12-1mdv2008.0.i586.rpm
9b2954bd04ecc285f2535a828432d0df 2008.0/i586/mozilla-firefox-he-2.0.0.12-1mdv2008.0.i586.rpm
2356729d9b2e4b532838c7913ba30637 2008.0/i586/mozilla-firefox-hu-2.0.0.12-1mdv2008.0.i586.rpm
d213db926f0959643649708ed4c4af61 2008.0/i586/mozilla-firefox-it-2.0.0.12-1mdv2008.0.i586.rpm
352161c8c2aa1943e791cc58f0e3c785 2008.0/i586/mozilla-firefox-ja-2.0.0.12-1mdv2008.0.i586.rpm
72465fe9a44aeeb74a6cfd412f9e708b 2008.0/i586/mozilla-firefox-ka-2.0.0.12-1mdv2008.0.i586.rpm
445861082658f826f76f01c8f48ce040 2008.0/i586/mozilla-firefox-ko-2.0.0.12-1mdv2008.0.i586.rpm
b33adecf186e8301cd292075a699eef0 2008.0/i586/mozilla-firefox-ku-2.0.0.12-1mdv2008.0.i586.rpm
878a44794064d86bbc3a511fc9f94d1e 2008.0/i586/mozilla-firefox-lt-2.0.0.12-1mdv2008.0.i586.rpm
05bdf7d1f1d304f8e1e6aa2e990bd764 2008.0/i586/mozilla-firefox-mk-2.0.0.12-1mdv2008.0.i586.rpm
b32ae7f6ad74c87d2efed37df2150967 2008.0/i586/mozilla-firefox-mn-2.0.0.12-1mdv2008.0.i586.rpm
8fdeb19e609e8334379bd7b13d88fcb6 2008.0/i586/mozilla-firefox-nb_NO-2.0.0.12-1mdv2008.0.i586.rpm
4e3f6d3a1030791d16855755489fead0 2008.0/i586/mozilla-firefox-nl-2.0.0.12-1mdv2008.0.i586.rpm
71d850481e225951fb6ed40501976174 2008.0/i586/mozilla-firefox-nn_NO-2.0.0.12-1mdv2008.0.i586.rpm
8d5bb6c37b32575fc34c4334be6e1842 2008.0/i586/mozilla-firefox-pa_IN-2.0.0.12-1mdv2008.0.i586.rpm
848747d8c1a6b48808a7f7c6148e1d26 2008.0/i586/mozilla-firefox-pl-2.0.0.12-1mdv2008.0.i586.rpm
e1beba530c98af86e02164a948fcf08b 2008.0/i586/mozilla-firefox-pt_BR-2.0.0.12-1mdv2008.0.i586.rpm
3a9d3ef361497ee878f1f970a1916e2d 2008.0/i586/mozilla-firefox-pt_PT-2.0.0.12-1mdv2008.0.i586.rpm
994a4e5470f23522b3188de86b405edb 2008.0/i586/mozilla-firefox-ro-2.0.0.12-1mdv2008.0.i586.rpm
0862286c72978f7ed8ae34be4e0f3e4e 2008.0/i586/mozilla-firefox-ru-2.0.0.12-1mdv2008.0.i586.rpm
455ecd10092e5bec3904e72426cb7d17 2008.0/i586/mozilla-firefox-sk-2.0.0.12-1mdv2008.0.i586.rpm
49ea3406aeec377bf84d74e5407a9f9e 2008.0/i586/mozilla-firefox-sl-2.0.0.12-1mdv2008.0.i586.rpm
4e6074968ddd1ae114d3041c4742643d 2008.0/i586/mozilla-firefox-sv_SE-2.0.0.12-1mdv2008.0.i586.rpm
117e43ed744cf4363ccf9b7de9db90da 2008.0/i586/mozilla-firefox-tr-2.0.0.12-1mdv2008.0.i586.rpm
f4b7a624f8b7cd2c91c1a3a5c82c4c86 2008.0/i586/mozilla-firefox-uk-2.0.0.12-1mdv2008.0.i586.rpm
e023caab47e5409ae7892144b4603139 2008.0/i586/mozilla-firefox-zh_CN-2.0.0.12-1mdv2008.0.i586.rpm
bfce9fb35e295b3aab1937a5930f94cd 2008.0/i586/mozilla-firefox-zh_TW-2.0.0.12-1mdv2008.0.i586.rpm
3faf9dcb53903cfc255c8a83b441376d 2008.0/i586/totem-2.20.1-1.2mdv2008.0.i586.rpm
37614ee5b5d3e141573e5d17d142d419 2008.0/i586/totem-common-2.20.1-1.2mdv2008.0.i586.rpm
5d894ec0e4e9695b5c45897be5a3fe41 2008.0/i586/totem-gstreamer-2.20.1-1.2mdv2008.0.i586.rpm
bdda2275535580a00d87374804d8356a 2008.0/i586/totem-mozilla-2.20.1-1.2mdv2008.0.i586.rpm
b5b144ef52b3d0c79cfea70098e593ee 2008.0/i586/totem-mozilla-gstreamer-2.20.1-1.2mdv2008.0.i586.rpm
131b7e638a900ef5483b238760b3ce7e 2008.0/i586/yelp-2.20.0-3.2mdv2008.0.i586.rpm
fd64f784036f9a7a67ae7dc4bc840755 2008.0/SRPMS/devhelp-0.16-1.3mdv2008.0.src.rpm
483a9c4d9ae531f9b3586d3a2da2f8a2 2008.0/SRPMS/eclipse-3.3.0-0.20.8.3mdv2008.0.src.rpm
331b129d4ea2db89884b6531a8a7f58b 2008.0/SRPMS/epiphany-2.20.0-1.3mdv2008.0.src.rpm
3c7ab32d75b68e67a68b1933aa477fa9 2008.0/SRPMS/galeon-2.0.3-7.3mdv2008.0.src.rpm
4f71054efcad5f6ea4a41d3f003fd909 2008.0/SRPMS/gnome-python-extras-2.19.1-4.3mdv2008.0.src.rpm
64ec454e2292e0f3d39d1c3b23407957 2008.0/SRPMS/mozilla-firefox-2.0.0.12-1.1mdv2008.0.src.rpm
b0f611d44d02a710ed8d868d745cca25 2008.0/SRPMS/mozilla-firefox-ext-blogrovr-1.1.771-1.1mdv2008.0.src.rpm
344da985922776256af6accfba04672a 2008.0/SRPMS/mozilla-firefox-ext-foxmarks-2.0.43-1mdv2008.0.src.rpm
eb8583166df4ad6591d184af922824c3 2008.0/SRPMS/mozilla-firefox-ext-scribefire-1.4.2-4.1mdv2008.0.src.rpm
9c9ca299024b58a8c292c723724e4aa8 2008.0/SRPMS/mozilla-firefox-l10n-2.0.0.12-1mdv2008.0.src.rpm
db53f00eaa8cc296f6cd1109fe45cc69 2008.0/SRPMS/totem-2.20.1-1.2mdv2008.0.src.rpm
4429b4db2e0c4d1f27abccc8e140023e 2008.0/SRPMS/yelp-2.20.0-3.2mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
7637b945a5a1d92d319929e6116fff90 2008.0/x86_64/devhelp-0.16-1.3mdv2008.0.x86_64.rpm
e90b3b646f35eeb9ab56d5709139e44e 2008.0/x86_64/devhelp-plugins-0.16-1.3mdv2008.0.x86_64.rpm
f637d11794273584bab7709f72a93bc8 2008.0/x86_64/eclipse-cvs-client-3.3.0-0.20.8.3mdv2008.0.x86_64.rpm
90d38b352269c8cd1830752e68222146 2008.0/x86_64/eclipse-ecj-3.3.0-0.20.8.3mdv2008.0.x86_64.rpm
d9f6e45888de01e795f5d31fcc609d34 2008.0/x86_64/eclipse-jdt-3.3.0-0.20.8.3mdv2008.0.x86_64.rpm
8f2014eedbc9549489aaa9d3ccac141f 2008.0/x86_64/eclipse-pde-3.3.0-0.20.8.3mdv2008.0.x86_64.rpm
52268ee1aee89cc1fbbc39b9a49fa4a3 2008.0/x86_64/eclipse-pde-runtime-3.3.0-0.20.8.3mdv2008.0.x86_64.rpm
e51c76c8f9304dd47e24e84954d2bad7 2008.0/x86_64/eclipse-platform-3.3.0-0.20.8.3mdv2008.0.x86_64.rpm
f6d7a18638cf2264d90b82804dee0605 2008.0/x86_64/eclipse-rcp-3.3.0-0.20.8.3mdv2008.0.x86_64.rpm
2b14100415d56d45fd66a1038c03bc41 2008.0/x86_64/epiphany-2.20.0-1.3mdv2008.0.x86_64.rpm
18cec3625191d15787b77819c97992e0 2008.0/x86_64/epiphany-devel-2.20.0-1.3mdv2008.0.x86_64.rpm
672f2b365918d0d562a57451761f7175 2008.0/x86_64/galeon-2.0.3-7.3mdv2008.0.x86_64.rpm
620bcafdf53e73c4619c5a346c70a531 2008.0/x86_64/gnome-python-extras-2.19.1-4.3mdv2008.0.x86_64.rpm
1f954e8583d479e1921ec39e2842ed65 2008.0/x86_64/gnome-python-gda-2.19.1-4.3mdv2008.0.x86_64.rpm
d2b51bd56abca2be983d4d54c741f6fd 2008.0/x86_64/gnome-python-gda-devel-2.19.1-4.3mdv2008.0.x86_64.rpm
e5b9d75c878c43be0de65617a5c62dd8 2008.0/x86_64/gnome-python-gdl-2.19.1-4.3mdv2008.0.x86_64.rpm
c39535f16de1822b3afcbafb38cdd067 2008.0/x86_64/gnome-python-gksu-2.19.1-4.3mdv2008.0.x86_64.rpm
982509689a28dbc301c3f65278639ec8 2008.0/x86_64/gnome-python-gtkhtml2-2.19.1-4.3mdv2008.0.x86_64.rpm
7e324bc741e70a3b560ac7657d36b424 2008.0/x86_64/gnome-python-gtkmozembed-2.19.1-4.3mdv2008.0.x86_64.rpm
9acc6d3c83cdb74954a281dc62899599 2008.0/x86_64/gnome-python-gtkspell-2.19.1-4.3mdv2008.0.x86_64.rpm
fca20482c9fa5c36cc70ea4dbee013cf 2008.0/x86_64/lib64devhelp-1-devel-0.16-1.3mdv2008.0.x86_64.rpm
230116bc2d8c100fa6e79c751e8849e8 2008.0/x86_64/lib64devhelp-1_0-0.16-1.3mdv2008.0.x86_64.rpm
a99787473640413505d74dd9af737c33 2008.0/x86_64/lib64mozilla-firefox-devel-2.0.0.12-1.1mdv2008.0.x86_64.rpm
7765387decd77b6cd678ba97a80aa212 2008.0/x86_64/lib64mozilla-firefox2.0.0.12-2.0.0.12-1.1mdv2008.0.x86_64.rpm
f771f31ce21856d297af6b314e73bd6f 2008.0/x86_64/lib64totem-plparser-devel-2.20.1-1.2mdv2008.0.x86_64.rpm
8165c641a39c30be4147cbb006e6ce59 2008.0/x86_64/lib64totem-plparser7-2.20.1-1.2mdv2008.0.x86_64.rpm
f9d8ede28ccc73d9c4e1eb42c3b529dd 2008.0/x86_64/libswt3-gtk2-3.3.0-0.20.8.3mdv2008.0.x86_64.rpm
a2a62a67abf56f791fe8867de18c3d9f 2008.0/x86_64/mozilla-firefox-2.0.0.12-1.1mdv2008.0.x86_64.rpm
ca37b76d4c340aa31f696f7539e0ea33 2008.0/x86_64/mozilla-firefox-af-2.0.0.12-1mdv2008.0.x86_64.rpm
03bba40715b886951b4809058c61446a 2008.0/x86_64/mozilla-firefox-ar-2.0.0.12-1mdv2008.0.x86_64.rpm
b6ce56c92082b2e329941af2a48007f7 2008.0/x86_64/mozilla-firefox-be-2.0.0.12-1mdv2008.0.x86_64.rpm
d9fb339dc9374c58b5652d71f2a90454 2008.0/x86_64/mozilla-firefox-bg-2.0.0.12-1mdv2008.0.x86_64.rpm
ecb686040cfcc1741b0a328576214340 2008.0/x86_64/mozilla-firefox-br_FR-2.0.0.12-1mdv2008.0.x86_64.rpm
0554cc5ff06d136da6eb7e02d039eba2 2008.0/x86_64/mozilla-firefox-ca-2.0.0.12-1mdv2008.0.x86_64.rpm
faf68eb0c9a52a58d98290b74c98d7a0 2008.0/x86_64/mozilla-firefox-cs-2.0.0.12-1mdv2008.0.x86_64.rpm
105febad3e8a142f1b5741e53b7623b7 2008.0/x86_64/mozilla-firefox-da-2.0.0.12-1mdv2008.0.x86_64.rpm
a09f4b5117c11ca7415e0987471b3198 2008.0/x86_64/mozilla-firefox-de-2.0.0.12-1mdv2008.0.x86_64.rpm
9a4c5ebcb8fa0fd83f9b1b0448f74ff7 2008.0/x86_64/mozilla-firefox-el-2.0.0.12-1mdv2008.0.x86_64.rpm
e3d73c78cfd7f50aaaa0c7c50ae26133 2008.0/x86_64/mozilla-firefox-en_GB-2.0.0.12-1mdv2008.0.x86_64.rpm
733628c57cf6a1165db3ba8cfda4632f 2008.0/x86_64/mozilla-firefox-es_AR-2.0.0.12-1mdv2008.0.x86_64.rpm
2af0226fcdae799c8e4d9844fba5a060 2008.0/x86_64/mozilla-firefox-es_ES-2.0.0.12-1mdv2008.0.x86_64.rpm
67144ddc8c9226bdbcbaa9d9255e02b3 2008.0/x86_64/mozilla-firefox-et_EE-2.0.0.12-1mdv2008.0.x86_64.rpm
92888bed6a4187ee27af85da7a96aba9 2008.0/x86_64/mozilla-firefox-eu-2.0.0.12-1mdv2008.0.x86_64.rpm
6eaa41c4a0bdde8f016beb06e719e57c 2008.0/x86_64/mozilla-firefox-ext-blogrovr-1.1.771-1.1mdv2008.0.x86_64.rpm
f1453161a26e650c4172bf7a69dc2f52 2008.0/x86_64/mozilla-firefox-ext-foxmarks-2.0.43-1mdv2008.0.x86_64.rpm
3a7cbb41c223cc1eb64e70011a50a92e 2008.0/x86_64/mozilla-firefox-ext-scribefire-1.4.2-4.1mdv2008.0.x86_64.rpm
7d4987023db30662237b2dff17673112 2008.0/x86_64/mozilla-firefox-fi-2.0.0.12-1mdv2008.0.x86_64.rpm
665624041067cb596d20ac0fae0c56e1 2008.0/x86_64/mozilla-firefox-fr-2.0.0.12-1mdv2008.0.x86_64.rpm
e371bf004aee3199dae4818f156cc2a8 2008.0/x86_64/mozilla-firefox-fy-2.0.0.12-1mdv2008.0.x86_64.rpm
8187e9e50111404689936a361edcb9e0 2008.0/x86_64/mozilla-firefox-ga-2.0.0.12-1mdv2008.0.x86_64.rpm
b59b0c7598a9ff58d266ef445b60a6ea 2008.0/x86_64/mozilla-firefox-gnome-support-2.0.0.12-1.1mdv2008.0.x86_64.rpm
3da5205396822b8e7ddd189c9dede8db 2008.0/x86_64/mozilla-firefox-gu_IN-2.0.0.12-1mdv2008.0.x86_64.rpm
b6540fa0265f001e1ec7ea34c8d62964 2008.0/x86_64/mozilla-firefox-he-2.0.0.12-1mdv2008.0.x86_64.rpm
2ee06f3b7c50e7556f9495fbd72e2400 2008.0/x86_64/mozilla-firefox-hu-2.0.0.12-1mdv2008.0.x86_64.rpm
1293fc5f1ecfd8f73ee14ce4cd38d89b 2008.0/x86_64/mozilla-firefox-it-2.0.0.12-1mdv2008.0.x86_64.rpm
0bb358710509fd6e3d62eb8d89fd8277 2008.0/x86_64/mozilla-firefox-ja-2.0.0.12-1mdv2008.0.x86_64.rpm
f55afc6e06b1b1ffb81bb509fe1790c9 2008.0/x86_64/mozilla-firefox-ka-2.0.0.12-1mdv2008.0.x86_64.rpm
12f6237676be8832af1acf05ff64ebb2 2008.0/x86_64/mozilla-firefox-ko-2.0.0.12-1mdv2008.0.x86_64.rpm
12716873fa7cefc1ec056bdd82ae0667 2008.0/x86_64/mozilla-firefox-ku-2.0.0.12-1mdv2008.0.x86_64.rpm
dd794d67a43611fc29e34c068ee775d3 2008.0/x86_64/mozilla-firefox-lt-2.0.0.12-1mdv2008.0.x86_64.rpm
40d0a5fcf19888cb0de6ff20a00b2a2c 2008.0/x86_64/mozilla-firefox-mk-2.0.0.12-1mdv2008.0.x86_64.rpm
b240c1bcd60d2555c06134b166b356fa 2008.0/x86_64/mozilla-firefox-mn-2.0.0.12-1mdv2008.0.x86_64.rpm
ce6bee8f71969e259e66fc5ccd72f668 2008.0/x86_64/mozilla-firefox-nb_NO-2.0.0.12-1mdv2008.0.x86_64.rpm
f4620fd14b954c78709fcc01708f6053 2008.0/x86_64/mozilla-firefox-nl-2.0.0.12-1mdv2008.0.x86_64.rpm
e7a51c8d25fc46637845172a96a7366d 2008.0/x86_64/mozilla-firefox-nn_NO-2.0.0.12-1mdv2008.0.x86_64.rpm
cbd80830cf912bd3f0eb4b5e73de7c9b 2008.0/x86_64/mozilla-firefox-pa_IN-2.0.0.12-1mdv2008.0.x86_64.rpm
b86fa8fb3a49c00bc909efaf22b8e7e2 2008.0/x86_64/mozilla-firefox-pl-2.0.0.12-1mdv2008.0.x86_64.rpm
d5b445d81a5e497fefd3658bcbd76c9d 2008.0/x86_64/mozilla-firefox-pt_BR-2.0.0.12-1mdv2008.0.x86_64.rpm
f6c7c3d82b2e46c0c53674b23bd9f610 2008.0/x86_64/mozilla-firefox-pt_PT-2.0.0.12-1mdv2008.0.x86_64.rpm
c814c511adbc79d7506208c16964dd82 2008.0/x86_64/mozilla-firefox-ro-2.0.0.12-1mdv2008.0.x86_64.rpm
1dbfd204f8b7fdf1a1a3d8a318390982 2008.0/x86_64/mozilla-firefox-ru-2.0.0.12-1mdv2008.0.x86_64.rpm
ff96c040977b5387ac143cb542954605 2008.0/x86_64/mozilla-firefox-sk-2.0.0.12-1mdv2008.0.x86_64.rpm
405bfe183faf8385603c18dba56e462b 2008.0/x86_64/mozilla-firefox-sl-2.0.0.12-1mdv2008.0.x86_64.rpm
09ada1b389808bcfc841b4bf2f58d3b7 2008.0/x86_64/mozilla-firefox-sv_SE-2.0.0.12-1mdv2008.0.x86_64.rpm
5883cf4f015b18e84942ad3b334835ce 2008.0/x86_64/mozilla-firefox-tr-2.0.0.12-1mdv2008.0.x86_64.rpm
a7f9ee2ceb3b72c7e3855850b5b224d9 2008.0/x86_64/mozilla-firefox-uk-2.0.0.12-1mdv2008.0.x86_64.rpm
98171713d09ae8405d2d26eccb166352 2008.0/x86_64/mozilla-firefox-zh_CN-2.0.0.12-1mdv2008.0.x86_64.rpm
907b73fc00a166ab82c90cce9dcb2855 2008.0/x86_64/mozilla-firefox-zh_TW-2.0.0.12-1mdv2008.0.x86_64.rpm
c55f978b69d6c6d0d272613f4d34c6bf 2008.0/x86_64/totem-2.20.1-1.2mdv2008.0.x86_64.rpm
e7bf2fa7b63ba9217356f953a7d6e32a 2008.0/x86_64/totem-common-2.20.1-1.2mdv2008.0.x86_64.rpm
f32ec045873ee9a1e4eada8f14ef370d 2008.0/x86_64/totem-gstreamer-2.20.1-1.2mdv2008.0.x86_64.rpm
268619b6747e69c4011760509d6c4249 2008.0/x86_64/totem-mozilla-2.20.1-1.2mdv2008.0.x86_64.rpm
83e2f72cbce5e5cf2a4fa037e843eddc 2008.0/x86_64/totem-mozilla-gstreamer-2.20.1-1.2mdv2008.0.x86_64.rpm
ee8611f2b5580f819e2380b07ccf8879 2008.0/x86_64/yelp-2.20.0-3.2mdv2008.0.x86_64.rpm
fd64f784036f9a7a67ae7dc4bc840755 2008.0/SRPMS/devhelp-0.16-1.3mdv2008.0.src.rpm
483a9c4d9ae531f9b3586d3a2da2f8a2 2008.0/SRPMS/eclipse-3.3.0-0.20.8.3mdv2008.0.src.rpm
331b129d4ea2db89884b6531a8a7f58b 2008.0/SRPMS/epiphany-2.20.0-1.3mdv2008.0.src.rpm
3c7ab32d75b68e67a68b1933aa477fa9 2008.0/SRPMS/galeon-2.0.3-7.3mdv2008.0.src.rpm
4f71054efcad5f6ea4a41d3f003fd909 2008.0/SRPMS/gnome-python-extras-2.19.1-4.3mdv2008.0.src.rpm
64ec454e2292e0f3d39d1c3b23407957 2008.0/SRPMS/mozilla-firefox-2.0.0.12-1.1mdv2008.0.src.rpm
b0f611d44d02a710ed8d868d745cca25 2008.0/SRPMS/mozilla-firefox-ext-blogrovr-1.1.771-1.1mdv2008.0.src.rpm
344da985922776256af6accfba04672a 2008.0/SRPMS/mozilla-firefox-ext-foxmarks-2.0.43-1mdv2008.0.src.rpm
eb8583166df4ad6591d184af922824c3 2008.0/SRPMS/mozilla-firefox-ext-scribefire-1.4.2-4.1mdv2008.0.src.rpm
9c9ca299024b58a8c292c723724e4aa8 2008.0/SRPMS/mozilla-firefox-l10n-2.0.0.12-1mdv2008.0.src.rpm
db53f00eaa8cc296f6cd1109fe45cc69 2008.0/SRPMS/totem-2.20.1-1.2mdv2008.0.src.rpm
4429b4db2e0c4d1f27abccc8e140023e 2008.0/SRPMS/yelp-2.20.0-3.2mdv2008.0.src.rpm
Corporate 3.0:
550dadd02da46677bd28e11be84af07c corporate/3.0/i586/libnspr4-2.0.0.12-0.1.C30mdk.i586.rpm
4878b838f7b58178db5c5810db1f9dce corporate/3.0/i586/libnspr4-devel-2.0.0.12-0.1.C30mdk.i586.rpm
43eff3ed0e41653190e4d3ae3579cda4 corporate/3.0/i586/libnspr4-static-devel-2.0.0.12-0.1.C30mdk.i586.rpm
c1844362f249aca14692aba19bd0e11f corporate/3.0/i586/libnss3-2.0.0.12-0.1.C30mdk.i586.rpm
8beb45a5fc33b02bf4d148ae9e440414 corporate/3.0/i586/libnss3-devel-2.0.0.12-0.1.C30mdk.i586.rpm
c9aa59e8bb3ac4b4984231d8f01a8505 corporate/3.0/i586/mozilla-firefox-2.0.0.12-0.1.C30mdk.i586.rpm
b1baa8652f174fb7f7abed9b1745bf96 corporate/3.0/i586/mozilla-firefox-ar-2.0.0.12-0.1.C30mdk.i586.rpm
ad5a0a4684cfee839501ecb025d547a2 corporate/3.0/i586/mozilla-firefox-bg-2.0.0.12-0.1.C30mdk.i586.rpm
26a215b87cd1112589a98544dd0ac41e corporate/3.0/i586/mozilla-firefox-br-2.0.0.12-0.1.C30mdk.i586.rpm
43860455bf9bc4bdc0058f6188eff583 corporate/3.0/i586/mozilla-firefox-ca-2.0.0.12-0.1.C30mdk.i586.rpm
ff84769e6cc3e2c176eea3f1378b7f13 corporate/3.0/i586/mozilla-firefox-cs-2.0.0.12-0.1.C30mdk.i586.rpm
712e3c9a7e2c1f31a212a50b6a916d5b corporate/3.0/i586/mozilla-firefox-da-2.0.0.12-0.1.C30mdk.i586.rpm
21384ac68a9a158d05c8a113f657aba7 corporate/3.0/i586/mozilla-firefox-de-2.0.0.12-0.1.C30mdk.i586.rpm
ff3b79ce5a8557d51215a95a91ce7a57 corporate/3.0/i586/mozilla-firefox-devel-2.0.0.12-0.1.C30mdk.i586.rpm
817f8ac7f07ca552507861270ab673b1 corporate/3.0/i586/mozilla-firefox-el-2.0.0.12-0.1.C30mdk.i586.rpm
9e4bf251eb7211e3c13c652470edd2f4 corporate/3.0/i586/mozilla-firefox-es-2.0.0.12-0.1.C30mdk.i586.rpm
50bce55b911214d0b6169fbc5b022f10 corporate/3.0/i586/mozilla-firefox-es_AR-2.0.0.12-0.1.C30mdk.i586.rpm
a119c958b460012f0692de2e95d88dcc corporate/3.0/i586/mozilla-firefox-eu-2.0.0.12-0.1.C30mdk.i586.rpm
d1563fb09d46065a4142c346e2b51f7a corporate/3.0/i586/mozilla-firefox-fi-2.0.0.12-0.1.C30mdk.i586.rpm
e6683f7f2671ac6e391feb1856e07b4c corporate/3.0/i586/mozilla-firefox-fr-2.0.0.12-0.1.C30mdk.i586.rpm
32ed3343c587ce65670f8889215efd13 corporate/3.0/i586/mozilla-firefox-fy-2.0.0.12-0.1.C30mdk.i586.rpm
1b4949f6924352d891e267a372976ee7 corporate/3.0/i586/mozilla-firefox-ga-2.0.0.12-0.1.C30mdk.i586.rpm
2feaa589901cdd5814e178f93a67a9d2 corporate/3.0/i586/mozilla-firefox-gu_IN-2.0.0.12-0.1.C30mdk.i586.rpm
e3dd4574d2c17e0dd0ab6c24e01a7ef0 corporate/3.0/i586/mozilla-firefox-he-2.0.0.12-0.1.C30mdk.i586.rpm
2bc8200cea954caeb99a101f15c82fa3 corporate/3.0/i586/mozilla-firefox-hu-2.0.0.12-0.1.C30mdk.i586.rpm
e4089156af8dd0ef08a75896345c4abe corporate/3.0/i586/mozilla-firefox-it-2.0.0.12-0.1.C30mdk.i586.rpm
17b4af5dd41ffa19979372389bbe5894 corporate/3.0/i586/mozilla-firefox-ja-2.0.0.12-0.1.C30mdk.i586.rpm
d360ae8b94e9f161654f0e1ad3db809a corporate/3.0/i586/mozilla-firefox-ko-2.0.0.12-0.1.C30mdk.i586.rpm
3e582e8d8b624d54fe07883213e20d90 corporate/3.0/i586/mozilla-firefox-lt-2.0.0.12-0.1.C30mdk.i586.rpm
7e490e7bcb8cda57769866a8b810e443 corporate/3.0/i586/mozilla-firefox-mk-2.0.0.12-0.1.C30mdk.i586.rpm
f309b26c279b470d8337f65914674b89 corporate/3.0/i586/mozilla-firefox-nb-2.0.0.12-0.1.C30mdk.i586.rpm
720d18b177136d5d96910329d9f7ee25 corporate/3.0/i586/mozilla-firefox-nl-2.0.0.12-0.1.C30mdk.i586.rpm
24c61982d71a2d63bf71bb0faccf90a1 corporate/3.0/i586/mozilla-firefox-pa_IN-2.0.0.12-0.1.C30mdk.i586.rpm
036712e98bbbef9a7966dfbd81954866 corporate/3.0/i586/mozilla-firefox-pl-2.0.0.12-0.1.C30mdk.i586.rpm
0619996ce1e3dc99084c013100918c71 corporate/3.0/i586/mozilla-firefox-pt-2.0.0.12-0.1.C30mdk.i586.rpm
0f14d3385b03309473925c5b139afee3 corporate/3.0/i586/mozilla-firefox-pt_BR-2.0.0.12-0.1.C30mdk.i586.rpm
b7cd96a7431cb825c7db41bb4c85cc0c corporate/3.0/i586/mozilla-firefox-ro-2.0.0.12-0.1.C30mdk.i586.rpm
0f22a5c8cc4ebe9c95965f7f6a35e25e corporate/3.0/i586/mozilla-firefox-ru-2.0.0.12-0.1.C30mdk.i586.rpm
a1c92a73dbad5c475d76cf4eb8fe8947 corporate/3.0/i586/mozilla-firefox-sk-2.0.0.12-0.1.C30mdk.i586.rpm
d0e46219f3bfb285d1aa5042a11c4c2f corporate/3.0/i586/mozilla-firefox-sl-2.0.0.12-0.1.C30mdk.i586.rpm
65fbb88b91f6f18faf6bfcd7637d99b9 corporate/3.0/i586/mozilla-firefox-sv-2.0.0.12-0.1.C30mdk.i586.rpm
1e6dd377fc1e89cf1b70faa96e234604 corporate/3.0/i586/mozilla-firefox-tr-2.0.0.12-0.1.C30mdk.i586.rpm
1aabd75d4be1b00ed69f61805737dc43 corporate/3.0/i586/mozilla-firefox-uk-2.0.0.12-0.1.C30mdk.i586.rpm
0f5612378dae917f0268326ad0036b87 corporate/3.0/i586/mozilla-firefox-zh_CN-2.0.0.12-0.1.C30mdk.i586.rpm
32f3121c6d0b5491057d1cfd3380a8b6 corporate/3.0/i586/mozilla-firefox-zh_TW-2.0.0.12-0.1.C30mdk.i586.rpm
bc6071a867462a8f2a44aa4896530fe6 corporate/3.0/SRPMS/mozilla-firefox-2.0.0.12-0.1.C30mdk.src.rpm
3716609be655be6acb6f567c0eb7dbea corporate/3.0/SRPMS/mozilla-firefox-l10n-2.0.0.12-0.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
23db9d7edef5b8116b6f3cf853819461 corporate/3.0/x86_64/lib64nspr4-2.0.0.12-0.1.C30mdk.x86_64.rpm
0729f4ac4b61f25e3ae816e12acef5ea corporate/3.0/x86_64/lib64nspr4-devel-2.0.0.12-0.1.C30mdk.x86_64.rpm
54d5a161aeda3c3a1754f3b559eec78b corporate/3.0/x86_64/lib64nspr4-static-devel-2.0.0.12-0.1.C30mdk.x86_64.rpm
53339583f214c0cfa61966b2730d4676 corporate/3.0/x86_64/lib64nss3-2.0.0.12-0.1.C30mdk.x86_64.rpm
a4a1bdc3da133c4d39950b865ebb6cab corporate/3.0/x86_64/lib64nss3-devel-2.0.0.12-0.1.C30mdk.x86_64.rpm
c8476b439226f4db336d0500bbfcb441 corporate/3.0/x86_64/mozilla-firefox-2.0.0.12-0.1.C30mdk.x86_64.rpm
9562e49d98011a072ee5c1eb35ee42c7 corporate/3.0/x86_64/mozilla-firefox-ar-2.0.0.12-0.1.C30mdk.x86_64.rpm
aa61d7753d91cf385ecf79a42e8e3aec corporate/3.0/x86_64/mozilla-firefox-bg-2.0.0.12-0.1.C30mdk.x86_64.rpm
c8c27fcd9be3ee89f9aea52489bd8c03 corporate/3.0/x86_64/mozilla-firefox-br-2.0.0.12-0.1.C30mdk.x86_64.rpm
98eba3b228afab21f0c2df55a08b79d6 corporate/3.0/x86_64/mozilla-firefox-ca-2.0.0.12-0.1.C30mdk.x86_64.rpm
cc3f2d7c0e3b5f4b893d63790c512636 corporate/3.0/x86_64/mozilla-firefox-cs-2.0.0.12-0.1.C30mdk.x86_64.rpm
d7d36a8f27c362cec8b48dbff49fe46a corporate/3.0/x86_64/mozilla-firefox-da-2.0.0.12-0.1.C30mdk.x86_64.rpm
ffe44e168f6524cd80ceb21207c88006 corporate/3.0/x86_64/mozilla-firefox-de-2.0.0.12-0.1.C30mdk.x86_64.rpm
aaf6416b5ea970b3ef61b4b650f13867 corporate/3.0/x86_64/mozilla-firefox-devel-2.0.0.12-0.1.C30mdk.x86_64.rpm
ebaa3a59ec5594164601c5968e6b128f corporate/3.0/x86_64/mozilla-firefox-el-2.0.0.12-0.1.C30mdk.x86_64.rpm
ceb7ce9e4eccc391712bbec3737e1280 corporate/3.0/x86_64/mozilla-firefox-es-2.0.0.12-0.1.C30mdk.x86_64.rpm
1555aa2ecb1e8beb1949edd6e1672c9d corporate/3.0/x86_64/mozilla-firefox-es_AR-2.0.0.12-0.1.C30mdk.x86_64.rpm
68fa37147805715cfa1bc399c3a3ae12 corporate/3.0/x86_64/mozilla-firefox-eu-2.0.0.12-0.1.C30mdk.x86_64.rpm
f50964fc639fd5b394b513c42c700076 corporate/3.0/x86_64/mozilla-firefox-fi-2.0.0.12-0.1.C30mdk.x86_64.rpm
3bc78e57665df763604b1f30329fad7e corporate/3.0/x86_64/mozilla-firefox-fr-2.0.0.12-0.1.C30mdk.x86_64.rpm
9e2139f1c4d6642be56727ac4bc9bc31 corporate/3.0/x86_64/mozilla-firefox-fy-2.0.0.12-0.1.C30mdk.x86_64.rpm
091b74c2f82f9b59d1b3b14ce8de6adb corporate/3.0/x86_64/mozilla-firefox-ga-2.0.0.12-0.1.C30mdk.x86_64.rpm
c27e033bd501d9b09bc83f9d43be0442 corporate/3.0/x86_64/mozilla-firefox-gu_IN-2.0.0.12-0.1.C30mdk.x86_64.rpm
32f71e68bb9baacad0046e9d264ed141 corporate/3.0/x86_64/mozilla-firefox-he-2.0.0.12-0.1.C30mdk.x86_64.rpm
381fa53f3ea9ae644151f891e0688bbc corporate/3.0/x86_64/mozilla-firefox-hu-2.0.0.12-0.1.C30mdk.x86_64.rpm
5c3ae6486d80294e3838de7ea8dd343b corporate/3.0/x86_64/mozilla-firefox-it-2.0.0.12-0.1.C30mdk.x86_64.rpm
f97e6f40ccb3928672726b6adabd83ac corporate/3.0/x86_64/mozilla-firefox-ja-2.0.0.12-0.1.C30mdk.x86_64.rpm
3516aab6dfbee80f7c38ad30988d200c corporate/3.0/x86_64/mozilla-firefox-ko-2.0.0.12-0.1.C30mdk.x86_64.rpm
035763a9668bb260b123850757a62144 corporate/3.0/x86_64/mozilla-firefox-lt-2.0.0.12-0.1.C30mdk.x86_64.rpm
97af652341c9904dfd11b3ed9264040c corporate/3.0/x86_64/mozilla-firefox-mk-2.0.0.12-0.1.C30mdk.x86_64.rpm
2f1324470036d1267a4ab4b0e08c4596 corporate/3.0/x86_64/mozilla-firefox-nb-2.0.0.12-0.1.C30mdk.x86_64.rpm
e75ca84863e4d2c5fce1a4a455c0171f corporate/3.0/x86_64/mozilla-firefox-nl-2.0.0.12-0.1.C30mdk.x86_64.rpm
c83fc2d11b218e35937ba8929ea4255d corporate/3.0/x86_64/mozilla-firefox-pa_IN-2.0.0.12-0.1.C30mdk.x86_64.rpm
c183055127e20b1eb233ffe81b886817 corporate/3.0/x86_64/mozilla-firefox-pl-2.0.0.12-0.1.C30mdk.x86_64.rpm
3ebb35651e4705b782d0f4cdff5c64ee corporate/3.0/x86_64/mozilla-firefox-pt-2.0.0.12-0.1.C30mdk.x86_64.rpm
39a6d80360c585312f02a307b0840c2d corporate/3.0/x86_64/mozilla-firefox-pt_BR-2.0.0.12-0.1.C30mdk.x86_64.rpm
90f966ed0e5b6d549909d6ae619ee0e6 corporate/3.0/x86_64/mozilla-firefox-ro-2.0.0.12-0.1.C30mdk.x86_64.rpm
74e8392f29214ddef8f0369afed3265f corporate/3.0/x86_64/mozilla-firefox-ru-2.0.0.12-0.1.C30mdk.x86_64.rpm
57ea4a96ea3610ecbb438ff32ac9661a corporate/3.0/x86_64/mozilla-firefox-sk-2.0.0.12-0.1.C30mdk.x86_64.rpm
df8f8377b181bb1f0b38c0575081f590 corporate/3.0/x86_64/mozilla-firefox-sl-2.0.0.12-0.1.C30mdk.x86_64.rpm
f603bed6dbea7f856a992c15e2c4b248 corporate/3.0/x86_64/mozilla-firefox-sv-2.0.0.12-0.1.C30mdk.x86_64.rpm
bff17af242fd945eb81e7a82482f6d6b corporate/3.0/x86_64/mozilla-firefox-tr-2.0.0.12-0.1.C30mdk.x86_64.rpm
297fa42612958e1e62f4d2509c0cac8f corporate/3.0/x86_64/mozilla-firefox-uk-2.0.0.12-0.1.C30mdk.x86_64.rpm
fdfba5ea07d613b6e6c3449469af1d8a corporate/3.0/x86_64/mozilla-firefox-zh_CN-2.0.0.12-0.1.C30mdk.x86_64.rpm
93c97d643d6fa49221f6242617acfc15 corporate/3.0/x86_64/mozilla-firefox-zh_TW-2.0.0.12-0.1.C30mdk.x86_64.rpm
bc6071a867462a8f2a44aa4896530fe6 corporate/3.0/SRPMS/mozilla-firefox-2.0.0.12-0.1.C30mdk.src.rpm
3716609be655be6acb6f567c0eb7dbea corporate/3.0/SRPMS/mozilla-firefox-l10n-2.0.0.12-0.1.C30mdk.src.rpm
Corporate 4.0:
1d1711379f878dc9870bd4413e8e7f68 corporate/4.0/i586/libnspr4-2.0.0.12-0.1.20060mlcs4.i586.rpm
0d7f47aad1001d5131e9aa1de7629982 corporate/4.0/i586/libnspr4-devel-2.0.0.12-0.1.20060mlcs4.i586.rpm
4dc18c70a562094a2a35f6e4473860ce corporate/4.0/i586/libnspr4-static-devel-2.0.0.12-0.1.20060mlcs4.i586.rpm
07af2aec6447f914d2b35dec625b713f corporate/4.0/i586/libnss3-2.0.0.12-0.1.20060mlcs4.i586.rpm
089ae34703ea533c88191b886ed050a2 corporate/4.0/i586/libnss3-devel-2.0.0.12-0.1.20060mlcs4.i586.rpm
91c7705419d9ba1c6f0662e3bc363bf6 corporate/4.0/i586/mozilla-firefox-2.0.0.12-0.1.20060mlcs4.i586.rpm
7408018fbb857928a5af67ccb0e90886 corporate/4.0/i586/mozilla-firefox-af-2.0.0.12-0.1.20060mlcs4.i586.rpm
80f7f6d7f638005a44e570ed28507ea6 corporate/4.0/i586/mozilla-firefox-ar-2.0.0.12-0.1.20060mlcs4.i586.rpm
322684cd222712ce7fdc179ecd5f33b7 corporate/4.0/i586/mozilla-firefox-be-2.0.0.12-0.1.20060mlcs4.i586.rpm
a7d1d5f436099bcad673f3bf3931c774 corporate/4.0/i586/mozilla-firefox-bg-2.0.0.12-0.1.20060mlcs4.i586.rpm
c17e5bef41741156084573378cc68600 corporate/4.0/i586/mozilla-firefox-br_FR-2.0.0.12-0.1.20060mlcs4.i586.rpm
2a6ead1a302cfecc5faa8ea663c560da corporate/4.0/i586/mozilla-firefox-ca-2.0.0.12-0.1.20060mlcs4.i586.rpm
5695e1d5884f70f853522cee17e80ca5 corporate/4.0/i586/mozilla-firefox-cs-2.0.0.12-0.1.20060mlcs4.i586.rpm
a478f4f622ffbb68551fc6dab3412b41 corporate/4.0/i586/mozilla-firefox-da-2.0.0.12-0.1.20060mlcs4.i586.rpm
b573268e97885502650536df6d5e8d41 corporate/4.0/i586/mozilla-firefox-de-2.0.0.12-0.1.20060mlcs4.i586.rpm
047972e5977f81ede7b12737bc986016 corporate/4.0/i586/mozilla-firefox-devel-2.0.0.12-0.1.20060mlcs4.i586.rpm
7c166d1cf63e97c0dfc7fffa95c9c05a corporate/4.0/i586/mozilla-firefox-el-2.0.0.12-0.1.20060mlcs4.i586.rpm
cebc280567909d6019221908ab8d8005 corporate/4.0/i586/mozilla-firefox-en_GB-2.0.0.12-0.1.20060mlcs4.i586.rpm
1f55d95a626c5e3e60f1835ec38f3030 corporate/4.0/i586/mozilla-firefox-es_AR-2.0.0.12-0.1.20060mlcs4.i586.rpm
f3b8a973d1b877940228971660894755 corporate/4.0/i586/mozilla-firefox-es_ES-2.0.0.12-0.1.20060mlcs4.i586.rpm
8b062bf830d02da9b0633fb5b0d8694b corporate/4.0/i586/mozilla-firefox-et_EE-2.0.0.12-0.1.20060mlcs4.i586.rpm
99155f12e37fa7f0d233afbf7e6eb77c corporate/4.0/i586/mozilla-firefox-eu-2.0.0.12-0.1.20060mlcs4.i586.rpm
101d3e38b83859fdccd147befe69e323 corporate/4.0/i586/mozilla-firefox-fi-2.0.0.12-0.1.20060mlcs4.i586.rpm
591382083fd187a78b807f2058a47500 corporate/4.0/i586/mozilla-firefox-fr-2.0.0.12-0.1.20060mlcs4.i586.rpm
31c0256fd7f5611dcadac9d65299e4d1 corporate/4.0/i586/mozilla-firefox-fy-2.0.0.12-0.1.20060mlcs4.i586.rpm
88ddcd6d685311d4935eb9c920df7f5a corporate/4.0/i586/mozilla-firefox-ga-2.0.0.12-0.1.20060mlcs4.i586.rpm
f16d908c50d3367edf84d8f57ab98658 corporate/4.0/i586/mozilla-firefox-gu_IN-2.0.0.12-0.1.20060mlcs4.i586.rpm
de1d6367ee761e4795a479b56e386db7 corporate/4.0/i586/mozilla-firefox-he-2.0.0.12-0.1.20060mlcs4.i586.rpm
77aec187f4ed84e887c0a7f309f4b392 corporate/4.0/i586/mozilla-firefox-hu-2.0.0.12-0.1.20060mlcs4.i586.rpm
282b43d2d3588e402f543db6e04f2f0f corporate/4.0/i586/mozilla-firefox-it-2.0.0.12-0.1.20060mlcs4.i586.rpm
b47cc4f29ae05002de87dec506629da4 corporate/4.0/i586/mozilla-firefox-ja-2.0.0.12-0.1.20060mlcs4.i586.rpm
293674a0d6da859c704bbf810ec70058 corporate/4.0/i586/mozilla-firefox-ka-2.0.0.12-0.1.20060mlcs4.i586.rpm
545f8f041f6b9261e82a4aac2cb43252 corporate/4.0/i586/mozilla-firefox-ko-2.0.0.12-0.1.20060mlcs4.i586.rpm
c302d3b9648c5000e3f7901bb4bee1f3 corporate/4.0/i586/mozilla-firefox-ku-2.0.0.12-0.1.20060mlcs4.i586.rpm
731481cef1ae784c12cbc315578cccc4 corporate/4.0/i586/mozilla-firefox-lt-2.0.0.12-0.1.20060mlcs4.i586.rpm
dd7c48caf2f47bdf798b59ea3ae559f0 corporate/4.0/i586/mozilla-firefox-mk-2.0.0.12-0.1.20060mlcs4.i586.rpm
5b253e55912e1a02d6f0dc83b553dbc9 corporate/4.0/i586/mozilla-firefox-mn-2.0.0.12-0.1.20060mlcs4.i586.rpm
cd40523fa6a2d66fe7da492ffe4ad14e corporate/4.0/i586/mozilla-firefox-nb_NO-2.0.0.12-0.1.20060mlcs4.i586.rpm
f2a96a4a1164c6e2fa15fb9f679f7b09 corporate/4.0/i586/mozilla-firefox-nl-2.0.0.12-0.1.20060mlcs4.i586.rpm
06cc7a4e01a22db0d2245c28310f30cf corporate/4.0/i586/mozilla-firefox-nn_NO-2.0.0.12-0.1.20060mlcs4.i586.rpm
f775f685d33f5f72db3e38b126818981 corporate/4.0/i586/mozilla-firefox-pa_IN-2.0.0.12-0.1.20060mlcs4.i586.rpm
43a81c2218d37a9d78426616805db926 corporate/4.0/i586/mozilla-firefox-pl-2.0.0.12-0.1.20060mlcs4.i586.rpm
4663ab7aa12e2d3b76dba84708023fe1 corporate/4.0/i586/mozilla-firefox-pt_BR-2.0.0.12-0.1.20060mlcs4.i586.rpm
54471048e1c8cb1db9a7b4969bf2746e corporate/4.0/i586/mozilla-firefox-pt_PT-2.0.0.12-0.1.20060mlcs4.i586.rpm
8254befda8ff5971ceb82c10401d635b corporate/4.0/i586/mozilla-firefox-ro-2.0.0.12-0.1.20060mlcs4.i586.rpm
3b046ee77e70b291e7c59c01be14bc03 corporate/4.0/i586/mozilla-firefox-ru-2.0.0.12-0.1.20060mlcs4.i586.rpm
c657ff4c7aee04107a1ff720c308af1f corporate/4.0/i586/mozilla-firefox-sk-2.0.0.12-0.1.20060mlcs4.i586.rpm
e20b0dfc4235bc5f970de1f788875f62 corporate/4.0/i586/mozilla-firefox-sl-2.0.0.12-0.1.20060mlcs4.i586.rpm
017b941dd46c33b86b89b59b52488648 corporate/4.0/i586/mozilla-firefox-sv_SE-2.0.0.12-0.1.20060mlcs4.i586.rpm
548ff5316add85b2242194931546b211 corporate/4.0/i586/mozilla-firefox-tr-2.0.0.12-0.1.20060mlcs4.i586.rpm
d0a98b2311dcffe4f4aaa9cb18af9c59 corporate/4.0/i586/mozilla-firefox-uk-2.0.0.12-0.1.20060mlcs4.i586.rpm
1f9348318f243fe9125a01e68fb3a621 corporate/4.0/i586/mozilla-firefox-zh_CN-2.0.0.12-0.1.20060mlcs4.i586.rpm
ef213595b8e62754329e80e9b3482eb1 corporate/4.0/i586/mozilla-firefox-zh_TW-2.0.0.12-0.1.20060mlcs4.i586.rpm
e9a3ebed36c203507377ceda77761c7f corporate/4.0/SRPMS/mozilla-firefox-2.0.0.12-0.1.20060mlcs4.src.rpm
239d3534086a45aec6b748c8a392848d corporate/4.0/SRPMS/mozilla-firefox-l10n-2.0.0.12-0.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
6f27683c589e7cfe916aea2acc9ea4c5 corporate/4.0/x86_64/lib64nspr4-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
0b49dc9f56bfdbcab6667c317cd09d20 corporate/4.0/x86_64/lib64nspr4-devel-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
3b30beb9068bb3c4c93a2851efe5a072 corporate/4.0/x86_64/lib64nspr4-static-devel-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
1b1317be6976c1813bad0fae43195672 corporate/4.0/x86_64/lib64nss3-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
4462f8c4edae09073be451aa5687a9d5 corporate/4.0/x86_64/lib64nss3-devel-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
7a09a6157916830003822a98fe6cfacb corporate/4.0/x86_64/mozilla-firefox-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
0d65bb5086ea4a27857d6a2b9c06fd28 corporate/4.0/x86_64/mozilla-firefox-af-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
a73e472c10837caa909e4757c8a38a13 corporate/4.0/x86_64/mozilla-firefox-ar-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
c1d2fc656d5480c7efe54206e0cba359 corporate/4.0/x86_64/mozilla-firefox-be-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
187a400e7cba77d1d557ad1661c89f70 corporate/4.0/x86_64/mozilla-firefox-bg-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
848f364c27f60a1b57f651a11fd7bfc9 corporate/4.0/x86_64/mozilla-firefox-br_FR-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
fc687b68c63ad17b029aaf40b09081bd corporate/4.0/x86_64/mozilla-firefox-ca-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
e0f608bc089b65b7d8f4c39e70fdb07f corporate/4.0/x86_64/mozilla-firefox-cs-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
757e556773ac9d8daca19a8ee900d852 corporate/4.0/x86_64/mozilla-firefox-da-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
e29b10677a086988ce206e2ea8046176 corporate/4.0/x86_64/mozilla-firefox-de-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
469fff1b83157501441463e6d448a5db corporate/4.0/x86_64/mozilla-firefox-devel-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
883b2bfccc861c66d87ee2d743ccdcfb corporate/4.0/x86_64/mozilla-firefox-el-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
df11d3c06d75e44370f5c4d51aec25a3 corporate/4.0/x86_64/mozilla-firefox-en_GB-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
ca1e033902408029c4fd40af3be1884e corporate/4.0/x86_64/mozilla-firefox-es_AR-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
abc14977ab3e412fc421d36b1f5e5a05 corporate/4.0/x86_64/mozilla-firefox-es_ES-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
771b80cadf087492fe3322b7a6f7f66f corporate/4.0/x86_64/mozilla-firefox-et_EE-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
15a19b591c1349aed2021869e2a4c66f corporate/4.0/x86_64/mozilla-firefox-eu-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
d93321763495ff74aea00cee5dc084db corporate/4.0/x86_64/mozilla-firefox-fi-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
aa1fc91f9e645543766005a4752778dd corporate/4.0/x86_64/mozilla-firefox-fr-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
eddf29eeda44341e9cc838f1c6b24d19 corporate/4.0/x86_64/mozilla-firefox-fy-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
2e838ecca5557cc805641c3d0a285011 corporate/4.0/x86_64/mozilla-firefox-ga-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
4809fd91537881354a71fc93ff98449c corporate/4.0/x86_64/mozilla-firefox-gu_IN-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
a1617c1c7ae11b0a59e4c20e28b32559 corporate/4.0/x86_64/mozilla-firefox-he-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
2d1a864a44662e615dd169969cdac87a corporate/4.0/x86_64/mozilla-firefox-hu-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
9daafb45ed2580d3aa942fb9c2724afa corporate/4.0/x86_64/mozilla-firefox-it-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
a9b48b99056e9357e8f93234ffc35ddd corporate/4.0/x86_64/mozilla-firefox-ja-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
c16c37481ea46a9cd9925cb6a817c1c3 corporate/4.0/x86_64/mozilla-firefox-ka-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
228fa42007d14c1b14e9de4baf5dd736 corporate/4.0/x86_64/mozilla-firefox-ko-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
a1943be2528497fce78f3e046a75e133 corporate/4.0/x86_64/mozilla-firefox-ku-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
a36832b9cb2d40e20001ef05c7976ddc corporate/4.0/x86_64/mozilla-firefox-lt-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
0556b33cd92d1d98ffb76b75f00ea560 corporate/4.0/x86_64/mozilla-firefox-mk-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
94962bae734a9f359faf26c98db1ac0b corporate/4.0/x86_64/mozilla-firefox-mn-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
6327ba03cbceb74e666dd777511d2a20 corporate/4.0/x86_64/mozilla-firefox-nb_NO-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
aaa50342a183c21a0fb8e9971e47906e corporate/4.0/x86_64/mozilla-firefox-nl-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
a2433065a1d07f75399737767c455f7e corporate/4.0/x86_64/mozilla-firefox-nn_NO-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
214139bf12caf296595593ab5482d0e5 corporate/4.0/x86_64/mozilla-firefox-pa_IN-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
2e4fe93846ddfcbb40418de9cc8e2fad corporate/4.0/x86_64/mozilla-firefox-pl-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
ec0005d0f605c13b271c462d8a1e3803 corporate/4.0/x86_64/mozilla-firefox-pt_BR-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
26e0d940070213998d15c6de8cd4a2e3 corporate/4.0/x86_64/mozilla-firefox-pt_PT-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
dd357d608e05e3b3690916ac18658d60 corporate/4.0/x86_64/mozilla-firefox-ro-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
2517bd66238ea45344c179dc040b3e35 corporate/4.0/x86_64/mozilla-firefox-ru-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
a36da3c0bdd8b7b795c8231dbe38ef0e corporate/4.0/x86_64/mozilla-firefox-sk-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
81da62c563e988f6774e92f7bb89ec08 corporate/4.0/x86_64/mozilla-firefox-sl-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
049a3781090a939f28ea96feda01dc43 corporate/4.0/x86_64/mozilla-firefox-sv_SE-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
464a604c992f8c6e6ac2e9b30deec767 corporate/4.0/x86_64/mozilla-firefox-tr-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
e893954f8e64d1e9d0750e22a5ec2eae corporate/4.0/x86_64/mozilla-firefox-uk-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
4e176083661abe3e461e43381659146e corporate/4.0/x86_64/mozilla-firefox-zh_CN-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
b030162e1689f266f9d11d537546d50f corporate/4.0/x86_64/mozilla-firefox-zh_TW-2.0.0.12-0.1.20060mlcs4.x86_64.rpm
e9a3ebed36c203507377ceda77761c7f corporate/4.0/SRPMS/mozilla-firefox-2.0.0.12-0.1.20060mlcs4.src.rpm
239d3534086a45aec6b748c8a392848d corporate/4.0/SRPMS/mozilla-firefox-l10n-2.0.0.12-0.1.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
iD8DBQFHvzANmqjQ0CJFipgRAnAJAJ9WP5c754QfYoGIwYl7Q+g7bYtvkACgys8n
LD1VivpQi4F20e4H0MamS58=
=oe/t
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|
var-201310-0596
|
Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment.
The vulnerability can be exploited over multiple protocols. This issue affects the 'Deployment' sub-component. In a typical operating environment, these are of low
security risk as the runtime is not used on untrusted applets. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-10-15-1 Java for OS X 2013-005 and
Mac OS X v10.6 Update 17
Java for OS X 2013-005 and Mac OS X v10.6 Update 17 is now available
and addresses the following:
Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java 1.6.0_51
Description: 8011782 Multiple vulnerabilities existed in Java
1.6.0_51, the most serious of which may allow an untrusted Java
applet to execute arbitrary code outside the Java sandbox. Visiting a
web page containing a maliciously crafted untrusted Java applet may
lead to arbitrary code execution with the privileges of the current
user. These issues were addressed by updating to Java version
1.6.0_65. Further information is available via the Java website at ht
tp://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2013-3829
CVE-2013-4002
CVE-2013-5772
CVE-2013-5774
CVE-2013-5776
CVE-2013-5778
CVE-2013-5780
CVE-2013-5782
CVE-2013-5783
CVE-2013-5784
CVE-2013-5787
CVE-2013-5789
CVE-2013-5790
CVE-2013-5797
CVE-2013-5801
CVE-2013-5802
CVE-2013-5803
CVE-2013-5804
CVE-2013-5809
CVE-2013-5812
CVE-2013-5814
CVE-2013-5817
CVE-2013-5818
CVE-2013-5819
CVE-2013-5820
CVE-2013-5823
CVE-2013-5824
CVE-2013-5825
CVE-2013-5829
CVE-2013-5830
CVE-2013-5831
CVE-2013-5832
CVE-2013-5840
CVE-2013-5842
CVE-2013-5843
CVE-2013-5848
CVE-2013-5849
CVE-2013-5850
Java for OS X 2013-005 and Mac OS X v10.6 Update 17
may be obtained from the Software Update pane in System Preferences,
Mac App Store, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6update17.dmg
Its SHA-1 digest is: 5dfe7eaebf9726352c97964da61d57fa28246c08
For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-005.dmg
Its SHA-1 digest is: ce78f9a916b91ec408c933bd0bde5973ca8a2dc4
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJSXYc6AAoJEPefwLHPlZEwD8EP/3aN1h4wIM/BjidF3ZY+PXf3
Lzgtb8yAxh03A+J3NJCd3BKmjINXIo9Wwt9aUTktEz4UefvpF+rIsgKSinotvQt0
TmtsYPItFgs83Lj2IFBpCLurM+O0fUhje+mvVzR/KA7kHvrtXYRC5w2plWh32Smm
D4Ejh8odeR0IU3OdWV5MJpcRoRpRySX16JOEJc76SIE0+sbOLHZ90rmzyPMB0S2u
jZRq8qY3DJS9C5De97gh8F/V76fV8Aiq6RwGPs9m+tJUCJe6XLEy8Wq/G3jlKXyr
+KrradRl9Bz5oTUnVDlN9odoOGZ/J4nq4xs0RyN08uETKcw6315+7UTP3B+hD8IM
1YyWeceCd8oHtWlR/02spwaku5ctxiUZpqXQ8DxDH3e8dONBfndfmKGUnywQSFd8
vCgZR0SQgSbhtD/UnNGW9VgJsxKgO4gi17aVD/B9LYmMztsSB+wPkg96uTR6J7yh
+ogJqYeOGsMvvQd8XY++ig1bhEsfzzauEWnq3G4WG8E+Fep+5RHZewxnhzakapqW
2z7byXHNXtIP2cxL//DG/x4ed+gAWzKxZyPDPSrltw162mkJk/6mTedtpead4LH8
Ooi4Cf1HMbC9gdRBdtGNWo7EN9kr9rpajuRWjqxT5uTLAgJusKk5UnSO2KJtromy
Los4PbyC//yRidZKynqx
=I3n5
-----END PGP SIGNATURE-----
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: January 27, 2014
Bugs: #404071, #421073, #433094, #438706, #451206, #455174,
#458444, #460360, #466212, #473830, #473980, #488210, #498148
ID: 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jdk <= 1.6.0.45 Vulnerable!
2 dev-java/oracle-jdk-bin < 1.7.0.51 >= 1.7.0.51 *
3 dev-java/sun-jre-bin <= 1.6.0.45 Vulnerable!
4 dev-java/oracle-jre-bin < 1.7.0.51 >= 1.7.0.51 *
5 app-emulation/emul-linux-x86-java
< 1.7.0.51 >= 1.7.0.51 *
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
-------------------------------------------------------------------
5 affected packages
Description
===========
Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below for
details.
Impact
======
An unauthenticated, remote attacker could exploit these vulnerabilities
to execute arbitrary code.
Furthermore, a local or remote attacker could exploit these
vulnerabilities to cause unspecified impact, possibly including remote
execution of arbitrary code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.7.0.51"
All Oracle JRE 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.7.0.51"
All users of the precompiled 32-bit Oracle JRE should upgrade to the
latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.7.0.51"
All Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one
of the newer Oracle packages like dev-java/oracle-jdk-bin or
dev-java/oracle-jre-bin or choose another alternative we provide; eg.
the IBM JDK/JRE or the open source IcedTea.
References
==========
[ 1 ] CVE-2011-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3563
[ 2 ] CVE-2011-5035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5035
[ 3 ] CVE-2012-0497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0497
[ 4 ] CVE-2012-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0498
[ 5 ] CVE-2012-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0499
[ 6 ] CVE-2012-0500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0500
[ 7 ] CVE-2012-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0501
[ 8 ] CVE-2012-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0502
[ 9 ] CVE-2012-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0503
[ 10 ] CVE-2012-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0504
[ 11 ] CVE-2012-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0505
[ 12 ] CVE-2012-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0506
[ 13 ] CVE-2012-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0507
[ 14 ] CVE-2012-0547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547
[ 15 ] CVE-2012-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1531
[ 16 ] CVE-2012-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1532
[ 17 ] CVE-2012-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1533
[ 18 ] CVE-2012-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1541
[ 19 ] CVE-2012-1682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682
[ 20 ] CVE-2012-1711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711
[ 21 ] CVE-2012-1713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713
[ 22 ] CVE-2012-1716
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716
[ 23 ] CVE-2012-1717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717
[ 24 ] CVE-2012-1718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718
[ 25 ] CVE-2012-1719
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719
[ 26 ] CVE-2012-1721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1721
[ 27 ] CVE-2012-1722
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1722
[ 28 ] CVE-2012-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723
[ 29 ] CVE-2012-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724
[ 30 ] CVE-2012-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725
[ 31 ] CVE-2012-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726
[ 32 ] CVE-2012-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136
[ 33 ] CVE-2012-3143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3143
[ 34 ] CVE-2012-3159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3159
[ 35 ] CVE-2012-3174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174
[ 36 ] CVE-2012-3213
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3213
[ 37 ] CVE-2012-3216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3216
[ 38 ] CVE-2012-3342
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3342
[ 39 ] CVE-2012-4416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4416
[ 40 ] CVE-2012-4681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681
[ 41 ] CVE-2012-5067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5067
[ 42 ] CVE-2012-5068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5068
[ 43 ] CVE-2012-5069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5069
[ 44 ] CVE-2012-5070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5070
[ 45 ] CVE-2012-5071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5071
[ 46 ] CVE-2012-5072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5072
[ 47 ] CVE-2012-5073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5073
[ 48 ] CVE-2012-5074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5074
[ 49 ] CVE-2012-5075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5075
[ 50 ] CVE-2012-5076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5076
[ 51 ] CVE-2012-5077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5077
[ 52 ] CVE-2012-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5079
[ 53 ] CVE-2012-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5081
[ 54 ] CVE-2012-5083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5083
[ 55 ] CVE-2012-5084
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5084
[ 56 ] CVE-2012-5085
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5085
[ 57 ] CVE-2012-5086
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5086
[ 58 ] CVE-2012-5087
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5087
[ 59 ] CVE-2012-5088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5088
[ 60 ] CVE-2012-5089
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5089
[ 61 ] CVE-2013-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169
[ 62 ] CVE-2013-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0351
[ 63 ] CVE-2013-0401
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401
[ 64 ] CVE-2013-0402
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0402
[ 65 ] CVE-2013-0409
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0409
[ 66 ] CVE-2013-0419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0419
[ 67 ] CVE-2013-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422
[ 68 ] CVE-2013-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0423
[ 69 ] CVE-2013-0430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0430
[ 70 ] CVE-2013-0437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0437
[ 71 ] CVE-2013-0438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0438
[ 72 ] CVE-2013-0445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0445
[ 73 ] CVE-2013-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0446
[ 74 ] CVE-2013-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0448
[ 75 ] CVE-2013-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0449
[ 76 ] CVE-2013-0809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809
[ 77 ] CVE-2013-1473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1473
[ 78 ] CVE-2013-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1479
[ 79 ] CVE-2013-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1481
[ 80 ] CVE-2013-1484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484
[ 81 ] CVE-2013-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485
[ 82 ] CVE-2013-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486
[ 83 ] CVE-2013-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1487
[ 84 ] CVE-2013-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488
[ 85 ] CVE-2013-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1491
[ 86 ] CVE-2013-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493
[ 87 ] CVE-2013-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1500
[ 88 ] CVE-2013-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518
[ 89 ] CVE-2013-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537
[ 90 ] CVE-2013-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1540
[ 91 ] CVE-2013-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557
[ 92 ] CVE-2013-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1558
[ 93 ] CVE-2013-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1561
[ 94 ] CVE-2013-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1563
[ 95 ] CVE-2013-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1564
[ 96 ] CVE-2013-1569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569
[ 97 ] CVE-2013-1571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571
[ 98 ] CVE-2013-2383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383
[ 99 ] CVE-2013-2384
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384
[ 100 ] CVE-2013-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2394
[ 101 ] CVE-2013-2400
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2400
[ 102 ] CVE-2013-2407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2407
[ 103 ] CVE-2013-2412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2412
[ 104 ] CVE-2013-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2414
[ 105 ] CVE-2013-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415
[ 106 ] CVE-2013-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2416
[ 107 ] CVE-2013-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417
[ 108 ] CVE-2013-2418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2418
[ 109 ] CVE-2013-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419
[ 110 ] CVE-2013-2420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420
[ 111 ] CVE-2013-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421
[ 112 ] CVE-2013-2422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422
[ 113 ] CVE-2013-2423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423
[ 114 ] CVE-2013-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424
[ 115 ] CVE-2013-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2425
[ 116 ] CVE-2013-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426
[ 117 ] CVE-2013-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2427
[ 118 ] CVE-2013-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2428
[ 119 ] CVE-2013-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429
[ 120 ] CVE-2013-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430
[ 121 ] CVE-2013-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431
[ 122 ] CVE-2013-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2432
[ 123 ] CVE-2013-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2433
[ 124 ] CVE-2013-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2434
[ 125 ] CVE-2013-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2435
[ 126 ] CVE-2013-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436
[ 127 ] CVE-2013-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2437
[ 128 ] CVE-2013-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2438
[ 129 ] CVE-2013-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2439
[ 130 ] CVE-2013-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2440
[ 131 ] CVE-2013-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2442
[ 132 ] CVE-2013-2443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2443
[ 133 ] CVE-2013-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2444
[ 134 ] CVE-2013-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2445
[ 135 ] CVE-2013-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2446
[ 136 ] CVE-2013-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2447
[ 137 ] CVE-2013-2448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2448
[ 138 ] CVE-2013-2449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2449
[ 139 ] CVE-2013-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2450
[ 140 ] CVE-2013-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2451
[ 141 ] CVE-2013-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2452
[ 142 ] CVE-2013-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2453
[ 143 ] CVE-2013-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2454
[ 144 ] CVE-2013-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2455
[ 145 ] CVE-2013-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2456
[ 146 ] CVE-2013-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2457
[ 147 ] CVE-2013-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2458
[ 148 ] CVE-2013-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2459
[ 149 ] CVE-2013-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2460
[ 150 ] CVE-2013-2461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2461
[ 151 ] CVE-2013-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2462
[ 152 ] CVE-2013-2463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2463
[ 153 ] CVE-2013-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2464
[ 154 ] CVE-2013-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2465
[ 155 ] CVE-2013-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2466
[ 156 ] CVE-2013-2467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2467
[ 157 ] CVE-2013-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2468
[ 158 ] CVE-2013-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2469
[ 159 ] CVE-2013-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2470
[ 160 ] CVE-2013-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2471
[ 161 ] CVE-2013-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2472
[ 162 ] CVE-2013-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2473
[ 163 ] CVE-2013-3743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3743
[ 164 ] CVE-2013-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3744
[ 165 ] CVE-2013-3829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3829
[ 166 ] CVE-2013-5772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5772
[ 167 ] CVE-2013-5774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5774
[ 168 ] CVE-2013-5775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5775
[ 169 ] CVE-2013-5776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5776
[ 170 ] CVE-2013-5777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5777
[ 171 ] CVE-2013-5778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5778
[ 172 ] CVE-2013-5780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5780
[ 173 ] CVE-2013-5782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5782
[ 174 ] CVE-2013-5783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5783
[ 175 ] CVE-2013-5784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5784
[ 176 ] CVE-2013-5787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5787
[ 177 ] CVE-2013-5788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5788
[ 178 ] CVE-2013-5789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5789
[ 179 ] CVE-2013-5790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5790
[ 180 ] CVE-2013-5797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5797
[ 181 ] CVE-2013-5800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5800
[ 182 ] CVE-2013-5801
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5801
[ 183 ] CVE-2013-5802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5802
[ 184 ] CVE-2013-5803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5803
[ 185 ] CVE-2013-5804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5804
[ 186 ] CVE-2013-5805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5805
[ 187 ] CVE-2013-5806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5806
[ 188 ] CVE-2013-5809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5809
[ 189 ] CVE-2013-5810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5810
[ 190 ] CVE-2013-5812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5812
[ 191 ] CVE-2013-5814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5814
[ 192 ] CVE-2013-5817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5817
[ 193 ] CVE-2013-5818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5818
[ 194 ] CVE-2013-5819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5819
[ 195 ] CVE-2013-5820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5820
[ 196 ] CVE-2013-5823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5823
[ 197 ] CVE-2013-5824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5824
[ 198 ] CVE-2013-5825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5825
[ 199 ] CVE-2013-5829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5829
[ 200 ] CVE-2013-5830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5830
[ 201 ] CVE-2013-5831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5831
[ 202 ] CVE-2013-5832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5832
[ 203 ] CVE-2013-5838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5838
[ 204 ] CVE-2013-5840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5840
[ 205 ] CVE-2013-5842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5842
[ 206 ] CVE-2013-5843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5843
[ 207 ] CVE-2013-5844
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5844
[ 208 ] CVE-2013-5846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5846
[ 209 ] CVE-2013-5848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5848
[ 210 ] CVE-2013-5849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5849
[ 211 ] CVE-2013-5850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5850
[ 212 ] CVE-2013-5851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5851
[ 213 ] CVE-2013-5852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5852
[ 214 ] CVE-2013-5854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5854
[ 215 ] CVE-2013-5870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5870
[ 216 ] CVE-2013-5878
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5878
[ 217 ] CVE-2013-5887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5887
[ 218 ] CVE-2013-5888
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5888
[ 219 ] CVE-2013-5889
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5889
[ 220 ] CVE-2013-5893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5893
[ 221 ] CVE-2013-5895
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5895
[ 222 ] CVE-2013-5896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5896
[ 223 ] CVE-2013-5898
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5898
[ 224 ] CVE-2013-5899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5899
[ 225 ] CVE-2013-5902
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5902
[ 226 ] CVE-2013-5904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5904
[ 227 ] CVE-2013-5905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5905
[ 228 ] CVE-2013-5906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5906
[ 229 ] CVE-2013-5907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5907
[ 230 ] CVE-2013-5910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5910
[ 231 ] CVE-2014-0368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0368
[ 232 ] CVE-2014-0373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0373
[ 233 ] CVE-2014-0375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0375
[ 234 ] CVE-2014-0376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0376
[ 235 ] CVE-2014-0382
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0382
[ 236 ] CVE-2014-0385
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0385
[ 237 ] CVE-2014-0387
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0387
[ 238 ] CVE-2014-0403
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0403
[ 239 ] CVE-2014-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0408
[ 240 ] CVE-2014-0410
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0410
[ 241 ] CVE-2014-0411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0411
[ 242 ] CVE-2014-0415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0415
[ 243 ] CVE-2014-0416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0416
[ 244 ] CVE-2014-0417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0417
[ 245 ] CVE-2014-0418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0418
[ 246 ] CVE-2014-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0422
[ 247 ] CVE-2014-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0423
[ 248 ] CVE-2014-0424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0424
[ 249 ] CVE-2014-0428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0428
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-30.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.6.0-ibm security update
Advisory ID: RHSA-2013:1508-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1508.html
Issue date: 2013-11-07
CVE Names: CVE-2013-3829 CVE-2013-4041 CVE-2013-5372
CVE-2013-5375 CVE-2013-5457 CVE-2013-5772
CVE-2013-5774 CVE-2013-5776 CVE-2013-5778
CVE-2013-5780 CVE-2013-5782 CVE-2013-5783
CVE-2013-5784 CVE-2013-5787 CVE-2013-5789
CVE-2013-5797 CVE-2013-5801 CVE-2013-5802
CVE-2013-5803 CVE-2013-5804 CVE-2013-5809
CVE-2013-5812 CVE-2013-5814 CVE-2013-5817
CVE-2013-5818 CVE-2013-5819 CVE-2013-5820
CVE-2013-5823 CVE-2013-5824 CVE-2013-5825
CVE-2013-5829 CVE-2013-5830 CVE-2013-5831
CVE-2013-5832 CVE-2013-5840 CVE-2013-5842
CVE-2013-5843 CVE-2013-5848 CVE-2013-5849
CVE-2013-5850 CVE-2013-5851
=====================================================================
1. Summary:
Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.
This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM Security alerts page,
listed in the References section. (CVE-2013-3829, CVE-2013-4041,
CVE-2013-5372, CVE-2013-5375, CVE-2013-5457, CVE-2013-5772, CVE-2013-5774,
CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783,
CVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5797, CVE-2013-5801,
CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812,
CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820,
CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830,
CVE-2013-5831, CVE-2013-5832, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843,
CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851)
All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 6 SR15 release. All running
instances of IBM Java must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
1018713 - CVE-2013-5803 OpenJDK: insufficient checks of KDC replies (JGSS, 8014341)
1018717 - CVE-2013-5772 OpenJDK: insufficient html escaping in jhat (jhat, 8011081)
1018720 - CVE-2013-5797 OpenJDK: insufficient escaping of window title string (Javadoc, 8016675)
1018727 - CVE-2013-5784 OpenJDK: insufficient InterfaceImplementor security checks (Scripting, 8017299)
1018750 - CVE-2013-5849 OpenJDK: insufficient DataFlavor security checks (AWT, 8012277)
1018785 - CVE-2013-5780 OpenJDK: key data leak via toString() methods (Libraries, 8011071)
1018831 - CVE-2013-5840 OpenJDK: getDeclaringClass() information leak (Libraries, 8014349)
1018972 - CVE-2013-5820 OpenJDK: insufficient security checks (JAXWS, 8017505)
1018977 - CVE-2013-5851 OpenJDK: XML stream factory finder information leak (JAXP, 8013502)
1018984 - CVE-2013-5778 OpenJDK: image conversion out of bounds read (2D, 8014102)
1019108 - CVE-2013-5782 OpenJDK: Incorrect awt_getPixelByte/awt_getPixelShort/awt_setPixelByte/awt_setPixelShort image raster checks (2D, 8014093)
1019110 - CVE-2013-5830 OpenJDK: checkPackageAccess missing security check (Libraries, 8017291)
1019113 - CVE-2013-5809 OpenJDK: JPEGImageReader and JPEGImageWriter missing band size checks (2D, 8013510)
1019115 - CVE-2013-5829 OpenJDK: Java2d Disposer security bypass (2D, 8017287)
1019117 - CVE-2013-5814 OpenJDK: RMIConnection stub missing permission check (CORBA, 8011157)
1019118 - CVE-2013-5817 OpenJDK: VersionHelper12 does not honor modifyThreadGroup restriction (JNDI, 8013739)
1019123 - CVE-2013-5842 OpenJDK: ObjectInputStream/ObjectOutputStream missing checks (Libraries, 8014987)
1019127 - CVE-2013-5850 OpenJDK: Missing CORBA security checks (Libraries, 8017196)
1019130 - CVE-2013-5802 OpenJDK: javax.xml.transform.TransformerFactory does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425)
1019131 - CVE-2013-5804 OpenJDK: javac does not ignore certain ignorable characters (Javadoc, 8016653)
1019133 - CVE-2013-3829 OpenJDK: java.util.TimeZone does not restrict setting of default time zone (Libraries, 8001029)
1019137 - CVE-2013-5783 OpenJDK: JTable not properly performing certain access checks (Swing, 8013744)
1019139 - CVE-2013-5825 OpenJDK: XML parsing Denial of Service (JAXP, 8014530)
1019145 - CVE-2013-5823 OpenJDK: com.sun.org.apache.xml.internal.security.utils.UnsyncByteArrayOutputStream Denial of Service (Security, 8021290)
1019147 - CVE-2013-5774 OpenJDK: Inet6Address class IPv6 address processing errors (Libraries, 8015743)
1019691 - CVE-2013-5824 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019693 - CVE-2013-5787 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019697 - CVE-2013-5789 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019701 - CVE-2013-5843 Oracle JDK: unspecified vulnerability fixed in 7u45 (2D)
1019702 - CVE-2013-5832 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019706 - CVE-2013-5812 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019710 - CVE-2013-5801 Oracle JDK: unspecified vulnerability fixed in 7u45 (2D)
1019712 - CVE-2013-5776 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019713 - CVE-2013-5818 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019715 - CVE-2013-5819 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019716 - CVE-2013-5831 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019720 - CVE-2013-5848 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1027760 - CVE-2013-5457 IBM JDK: unspecified sandbox bypass (ORB)
1027764 - CVE-2013-4041 IBM JDK: unspecified sandbox bypass (JVM)
1027768 - CVE-2013-5375 IBM JDK: unspecified sandbox bypass (XML)
1027825 - CVE-2013-5372 IBM JDK: XML4J xml entity expansion excessive memory use (XML)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
x86_64:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
ppc:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.0-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.ppc64.rpm
s390x:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.0-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.s390x.rpm
x86_64:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el5_10.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
x86_64:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
ppc64:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el6_4.ppc64.rpm
s390x:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el6_4.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.s390.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el6_4.s390x.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el6_4.s390x.rpm
x86_64:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
x86_64:
java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.0-1jpp.1.el6_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2013-3829.html
https://www.redhat.com/security/data/cve/CVE-2013-4041.html
https://www.redhat.com/security/data/cve/CVE-2013-5372.html
https://www.redhat.com/security/data/cve/CVE-2013-5375.html
https://www.redhat.com/security/data/cve/CVE-2013-5457.html
https://www.redhat.com/security/data/cve/CVE-2013-5772.html
https://www.redhat.com/security/data/cve/CVE-2013-5774.html
https://www.redhat.com/security/data/cve/CVE-2013-5776.html
https://www.redhat.com/security/data/cve/CVE-2013-5778.html
https://www.redhat.com/security/data/cve/CVE-2013-5780.html
https://www.redhat.com/security/data/cve/CVE-2013-5782.html
https://www.redhat.com/security/data/cve/CVE-2013-5783.html
https://www.redhat.com/security/data/cve/CVE-2013-5784.html
https://www.redhat.com/security/data/cve/CVE-2013-5787.html
https://www.redhat.com/security/data/cve/CVE-2013-5789.html
https://www.redhat.com/security/data/cve/CVE-2013-5797.html
https://www.redhat.com/security/data/cve/CVE-2013-5801.html
https://www.redhat.com/security/data/cve/CVE-2013-5802.html
https://www.redhat.com/security/data/cve/CVE-2013-5803.html
https://www.redhat.com/security/data/cve/CVE-2013-5804.html
https://www.redhat.com/security/data/cve/CVE-2013-5809.html
https://www.redhat.com/security/data/cve/CVE-2013-5812.html
https://www.redhat.com/security/data/cve/CVE-2013-5814.html
https://www.redhat.com/security/data/cve/CVE-2013-5817.html
https://www.redhat.com/security/data/cve/CVE-2013-5818.html
https://www.redhat.com/security/data/cve/CVE-2013-5819.html
https://www.redhat.com/security/data/cve/CVE-2013-5820.html
https://www.redhat.com/security/data/cve/CVE-2013-5823.html
https://www.redhat.com/security/data/cve/CVE-2013-5824.html
https://www.redhat.com/security/data/cve/CVE-2013-5825.html
https://www.redhat.com/security/data/cve/CVE-2013-5829.html
https://www.redhat.com/security/data/cve/CVE-2013-5830.html
https://www.redhat.com/security/data/cve/CVE-2013-5831.html
https://www.redhat.com/security/data/cve/CVE-2013-5832.html
https://www.redhat.com/security/data/cve/CVE-2013-5840.html
https://www.redhat.com/security/data/cve/CVE-2013-5842.html
https://www.redhat.com/security/data/cve/CVE-2013-5843.html
https://www.redhat.com/security/data/cve/CVE-2013-5848.html
https://www.redhat.com/security/data/cve/CVE-2013-5849.html
https://www.redhat.com/security/data/cve/CVE-2013-5850.html
https://www.redhat.com/security/data/cve/CVE-2013-5851.html
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFSe8jXXlSAg2UNWIIRAlasAKCF/FTTf0mHlJWUTRoqX/RZHDdHZwCfTn5o
l4arnSvYVuv2Iga1N14OzOI=
=3iS4
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04031205
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04031205
Version: 1
HPSBUX02943 rev.1 - HP-UX Running Java6, Remote Unauthorized Access,
Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-12-04
Last Updated: 2013-12-04
Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in the Java Runtime
Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other exploits.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE v6.0.20 and
earlier.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-3829 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-4002 (AV:N/AC:M/Au:N/C:N/I:N/A:C) 7.1
CVE-2013-5772 (AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6
CVE-2013-5774 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-5776 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-5778 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-5780 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-5782 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5783 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-5784 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2013-5787 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5789 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5790 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-5797 (AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5
CVE-2013-5801 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-5802 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-5803 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2013-5804 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-5809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5812 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 6.4
CVE-2013-5814 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5817 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5818 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-5819 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-5820 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-5823 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-5824 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5825 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-5829 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5830 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5831 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-5840 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-5842 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5843 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-5848 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-5849 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-5852 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrade to resolve these
vulnerabilities.
The upgrade is available from the following location: http://www.hp.com/java
OS Version
Release Version
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v6.0.21 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0 update to Java v6.0.21 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
===========
Jdk60.JDK60-COM
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
Jre60.JRE60-COM
Jre60.JRE60-COM-DOC
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.21.00 or subsequent
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.21.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 4 December 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners |
|
var-201202-0070
|
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect availability via unknown vectors.
The vulnerability can be exploited over multiple protocols. This issue affects the 'Java Runtime Environment' sub-component.
This vulnerability affects the following supported versions:
7 Update 2, 6 Update 30, 5.0 Update 33. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-04-03-1 Java for OS X 2012-001 and
Java for Mac OS X 10.6 Update 7
Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7 is now
available and addresses the following:
Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: Multiple vulnerabilities in Java 1.6.0_29
Description: Multiple vulnerabilities exist in Java 1.6.0_29, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues are addressed by updating to Java version 1.6.0_31.
Further information is available via the Java website at http://www.o
racle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2011-3563
CVE-2011-5035
CVE-2012-0497
CVE-2012-0498
CVE-2012-0499
CVE-2012-0500
CVE-2012-0501
CVE-2012-0502
CVE-2012-0503
CVE-2012-0505
CVE-2012-0506
CVE-2012-0507
Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7
may be obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.dmg
Its SHA-1 digest is: f76807153bc0ca253e4a466a2a8c0abf1e180667
For OS X Lion systems
The download file is named: JavaForOSX.dmg
Its SHA-1 digest is: 176ac1f8e79b4245301e84b616de5105ccd13e16
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQEcBAEBAgAGBQJPezVqAAoJEGnF2JsdZQee7gIIALa7b5hVTKL7kOXF7EYT6wjx
VnAmxoQbjEwpBkdzPzqqhCQ303/iBdLdHr2O/yxdaX0tFuB+5+4iInPU2t6O+PNh
7iJ3rhQszzIj5q/qGDXyzIQEjurNfvrEKAxQ3T7uj1At+n/9YVBaw8p6i+HopbRc
Fo6Jrxy0Qf/MyeGO4lqxht2Aq8omh+pEBNP68EglqrJp/CjZTYGaFAHVGvnm8/gA
wjcpIRQBacXcBCJ3K8pZhuQvXhm+GVLWYgc2KGsZ/l7jbQX5Bi67b7CFf7lBHlyd
V7ss6N/0T/O3nspdhg+jhnvcaia1Ow3GikC/707NNkM8Dm3lm0DFVMBBgpNvPcU=
=Pf96
-----END PGP SIGNATURE-----
. In a typical operating environment, these are of low security risk as
the runtime is not used on untrusted applets.
CVE-2011-3377
The Iced Tea browser plugin included in the openjdk-6 package
does not properly enforce the Same Origin Policy on web content
served under a domain name which has a common suffix with the
required domain name.
CVE-2012-0505
The Java serialization code leaked references to serialization
exceptions, possibly leaking critical objects to untrusted
code in Java applets and applications.
For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 6b24-1.11.1-1. ============================================================================
Ubuntu Security Notice USN-1373-2
March 01, 2012
openjdk-6b18 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
Multiple vulnerabilities in OpenJDK 6 for the ARM architecture have
been fixed.
Software Description:
- openjdk-6b18: Open Source Java implementation
Details:
USN 1373-1 fixed vulnerabilities in OpenJDK 6 in Ubuntu 10.04 LTS,
Ubuntu 10.10 and Ubuntu 11.04 for all architectures except for ARM
(armel). This provides the corresponding OpenJDK 6 update for use
with the ARM (armel) architecture in Ubuntu 10.04 LTS, Ubuntu 10.10
and Ubuntu 11.04. A remote attacker could
cause a denial of service by sending special requests that trigger
hash collisions predictably. This may be increased
by adjusting the sun.net.httpserver.maxReqHeaders property. (CVE-2012-0497)
It was discovered that an off-by-one error exists in the Java ZIP
file processing code. An attacker could us this to cause a denial of
service through a maliciously crafted ZIP file. (CVE-2012-0507)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
icedtea-6-jre-cacao 6b18-1.8.13-0ubuntu1~11.04.1
icedtea-6-jre-jamvm 6b18-1.8.13-0ubuntu1~11.04.1
openjdk-6-jre 6b18-1.8.13-0ubuntu1~11.04.1
openjdk-6-jre-headless 6b18-1.8.13-0ubuntu1~11.04.1
openjdk-6-jre-zero 6b18-1.8.13-0ubuntu1~11.04.1
Ubuntu 10.10:
icedtea-6-jre-cacao 6b18-1.8.13-0ubuntu1~10.10.1
openjdk-6-jre 6b18-1.8.13-0ubuntu1~10.10.1
openjdk-6-jre-headless 6b18-1.8.13-0ubuntu1~10.10.1
openjdk-6-jre-zero 6b18-1.8.13-0ubuntu1~10.10.1
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b18-1.8.13-0ubuntu1~10.04.1
openjdk-6-jre 6b18-1.8.13-0ubuntu1~10.04.1
openjdk-6-jre-headless 6b18-1.8.13-0ubuntu1~10.04.1
openjdk-6-jre-zero 6b18-1.8.13-0ubuntu1~10.04.1
After a standard system update you need to restart any Java applications
or applets to make all the necessary changes.
Release Date: 2012-04-02
Last Updated: 2012-04-02
------------------------------------------------------------------------------
Potential Security Impact: Remote unauthorized access, disclosure of information, and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running HP JDK and JRE 5.0.24 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2011-3389 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2011-3521 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3545 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3547 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-3548 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3549 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3552 (AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6
CVE-2011-3554 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3556 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-3557 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2011-3560 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2011-3563 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 6.4
CVE-2012-0498 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-0499 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-0501 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-0502 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 6.4
CVE-2012-0503 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2012-0505 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2012-0506 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-0507 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrades to resolve these vulnerabilities.
The upgrades are available from the following location
http://www.hp.com/go/java
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v5.0.25 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v5.0.24 and earlier, update to Java v5.0.25 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk15.JDK15
Jdk15.JDK15-COM
Jdk15.JDK15-DEMO
Jdk15.JDK15-IPF32
Jdk15.JDK15-IPF64
Jdk15.JDK15-COM
Jdk15.JDK15-DEMO
Jdk15.JDK15-PA20
Jdk15.JDK15-PA20W
Jre15.JRE15
Jre15.JRE15-COM
Jre15.JRE15-IPF32
Jre15.JRE15-IPF32-HS
Jre15.JRE15-IPF64
Jre15.JRE15-IPF64-HS
Jre15.JRE15-PA20
Jre15.JRE15-PA20-HS
Jre15.JRE15-PA20W
Jre15.JRE15-PA20W-HS
action: install revision 1.5.0.25.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 2 April 2012 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: January 27, 2014
Bugs: #404071, #421073, #433094, #438706, #451206, #455174,
#458444, #460360, #466212, #473830, #473980, #488210, #498148
ID: 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jdk <= 1.6.0.45 Vulnerable!
2 dev-java/oracle-jdk-bin < 1.7.0.51 >= 1.7.0.51 *
3 dev-java/sun-jre-bin <= 1.6.0.45 Vulnerable!
4 dev-java/oracle-jre-bin < 1.7.0.51 >= 1.7.0.51 *
5 app-emulation/emul-linux-x86-java
< 1.7.0.51 >= 1.7.0.51 *
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
-------------------------------------------------------------------
5 affected packages
Description
===========
Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below for
details.
Impact
======
An unauthenticated, remote attacker could exploit these vulnerabilities
to execute arbitrary code.
Furthermore, a local or remote attacker could exploit these
vulnerabilities to cause unspecified impact, possibly including remote
execution of arbitrary code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.7.0.51"
All Oracle JRE 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.7.0.51"
All users of the precompiled 32-bit Oracle JRE should upgrade to the
latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.7.0.51"
All Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one
of the newer Oracle packages like dev-java/oracle-jdk-bin or
dev-java/oracle-jre-bin or choose another alternative we provide; eg.
the IBM JDK/JRE or the open source IcedTea.
NOTE: As Oracle has revoked the DLJ license for its Java
implementation, the packages can no longer be updated automatically.
References
==========
[ 1 ] CVE-2011-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3563
[ 2 ] CVE-2011-5035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5035
[ 3 ] CVE-2012-0497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0497
[ 4 ] CVE-2012-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0498
[ 5 ] CVE-2012-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0499
[ 6 ] CVE-2012-0500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0500
[ 7 ] CVE-2012-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0501
[ 8 ] CVE-2012-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0502
[ 9 ] CVE-2012-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0503
[ 10 ] CVE-2012-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0504
[ 11 ] CVE-2012-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0505
[ 12 ] CVE-2012-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0506
[ 13 ] CVE-2012-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0507
[ 14 ] CVE-2012-0547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547
[ 15 ] CVE-2012-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1531
[ 16 ] CVE-2012-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1532
[ 17 ] CVE-2012-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1533
[ 18 ] CVE-2012-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1541
[ 19 ] CVE-2012-1682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682
[ 20 ] CVE-2012-1711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711
[ 21 ] CVE-2012-1713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713
[ 22 ] CVE-2012-1716
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716
[ 23 ] CVE-2012-1717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717
[ 24 ] CVE-2012-1718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718
[ 25 ] CVE-2012-1719
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719
[ 26 ] CVE-2012-1721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1721
[ 27 ] CVE-2012-1722
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1722
[ 28 ] CVE-2012-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723
[ 29 ] CVE-2012-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724
[ 30 ] CVE-2012-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725
[ 31 ] CVE-2012-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726
[ 32 ] CVE-2012-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136
[ 33 ] CVE-2012-3143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3143
[ 34 ] CVE-2012-3159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3159
[ 35 ] CVE-2012-3174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174
[ 36 ] CVE-2012-3213
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3213
[ 37 ] CVE-2012-3216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3216
[ 38 ] CVE-2012-3342
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3342
[ 39 ] CVE-2012-4416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4416
[ 40 ] CVE-2012-4681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681
[ 41 ] CVE-2012-5067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5067
[ 42 ] CVE-2012-5068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5068
[ 43 ] CVE-2012-5069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5069
[ 44 ] CVE-2012-5070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5070
[ 45 ] CVE-2012-5071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5071
[ 46 ] CVE-2012-5072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5072
[ 47 ] CVE-2012-5073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5073
[ 48 ] CVE-2012-5074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5074
[ 49 ] CVE-2012-5075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5075
[ 50 ] CVE-2012-5076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5076
[ 51 ] CVE-2012-5077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5077
[ 52 ] CVE-2012-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5079
[ 53 ] CVE-2012-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5081
[ 54 ] CVE-2012-5083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5083
[ 55 ] CVE-2012-5084
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5084
[ 56 ] CVE-2012-5085
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5085
[ 57 ] CVE-2012-5086
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5086
[ 58 ] CVE-2012-5087
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5087
[ 59 ] CVE-2012-5088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5088
[ 60 ] CVE-2012-5089
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5089
[ 61 ] CVE-2013-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169
[ 62 ] CVE-2013-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0351
[ 63 ] CVE-2013-0401
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401
[ 64 ] CVE-2013-0402
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0402
[ 65 ] CVE-2013-0409
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0409
[ 66 ] CVE-2013-0419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0419
[ 67 ] CVE-2013-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422
[ 68 ] CVE-2013-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0423
[ 69 ] CVE-2013-0430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0430
[ 70 ] CVE-2013-0437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0437
[ 71 ] CVE-2013-0438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0438
[ 72 ] CVE-2013-0445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0445
[ 73 ] CVE-2013-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0446
[ 74 ] CVE-2013-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0448
[ 75 ] CVE-2013-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0449
[ 76 ] CVE-2013-0809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809
[ 77 ] CVE-2013-1473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1473
[ 78 ] CVE-2013-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1479
[ 79 ] CVE-2013-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1481
[ 80 ] CVE-2013-1484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484
[ 81 ] CVE-2013-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485
[ 82 ] CVE-2013-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486
[ 83 ] CVE-2013-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1487
[ 84 ] CVE-2013-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488
[ 85 ] CVE-2013-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1491
[ 86 ] CVE-2013-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493
[ 87 ] CVE-2013-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1500
[ 88 ] CVE-2013-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518
[ 89 ] CVE-2013-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537
[ 90 ] CVE-2013-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1540
[ 91 ] CVE-2013-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557
[ 92 ] CVE-2013-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1558
[ 93 ] CVE-2013-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1561
[ 94 ] CVE-2013-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1563
[ 95 ] CVE-2013-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1564
[ 96 ] CVE-2013-1569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569
[ 97 ] CVE-2013-1571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571
[ 98 ] CVE-2013-2383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383
[ 99 ] CVE-2013-2384
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384
[ 100 ] CVE-2013-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2394
[ 101 ] CVE-2013-2400
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2400
[ 102 ] CVE-2013-2407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2407
[ 103 ] CVE-2013-2412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2412
[ 104 ] CVE-2013-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2414
[ 105 ] CVE-2013-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415
[ 106 ] CVE-2013-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2416
[ 107 ] CVE-2013-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417
[ 108 ] CVE-2013-2418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2418
[ 109 ] CVE-2013-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419
[ 110 ] CVE-2013-2420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420
[ 111 ] CVE-2013-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421
[ 112 ] CVE-2013-2422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422
[ 113 ] CVE-2013-2423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423
[ 114 ] CVE-2013-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424
[ 115 ] CVE-2013-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2425
[ 116 ] CVE-2013-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426
[ 117 ] CVE-2013-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2427
[ 118 ] CVE-2013-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2428
[ 119 ] CVE-2013-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429
[ 120 ] CVE-2013-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430
[ 121 ] CVE-2013-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431
[ 122 ] CVE-2013-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2432
[ 123 ] CVE-2013-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2433
[ 124 ] CVE-2013-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2434
[ 125 ] CVE-2013-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2435
[ 126 ] CVE-2013-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436
[ 127 ] CVE-2013-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2437
[ 128 ] CVE-2013-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2438
[ 129 ] CVE-2013-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2439
[ 130 ] CVE-2013-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2440
[ 131 ] CVE-2013-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2442
[ 132 ] CVE-2013-2443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2443
[ 133 ] CVE-2013-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2444
[ 134 ] CVE-2013-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2445
[ 135 ] CVE-2013-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2446
[ 136 ] CVE-2013-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2447
[ 137 ] CVE-2013-2448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2448
[ 138 ] CVE-2013-2449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2449
[ 139 ] CVE-2013-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2450
[ 140 ] CVE-2013-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2451
[ 141 ] CVE-2013-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2452
[ 142 ] CVE-2013-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2453
[ 143 ] CVE-2013-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2454
[ 144 ] CVE-2013-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2455
[ 145 ] CVE-2013-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2456
[ 146 ] CVE-2013-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2457
[ 147 ] CVE-2013-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2458
[ 148 ] CVE-2013-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2459
[ 149 ] CVE-2013-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2460
[ 150 ] CVE-2013-2461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2461
[ 151 ] CVE-2013-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2462
[ 152 ] CVE-2013-2463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2463
[ 153 ] CVE-2013-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2464
[ 154 ] CVE-2013-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2465
[ 155 ] CVE-2013-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2466
[ 156 ] CVE-2013-2467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2467
[ 157 ] CVE-2013-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2468
[ 158 ] CVE-2013-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2469
[ 159 ] CVE-2013-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2470
[ 160 ] CVE-2013-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2471
[ 161 ] CVE-2013-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2472
[ 162 ] CVE-2013-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2473
[ 163 ] CVE-2013-3743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3743
[ 164 ] CVE-2013-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3744
[ 165 ] CVE-2013-3829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3829
[ 166 ] CVE-2013-5772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5772
[ 167 ] CVE-2013-5774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5774
[ 168 ] CVE-2013-5775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5775
[ 169 ] CVE-2013-5776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5776
[ 170 ] CVE-2013-5777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5777
[ 171 ] CVE-2013-5778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5778
[ 172 ] CVE-2013-5780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5780
[ 173 ] CVE-2013-5782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5782
[ 174 ] CVE-2013-5783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5783
[ 175 ] CVE-2013-5784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5784
[ 176 ] CVE-2013-5787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5787
[ 177 ] CVE-2013-5788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5788
[ 178 ] CVE-2013-5789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5789
[ 179 ] CVE-2013-5790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5790
[ 180 ] CVE-2013-5797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5797
[ 181 ] CVE-2013-5800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5800
[ 182 ] CVE-2013-5801
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5801
[ 183 ] CVE-2013-5802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5802
[ 184 ] CVE-2013-5803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5803
[ 185 ] CVE-2013-5804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5804
[ 186 ] CVE-2013-5805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5805
[ 187 ] CVE-2013-5806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5806
[ 188 ] CVE-2013-5809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5809
[ 189 ] CVE-2013-5810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5810
[ 190 ] CVE-2013-5812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5812
[ 191 ] CVE-2013-5814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5814
[ 192 ] CVE-2013-5817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5817
[ 193 ] CVE-2013-5818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5818
[ 194 ] CVE-2013-5819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5819
[ 195 ] CVE-2013-5820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5820
[ 196 ] CVE-2013-5823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5823
[ 197 ] CVE-2013-5824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5824
[ 198 ] CVE-2013-5825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5825
[ 199 ] CVE-2013-5829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5829
[ 200 ] CVE-2013-5830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5830
[ 201 ] CVE-2013-5831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5831
[ 202 ] CVE-2013-5832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5832
[ 203 ] CVE-2013-5838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5838
[ 204 ] CVE-2013-5840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5840
[ 205 ] CVE-2013-5842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5842
[ 206 ] CVE-2013-5843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5843
[ 207 ] CVE-2013-5844
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5844
[ 208 ] CVE-2013-5846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5846
[ 209 ] CVE-2013-5848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5848
[ 210 ] CVE-2013-5849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5849
[ 211 ] CVE-2013-5850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5850
[ 212 ] CVE-2013-5851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5851
[ 213 ] CVE-2013-5852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5852
[ 214 ] CVE-2013-5854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5854
[ 215 ] CVE-2013-5870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5870
[ 216 ] CVE-2013-5878
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5878
[ 217 ] CVE-2013-5887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5887
[ 218 ] CVE-2013-5888
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5888
[ 219 ] CVE-2013-5889
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5889
[ 220 ] CVE-2013-5893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5893
[ 221 ] CVE-2013-5895
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5895
[ 222 ] CVE-2013-5896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5896
[ 223 ] CVE-2013-5898
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5898
[ 224 ] CVE-2013-5899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5899
[ 225 ] CVE-2013-5902
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5902
[ 226 ] CVE-2013-5904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5904
[ 227 ] CVE-2013-5905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5905
[ 228 ] CVE-2013-5906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5906
[ 229 ] CVE-2013-5907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5907
[ 230 ] CVE-2013-5910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5910
[ 231 ] CVE-2014-0368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0368
[ 232 ] CVE-2014-0373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0373
[ 233 ] CVE-2014-0375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0375
[ 234 ] CVE-2014-0376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0376
[ 235 ] CVE-2014-0382
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0382
[ 236 ] CVE-2014-0385
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0385
[ 237 ] CVE-2014-0387
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0387
[ 238 ] CVE-2014-0403
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0403
[ 239 ] CVE-2014-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0408
[ 240 ] CVE-2014-0410
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0410
[ 241 ] CVE-2014-0411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0411
[ 242 ] CVE-2014-0415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0415
[ 243 ] CVE-2014-0416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0416
[ 244 ] CVE-2014-0417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0417
[ 245 ] CVE-2014-0418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0418
[ 246 ] CVE-2014-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0422
[ 247 ] CVE-2014-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0423
[ 248 ] CVE-2014-0424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0424
[ 249 ] CVE-2014-0428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0428
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-30.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch page, listed in the References section. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: java-1.6.0-openjdk security update
Advisory ID: RHSA-2012:0322-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0322.html
Issue date: 2012-02-21
CVE Names: CVE-2011-3563 CVE-2011-3571 CVE-2011-5035
CVE-2012-0497 CVE-2012-0501 CVE-2012-0502
CVE-2012-0503 CVE-2012-0505 CVE-2012-0506
=====================================================================
1. Summary:
Updated java-1.6.0-openjdk packages that fix several security issues are
now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
3.
It was discovered that Java2D did not properly check graphics rendering
objects before passing them to the native renderer. Malicious input, or an
untrusted Java application or applet could use this flaw to crash the Java
Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497)
It was discovered that the exception thrown on deserialization failure did
not always contain a proper identification of the cause of the failure. An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions. (CVE-2012-0505)
The AtomicReferenceArray class implementation did not properly check if
the array was of the expected Object[] type. A malicious Java application
or applet could use this flaw to bypass Java sandbox restrictions.
(CVE-2011-3571)
It was discovered that the use of TimeZone.setDefault() was not restricted
by the SecurityManager, allowing an untrusted Java application or applet to
set a new default time zone, and hence bypass Java sandbox restrictions.
(CVE-2012-0503)
The HttpServer class did not limit the number of headers read from HTTP
requests. A remote attacker could use this flaw to make an application
using HttpServer use an excessive amount of CPU time via a
specially-crafted request. This update introduces a header count limit
controlled using the sun.net.httpserver.maxReqHeaders property. The default
value is 200. (CVE-2011-5035)
The Java Sound component did not properly check buffer boundaries.
Malicious input, or an untrusted Java application or applet could use this
flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion
of its memory. (CVE-2011-3563)
A flaw was found in the AWT KeyboardFocusManager that could allow an
untrusted Java application or applet to acquire keyboard focus and possibly
steal sensitive information. (CVE-2012-0502)
It was discovered that the CORBA (Common Object Request Broker
Architecture) implementation in Java did not properly protect repository
identifiers on certain CORBA objects. This could have been used to modify
immutable object data. (CVE-2012-0506)
An off-by-one flaw, causing a stack overflow, was found in the unpacker for
ZIP files. A specially-crafted ZIP archive could cause the Java Virtual
Machine (JVM) to crash when opened. (CVE-2012-0501)
This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to
the NEWS file, linked to in the References, for further information.
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
788606 - CVE-2011-5035 OpenJDK: HttpServer no header count limit (Lightweight HTTP Server, 7126960)
788624 - CVE-2012-0501 OpenJDK: off-by-one bug in ZIP reading code (JRE, 7118283)
788976 - CVE-2012-0503 OpenJDK: unrestricted use of TimeZone.setDefault() (i18n, 7110687)
788994 - CVE-2011-3571 OpenJDK: AtomicReferenceArray insufficient array type check (Concurrency, 7082299)
789295 - CVE-2011-3563 OpenJDK: JavaSound incorrect bounds check (Sound, 7088367)
789297 - CVE-2012-0502 OpenJDK: KeyboardFocusManager focus stealing (AWT, 7110683)
789299 - CVE-2012-0505 OpenJDK: incomplete info in the deserialization exception (Serialization, 7110700)
789300 - CVE-2012-0506 OpenJDK: mutable repository identifiers (CORBA, 7110704)
789301 - CVE-2012-0497 OpenJDK: insufficient checking of the graphics rendering object (2D, 7112642)
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.25.1.10.6.el5_8.src.rpm
i386:
java-1.6.0-openjdk-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.25.1.10.6.el5_8.src.rpm
i386:
java-1.6.0-openjdk-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-3563.html
https://www.redhat.com/security/data/cve/CVE-2011-3571.html
https://www.redhat.com/security/data/cve/CVE-2011-5035.html
https://www.redhat.com/security/data/cve/CVE-2012-0497.html
https://www.redhat.com/security/data/cve/CVE-2012-0501.html
https://www.redhat.com/security/data/cve/CVE-2012-0502.html
https://www.redhat.com/security/data/cve/CVE-2012-0503.html
https://www.redhat.com/security/data/cve/CVE-2012-0505.html
https://www.redhat.com/security/data/cve/CVE-2012-0506.html
https://access.redhat.com/security/updates/classification/#important
http://icedtea.classpath.org/hg/release/icedtea6-1.10/file/icedtea6-1.10.6/NEWS
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPRBvTXlSAg2UNWIIRArkfAJ9B74k5cUjTIZGepTvbu+3kEcMpIgCgo2FR
eIi8N5jfo4lIBLPu4EKFpVo=
=ChsF
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
|
|
var-201904-0985
|
SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). SQLite Is SQL An injection vulnerability exists.Service operation interruption (DoS) There is a possibility of being put into a state. SQLite is an open source embedded relational database management system based on C language developed by American D.Richard Hipp software developer. The system has the characteristics of independence, isolation and cross-platform. A security vulnerability exists in SQLite version 3.25.2. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements.
Alternatively, on your watch, select "My Watch > General > About". =========================================================================
Ubuntu Security Notice USN-4019-1
June 19, 2019
sqlite3 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in SQLite.
Software Description:
- sqlite3: C library that implements an SQL database engine
Details:
It was discovered that SQLite incorrectly handled certain SQL files.
An attacker could possibly use this issue to execute arbitrary code
or cause a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2017-2518, CVE-2017-2520)
It was discovered that SQLite incorrectly handled certain queries.
An attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20505)
It was discovered that SQLite incorrectly handled certain queries.
An attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and
Ubuntu 18.10. (CVE-2018-20346, CVE-2018-20506)
It was discovered that SQLite incorrectly handled certain inputs.
An attacker could possibly use this issue to access sensitive information.
(CVE-2019-8457)
It was discovered that SQLite incorrectly handled certain queries.
An attacker could possibly use this issue to access sensitive information.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10.
(CVE-2019-9936)
It was discovered that SQLite incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS
and Ubuntu 18.10. (CVE-2019-9937)
It was discovered that SQLite incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 16.04 LTS. (CVE-2016-6153)
It was discovered that SQLite incorrectly handled certain databases.
An attacker could possibly use this issue to access sensitive information.
This issue only affected Ubuntu 16.04 LTS. (CVE-2017-10989)
It was discovered that SQLite incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 16.04 LTS. (CVE-2017-13685)
It was discovered that SQLite incorrectly handled certain queries.
An attacker could possibly use this issue to execute arbitrary code or
cause a denial of service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2017-2519)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.04:
libsqlite3-0 3.27.2-2ubuntu0.1
sqlite3 3.27.2-2ubuntu0.1
Ubuntu 18.10:
libsqlite3-0 3.24.0-1ubuntu0.1
sqlite3 3.24.0-1ubuntu0.1
Ubuntu 18.04 LTS:
libsqlite3-0 3.22.0-1ubuntu0.1
sqlite3 3.22.0-1ubuntu0.1
Ubuntu 16.04 LTS:
libsqlite3-0 3.11.0-1ubuntu1.2
sqlite3 3.11.0-1ubuntu1.2
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4019-1
CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-2518,
CVE-2017-2519, CVE-2017-2520, CVE-2018-20346, CVE-2018-20505,
CVE-2018-20506, CVE-2019-8457, CVE-2019-9936, CVE-2019-9937
Package Information:
https://launchpad.net/ubuntu/+source/sqlite3/3.27.2-2ubuntu0.1
https://launchpad.net/ubuntu/+source/sqlite3/3.24.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/sqlite3/3.22.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/sqlite3/3.11.0-1ubuntu1.2
.
CVE-2018-4467: Martim Carbone, David Vernet, Sam Scalise, and Fred
Jacobs of the Virtual Machine Monitor Group of VMware, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-1-22-1 iOS 12.1.3
iOS 12.1.3 is now available and addresses the following:
AppleKeyStore
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-6235: Brandon Azad
Bluetooth
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged network position may be able to
execute arbitrary code
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-6200: an anonymous researcher
Core Media
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6202: Fluoroacetate working with Trend Micro's Zero Day
Initiative
CVE-2019-6221: Fluoroacetate working with Trend Micro's Zero Day
Initiative
CoreAnimation
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6231: Zhuo Liang of Qihoo 360 Nirvan Team
CoreAnimation
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to break out of its
sandbox
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-6230: Proteas, Shrek_wzw and Zhuo Liang of Qihoo 360 Nirvan
Team
FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A remote attacker may be able to initiate a FaceTime call
causing arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2019-6224: Natalie Silvanovich of Google Project Zero
IOKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to break out of its
sandbox
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-6214: Ian Beer of Google Project Zero
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-6225: Brandon Azad of Google Project Zero, Qixun Zhao of
Qihoo 360 Vulcan Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-6210: Ned Williamson of Google
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may cause unexpected changes in
memory shared between processes
Description: A memory corruption issue was addressed with improved
lock state checking.
CVE-2019-6205: Ian Beer of Google Project Zero
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-6213: Ian Beer of Google Project Zero
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to determine kernel
memory layout
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2019-6209: Brandon Azad of Google Project Zero
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may cause unexpected changes in
memory shared between processes
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-6208: Jann Horn of Google Project Zero
Keyboard
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Password autofill may fill in passwords after they were
manually cleared
Description: An issue existed with autofill resuming after it was
canceled. The issue was addressed with improved state management.
CVE-2019-6206: Sergey Pershenkov
libxpc
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-6218: Ian Beer of Google Project Zero
Natural Language Processing
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted message may lead to a denial
of service
Description: A denial of service issue was addressed with improved
validation.
CVE-2019-6219: Authier Thomas
Safari Reader
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: A cross-site scripting issue existed in Safari. This
issue was addressed with improved URL validation.
CVE-2019-6228: Ryan Pickren (ryanpickren.com)
SQLite
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code
execution
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2018-20346: Tencent Blade Team
CVE-2018-20505: Tencent Blade Team
CVE-2018-20506: Tencent Blade Team
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-6227: Qixun Zhao of Qihoo 360 Vulcan Team
CVE-2019-6233: G. Geshev from MWR Labs working with Trend Micro's
Zero Day Initiative
CVE-2019-6234: G. Geshev from MWR Labs working with Trend Micro's
Zero Day Initiative
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-6229: Ryan Pickren (ryanpickren.com)
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-6215: Lokihardt of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6212: an anonymous researcher, Wen Xu of SSLab at Georgia
Tech
CVE-2019-6216: Fluoroacetate working with Trend Micro's Zero Day
Initiative
CVE-2019-6217: Fluoroacetate working with Trend Micro's Zero Day
Initiative, Proteas, Shrek_wzw, and Zhuo Liang of Qihoo 360 Nirvan
Team
CVE-2019-6226: Apple
WebRTC
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-6211: Georgi Geshev (@munmap), Fabi Beterke (@pwnfl4k3s),
and Rob Miller (@trotmaster99) of MWR Labs (@mwrlabs) working with
Trend Micro's Zero Day Initiative
Additional recognition
mDNSResponder
We would like to acknowledge Fatemah Alharbi of University of
California, Riverside (UCR) and Taibah University (TU), Feng Qian of
University of Minnesota - Twin City, Jie Chang of LinkSure Network,
Nael Abu-Ghazaleh of University of California, Riverside (UCR),
Yuchen Zhou of Northeastern University, and Zhiyun Qian of University
of California, Riverside (UCR) for their assistance.
Safari Reader
We would like to acknowledge Ryan Pickren (ryanpickren.com) for their
assistance.
WebKit
We would like to acknowledge James Lee (@Windowsrcer) of Kryptos
Logic for their assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 12.1.3".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlxHSSwpHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3GA0RAA
l3Yft6CRTyGtLyqIanBFP4sMtaxlIP44Y0+gPIf59DhZ7bzuy3s+cjnUJAxrqBC+
NAqrNur5x8OVBIS7T65njvccD7e7uGWBZfeEbMdplT5aK3AvRuW7MyXEo3nZu3dx
gMRsubjQmwOnMB3Taxj0a6y2jvLU9DA7IfVyKb7ReCz3wv5KPb4BxLvbHwaMrbsJ
SBETrGYMn4awTSmUs/IQTDECOzRLyicQnY44afDL/K9n/oB59VQm5ZUPDj9ofeQN
UQsD7XVH19eI99N+uNQ+07GCqQ6++qe+kGVi2RR7HERt3wd4mnV895f6UvhlUjlU
K1tY68ZuDNPZ54GJfniFI0OCYfcd5rYsPTnOt11heFnWfG+nnm2r+3BEh60RW5lW
ONeyQ3ScubgMV2Teo3G0tWf9BGvKAI+qXbFuzkAMAucB+f7Oj06WDGhYPEAQZ8KR
xLSb6nyfihQA6Bz4KbfppKC7I2GuyF6rl5iz+VBPHId7yaF0jxjEiJEF7RbLhbeg
k7x8vJrKLR7hAs4AWCq69ZQ6VvmKLdgSNNCcbJIQNPCYtGabOP7xl4piDw4b46wq
/LR6UNrYdf/U3hljPfKIBn+0e1EITcKHfUu85MyHftanF1JFYNp03eFJT5ouyMRt
LD5C8YOX6VcEwCQqUpKmJD9wWwUehRhEiEffGkR+xSY=Jb8S
-----END PGP SIGNATURE-----
|