June 2005
Three Red Hat Security Advisories: 1. RHSA-2005:474-01 - bzip2 security update 2. RHSA-2005:512-01 - mc security update 3. RHSA-2005:518-01 - gaim security update
ID: 00496
Ref: 457/2005
Date: 17 June 2005:14:47:53
Version: 1
Title: Three Red Hat Security Advisories: 1. RHSA-2005:474-01 - bzip2 security update 2. RHSA-2005:512-01 - mc security update 3. RHSA-2005:518-01 - gaim security update
Abstract:
Vendors affected: Red Hat
Operating systems affected: Red Hat
Applications affected: Red Hat
Title
=====
Three Red Hat Security Advisories:
1. RHSA-2005:474-01 - bzip2 security update
2. RHSA-2005:512-01 - mc security update
3. RHSA-2005:518-01 - gaim security update
Detail
======
1. A bug was found in the way bzgrep processes file names. If a user can be
tricked into running bzgrep on a file with a carefully crafted file name,
arbitrary commands could be executed as the user running bzgrep. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-0758 to this issue. The same update also fixes a race in the way
bzip2 sets file permissions during decompression (CAN-2005-0953) and a
decompression-bomb denial of service (CAN-2005-1260).
2. Several denial of service bugs were found in Midnight Commander. These bugs
could cause Midnight Commander to hang or crash if a victim opens a
carefully crafted file. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-1009, CAN-2004-1090,
CAN-2004-1091, CAN-2004-1093 and CAN-2004-1174 to these issues. The update
also fixes two issues that allow arbitrary code execution as the user running
Midnight Commander: a filename quoting bug in the FISH (SSH) protocol handler
(CAN-2004-1175) and a buffer overflow in directory completion (CAN-2005-0763).
3. Jacopo Ottaviani discovered a bug in the way Gaim handles Yahoo! Messenger
file transfers. It is possible for a malicious user to send a specially
crafted file transfer request that causes Gaim to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-1269 to this issue. A second crash, in the parsing of MSN Messenger
messages, is fixed by the same update (CAN-2005-1934).
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Low: bzip2 security update
Advisory ID: RHSA-2005:474-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-474.html
Issue date: 2005-06-16
Updated on: 2005-06-16
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0758 CAN-2005-0953 CAN-2005-1260
- - ---------------------------------------------------------------------
1. Summary:
Updated bzip2 packages that fix multiple issues are now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
Bzip2 is a data compressor.
A bug was found in the way bzgrep processes file names. If a user can be
tricked into running bzgrep on a file with a carefully crafted file name,
arbitrary commands could be executed as the user running bzgrep. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-0758 to this issue.
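The advisory does not reproduce the bzgrep code; bug 159816 below describes the flaw as bzgrep's sed usage, that is, the name of the file being searched was spliced into a sed program that prefixes each matching line with that name. The following is an added example, not code from the advisory or from bzip2, written in Python so that it can drive the real sed binary (assumed to be GNU sed on PATH): it builds that kind of sed program from an untrusted file name, once verbatim and once with the characters sed interprets escaped. The file names are constructed for illustration.

```python
import subprocess

# Constructed sample names (not from the advisory). The second one carries a
# second sed command: spliced unescaped into "s|^|NAME:|", its first "|" ends
# the replacement early and ";s|^|INJECTED" is parsed as a command of its own.
BENIGN_NAME = "log.txt"
MALICIOUS_NAME = "evil|;s|^|INJECTED"


def sed_escape(name: str) -> str:
    """Make NAME literal inside the replacement of a sed s|...|...| command.

    Backslash is escaped first (so the escapes added next are not doubled),
    then the delimiter "|" and "&" (which sed expands to the matched text).
    A newline cannot be escaped in a one-line script, so it is refused.
    """
    if "\n" in name:
        raise ValueError("file name contains a newline")
    return name.replace("\\", "\\\\").replace("|", "\\|").replace("&", "\\&")


def prefix_lines(name: str, text: str, escape: bool) -> str:
    """Label every line of TEXT with NAME using sed, as bzgrep-style scripts do.

    escape=False reproduces the vulnerable shape (name interpolated verbatim);
    escape=True applies sed_escape() first. Requires a sed binary on PATH.
    """
    repl = sed_escape(name) if escape else name
    script = f"s|^|{repl}:|"
    proc = subprocess.run(["sed", script], input=text, capture_output=True,
                          text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Unescaped: the crafted name is executed as sed code.
    print(prefix_lines(MALICIOUS_NAME, "hit\n", escape=False), end="")
    # Escaped: the crafted name is just a prefix.
    print(prefix_lines(MALICIOUS_NAME, "hit\n", escape=True), end="")
```

Run unescaped, the crafted name produces the line INJECTED:evilhit, i.e. everything after the first unescaped | ran as a second sed command; escaped, the whole name appears literally as the prefix. GNU sed also has commands that hand a string to the shell, which is why an injected sed command in a file name amounts to arbitrary command execution as the user running bzgrep. The escaping above covers only the replacement part of an s command delimited by |; a name interpolated anywhere else in a script needs its own rules, and a name containing a newline cannot be made safe in a one-line script at all, so it is refused.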
A bug was found in the way bzip2 modifies file permissions during
decompression. If an attacker has write access to the directory into which
bzip2 is decompressing files, it is possible for them to modify permissions
on files owned by the user running bzip2 (CAN-2005-0953).
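The advisory gives no mechanism beyond "write access to the directory". The classic way such a bug arises is that the decompressor creates the output file, closes it, and then applies the input file's permissions with chmod() on the path name; an attacker who swaps that name for a link to another file between the two steps gets the chmod applied to that other file. The following added example (not code from the advisory or from bzip2; the attacker's move is simulated by a callback instead of a real race) shows that shape next to the descriptor-based one: open with O_EXCL so a pre-planted link is refused, and fchmod() the descriptor already held, which is unaffected by what the name points at later.

```python
from __future__ import annotations

import os
import stat
import tempfile
from typing import Callable

Hook = Callable[[str], None]   # stands in for whatever happens during the window


def write_chmod_by_path(path: str, data: bytes, mode: int, between: Hook) -> None:
    """Vulnerable shape: create and close the file, then chmod() the *name*.

    chmod() follows whatever PATH resolves to at that moment, not the file
    this function wrote.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    between(path)
    os.chmod(path, mode)


def write_fchmod_by_fd(path: str, data: bytes, mode: int, between: Hook) -> None:
    """Hardened shape: O_EXCL refuses a pre-existing name (a symlink included),
    and fchmod() acts on the open descriptor, so renaming the path afterwards
    cannot redirect the permission change."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        between(path)
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def simulate_permission_race() -> tuple[int, int]:
    """Run both variants against a simulated attacker and return the mode bits
    of the attacker's target file afterwards: (after naive, after hardened)."""
    results = []
    for writer in (write_chmod_by_path, write_fchmod_by_fd):
        with tempfile.TemporaryDirectory() as d:
            # Constructed scenario: a private file owned by the same user.
            target = os.path.join(d, "victim")
            with open(target, "wb") as f:
                f.write(b"private\n")
            os.chmod(target, 0o600)
            out = os.path.join(d, "decompressed")

            def attacker(name: str) -> None:
                # With write access to the directory, swap the output name
                # for a symlink to the target during the window.
                os.unlink(name)
                os.symlink(target, name)

            writer(out, b"payload\n", 0o644, attacker)
            results.append(stat.S_IMODE(os.stat(target).st_mode))
    return results[0], results[1]


def hardened_refuses_preplanted_link() -> bool:
    """True if the O_EXCL open fails when the attacker plants the link first."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim")
        open(target, "wb").close()
        out = os.path.join(d, "decompressed")
        os.symlink(target, out)
        try:
            write_fchmod_by_fd(out, b"payload\n", 0o644, lambda _name: None)
        except FileExistsError:
            return True
        return False


if __name__ == "__main__":
    naive, hardened = simulate_permission_race()
    print(f"victim mode after chmod(path): {naive:o}, after fchmod(fd): {hardened:o}")
    print("pre-planted link refused:", hardened_refuses_preplanted_link())
```

The naive variant leaves the victim file at mode 644, the fchmod variant leaves it at 600. The same reasoning applies to ownership (fchown on the descriptor rather than chown on the path) and to any other attribute applied after the file is created.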
A bug was found in the way bzip2 decompresses files. It is possible for an
attacker to create a specially crafted bzip2 file which will cause bzip2 to
cause a denial of service (by filling disk space) if decompressed by a
victim (CAN-2005-1260).
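The advisory does not say how the updated package bounds the output. The following is an added example, not code from the advisory or from bzip2, using Python's standard bz2 module: it builds a small bomb (a few megabytes of zeros, which bzip2 shrinks to well under a kilobyte; constructed here, not a sample from the wild) and decompresses it through a loop that refuses to materialise more than a caller-chosen number of bytes, instead of calling bz2.decompress() and discovering the size afterwards.

```python
import bz2


class DecompressionBombError(ValueError):
    """Raised when a stream would expand beyond the caller's output budget."""


def make_bomb(expanded_size: int) -> bytes:
    """Constructed test input: EXPANDED_SIZE zero bytes, bzip2-compressed."""
    return bz2.compress(b"\0" * expanded_size)


def bounded_bz2_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress DATA but stop as soon as output would exceed MAX_OUTPUT bytes.

    bz2.decompress() returns the whole expansion, so a tiny file that inflates
    to gigabytes is only noticed once memory or disk is gone. Here output is
    pulled from a BZ2Decompressor in CHUNK-sized pieces via max_length, and
    the running total is checked before the next piece is requested.
    """
    d = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, max_length=chunk)
        pending = b""            # unconsumed input is buffered inside d
        out += piece
        if len(out) > max_output:
            raise DecompressionBombError(
                f"output exceeds {max_output} bytes after {len(data)} bytes of input")
        if not piece and not d.eof:
            raise EOFError("truncated bzip2 stream")
    if d.unused_data:
        # Bytes after the first stream (a multi-stream file, for instance).
        # A full tool would loop here; every stream must count against the
        # same budget.
        raise ValueError("trailing data after end of bzip2 stream")
    return bytes(out)


def rejects_bomb(data: bytes, max_output: int) -> bool:
    """True if bounded_bz2_decompress refuses DATA under MAX_OUTPUT."""
    try:
        bounded_bz2_decompress(data, max_output)
    except DecompressionBombError:
        return True
    return False


def roundtrip_ok(payload: bytes, max_output: int) -> bool:
    """Compress PAYLOAD and check the bounded decompressor returns it intact."""
    return bounded_bz2_decompress(bz2.compress(payload), max_output) == payload


if __name__ == "__main__":
    bomb = make_bomb(8 * 1024 * 1024)
    print(f"bomb: {len(bomb)} bytes compressed; rejected under a 1 MiB budget: "
          f"{rejects_bomb(bomb, 1024 * 1024)}")
```

The budget should come from the caller's context (free space on the target filesystem, a per-request limit on a server); the compressed size says nothing useful, which is the whole point of the attack. A tool that writes to disk can apply the same check by counting bytes as it writes and removing the partial output on failure.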
Users of Bzip2 should upgrade to these updated packages, which contain
backported patches to correct these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/):
155742 - CAN-2005-0953 bzip2 race condition
157548 - CAN-2005-1260 bzip2 decompression bomb (DoS)
159816 - CAN-2005-0758 bzgrep has security issue in sed usage
6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/bzip2-1.0.1-4.EL2.1.src.rpm
15cce1e7cda0c3683de8571c732f992a bzip2-1.0.1-4.EL2.1.src.rpm
i386:
1c0626bc05764ace3f35b370c871f82a bzip2-1.0.1-4.EL2.1.i386.rpm
3becb343198896560698474b9ce06eed bzip2-devel-1.0.1-4.EL2.1.i386.rpm
793e7e2eafdf9290f869776e465f0922 bzip2-libs-1.0.1-4.EL2.1.i386.rpm
ia64:
9251923eb2a525c4edae8db9292d1865 bzip2-1.0.1-4.EL2.1.ia64.rpm
385e4b274f4eccec2dae40406f4411ed bzip2-devel-1.0.1-4.EL2.1.ia64.rpm
4feb401951ddc05a68c9de17671e2311 bzip2-libs-1.0.1-4.EL2.1.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/bzip2-1.0.1-4.EL2.1.src.rpm
15cce1e7cda0c3683de8571c732f992a bzip2-1.0.1-4.EL2.1.src.rpm
ia64:
9251923eb2a525c4edae8db9292d1865 bzip2-1.0.1-4.EL2.1.ia64.rpm
385e4b274f4eccec2dae40406f4411ed bzip2-devel-1.0.1-4.EL2.1.ia64.rpm
4feb401951ddc05a68c9de17671e2311 bzip2-libs-1.0.1-4.EL2.1.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/bzip2-1.0.1-4.EL2.1.src.rpm
15cce1e7cda0c3683de8571c732f992a bzip2-1.0.1-4.EL2.1.src.rpm
i386:
1c0626bc05764ace3f35b370c871f82a bzip2-1.0.1-4.EL2.1.i386.rpm
3becb343198896560698474b9ce06eed bzip2-devel-1.0.1-4.EL2.1.i386.rpm
793e7e2eafdf9290f869776e465f0922 bzip2-libs-1.0.1-4.EL2.1.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/bzip2-1.0.1-4.EL2.1.src.rpm
15cce1e7cda0c3683de8571c732f992a bzip2-1.0.1-4.EL2.1.src.rpm
i386:
1c0626bc05764ace3f35b370c871f82a bzip2-1.0.1-4.EL2.1.i386.rpm
3becb343198896560698474b9ce06eed bzip2-devel-1.0.1-4.EL2.1.i386.rpm
793e7e2eafdf9290f869776e465f0922 bzip2-libs-1.0.1-4.EL2.1.i386.rpm
Red Hat Enterprise Linux AS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/bzip2-1.0.2-11.EL3.4.src.rpm
4b0b7d56f486e271def24561f7a306f5 bzip2-1.0.2-11.EL3.4.src.rpm
i386:
e630bfc98b065f94c2b0ecd0d2c7ef25 bzip2-1.0.2-11.EL3.4.i386.rpm
7ea9c20badeaad2ea842fdb68f13d555 bzip2-devel-1.0.2-11.EL3.4.i386.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
ia64:
090b5ed939e2f48c51915eb925f96272 bzip2-1.0.2-11.EL3.4.ia64.rpm
60ac531bf93510d4452676c7412f45b4 bzip2-devel-1.0.2-11.EL3.4.ia64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
2f0634a4f0c00b853d8ac423a4cc7421 bzip2-libs-1.0.2-11.EL3.4.ia64.rpm
ppc:
9f4561be52e588f06a8a38756b695fe7 bzip2-1.0.2-11.EL3.4.ppc.rpm
13fdc5b3f50f57afdc91548305df824a bzip2-devel-1.0.2-11.EL3.4.ppc.rpm
b8b31503dd33bb1b2b96c382fc86818b bzip2-libs-1.0.2-11.EL3.4.ppc.rpm
29ec39f91ae7fc800e9c1dee57e0ad96 bzip2-libs-1.0.2-11.EL3.4.ppc64.rpm
s390:
396f50fe9c7802b4699893b36463fc14 bzip2-1.0.2-11.EL3.4.s390.rpm
826a420199a7644ec1474170331d4160 bzip2-devel-1.0.2-11.EL3.4.s390.rpm
be3865bf78e76449b1fc091a72cf3e41 bzip2-libs-1.0.2-11.EL3.4.s390.rpm
s390x:
e58bda6c70b90b23384c0e46689237cd bzip2-1.0.2-11.EL3.4.s390x.rpm
658b7beaabcefd6598a8914308addcde bzip2-devel-1.0.2-11.EL3.4.s390x.rpm
be3865bf78e76449b1fc091a72cf3e41 bzip2-libs-1.0.2-11.EL3.4.s390.rpm
5f311e230c1934a8c84962fb6b64c9bf bzip2-libs-1.0.2-11.EL3.4.s390x.rpm
x86_64:
b93b509f8d6e9aec46504c7e76ed1d28 bzip2-1.0.2-11.EL3.4.x86_64.rpm
29888d27b0655212b0e1e71e2047b198 bzip2-devel-1.0.2-11.EL3.4.x86_64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
eeb205ab6cf50dd6be136b6733ca2c12 bzip2-libs-1.0.2-11.EL3.4.x86_64.rpm
Red Hat Desktop version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/bzip2-1.0.2-11.EL3.4.src.rpm
4b0b7d56f486e271def24561f7a306f5 bzip2-1.0.2-11.EL3.4.src.rpm
i386:
e630bfc98b065f94c2b0ecd0d2c7ef25 bzip2-1.0.2-11.EL3.4.i386.rpm
7ea9c20badeaad2ea842fdb68f13d555 bzip2-devel-1.0.2-11.EL3.4.i386.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
x86_64:
b93b509f8d6e9aec46504c7e76ed1d28 bzip2-1.0.2-11.EL3.4.x86_64.rpm
29888d27b0655212b0e1e71e2047b198 bzip2-devel-1.0.2-11.EL3.4.x86_64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
eeb205ab6cf50dd6be136b6733ca2c12 bzip2-libs-1.0.2-11.EL3.4.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/bzip2-1.0.2-11.EL3.4.src.rpm
4b0b7d56f486e271def24561f7a306f5 bzip2-1.0.2-11.EL3.4.src.rpm
i386:
e630bfc98b065f94c2b0ecd0d2c7ef25 bzip2-1.0.2-11.EL3.4.i386.rpm
7ea9c20badeaad2ea842fdb68f13d555 bzip2-devel-1.0.2-11.EL3.4.i386.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
ia64:
090b5ed939e2f48c51915eb925f96272 bzip2-1.0.2-11.EL3.4.ia64.rpm
60ac531bf93510d4452676c7412f45b4 bzip2-devel-1.0.2-11.EL3.4.ia64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
2f0634a4f0c00b853d8ac423a4cc7421 bzip2-libs-1.0.2-11.EL3.4.ia64.rpm
x86_64:
b93b509f8d6e9aec46504c7e76ed1d28 bzip2-1.0.2-11.EL3.4.x86_64.rpm
29888d27b0655212b0e1e71e2047b198 bzip2-devel-1.0.2-11.EL3.4.x86_64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
eeb205ab6cf50dd6be136b6733ca2c12 bzip2-libs-1.0.2-11.EL3.4.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/bzip2-1.0.2-11.EL3.4.src.rpm
4b0b7d56f486e271def24561f7a306f5 bzip2-1.0.2-11.EL3.4.src.rpm
i386:
e630bfc98b065f94c2b0ecd0d2c7ef25 bzip2-1.0.2-11.EL3.4.i386.rpm
7ea9c20badeaad2ea842fdb68f13d555 bzip2-devel-1.0.2-11.EL3.4.i386.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
ia64:
090b5ed939e2f48c51915eb925f96272 bzip2-1.0.2-11.EL3.4.ia64.rpm
60ac531bf93510d4452676c7412f45b4 bzip2-devel-1.0.2-11.EL3.4.ia64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
2f0634a4f0c00b853d8ac423a4cc7421 bzip2-libs-1.0.2-11.EL3.4.ia64.rpm
x86_64:
b93b509f8d6e9aec46504c7e76ed1d28 bzip2-1.0.2-11.EL3.4.x86_64.rpm
29888d27b0655212b0e1e71e2047b198 bzip2-devel-1.0.2-11.EL3.4.x86_64.rpm
606f8d160d5a4d2897684318f0a7e970 bzip2-libs-1.0.2-11.EL3.4.i386.rpm
eeb205ab6cf50dd6be136b6733ca2c12 bzip2-libs-1.0.2-11.EL3.4.x86_64.rpm
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/bzip2-1.0.2-13.EL4.2.src.rpm
4495b4152a765ceecb841c3349558060 bzip2-1.0.2-13.EL4.2.src.rpm
i386:
ab59af954705641daac16065d4e2bcf7 bzip2-1.0.2-13.EL4.2.i386.rpm
546cb5f4aa2a2e2895d1db0cc3220c26 bzip2-devel-1.0.2-13.EL4.2.i386.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
ia64:
fbb427d2a11e236e2d1c6d85f7ae2e9d bzip2-1.0.2-13.EL4.2.ia64.rpm
cf2525427b75389276eb11a107fd62e3 bzip2-devel-1.0.2-13.EL4.2.ia64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
aa2f13bce94b5bfc31c336f75d49fd25 bzip2-libs-1.0.2-13.EL4.2.ia64.rpm
ppc:
204622acd8c606580308a3b0dbf2c99a bzip2-1.0.2-13.EL4.2.ppc.rpm
3f05fc5d21cf9e3bc7070194082a6884 bzip2-devel-1.0.2-13.EL4.2.ppc.rpm
a72e7e67d811edfbd79f610404ff51e9 bzip2-libs-1.0.2-13.EL4.2.ppc.rpm
3dbe5c3142fd98934ac12cde21e5bc69 bzip2-libs-1.0.2-13.EL4.2.ppc64.rpm
s390:
afd31a247fa25233417704526866b5b3 bzip2-1.0.2-13.EL4.2.s390.rpm
c63fe9698ef0294ec080aeabf340af01 bzip2-devel-1.0.2-13.EL4.2.s390.rpm
aff40f1abf3058316207b1d516e3a2dd bzip2-libs-1.0.2-13.EL4.2.s390.rpm
s390x:
86937cfe7a1f9a8aa246e17f4630614d bzip2-1.0.2-13.EL4.2.s390x.rpm
f6fa8a9286574caf767121a31d9dfcb2 bzip2-devel-1.0.2-13.EL4.2.s390x.rpm
aff40f1abf3058316207b1d516e3a2dd bzip2-libs-1.0.2-13.EL4.2.s390.rpm
c88d05a31e1245b424a37fa041189b7a bzip2-libs-1.0.2-13.EL4.2.s390x.rpm
x86_64:
69e064537425dc144b6772efb5e304d1 bzip2-1.0.2-13.EL4.2.x86_64.rpm
f88531e2768a888309a7af9413ec6840 bzip2-devel-1.0.2-13.EL4.2.x86_64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
61d1401fcc8398bbf448a130ed068272 bzip2-libs-1.0.2-13.EL4.2.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/bzip2-1.0.2-13.EL4.2.src.rpm
4495b4152a765ceecb841c3349558060 bzip2-1.0.2-13.EL4.2.src.rpm
i386:
ab59af954705641daac16065d4e2bcf7 bzip2-1.0.2-13.EL4.2.i386.rpm
546cb5f4aa2a2e2895d1db0cc3220c26 bzip2-devel-1.0.2-13.EL4.2.i386.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
x86_64:
69e064537425dc144b6772efb5e304d1 bzip2-1.0.2-13.EL4.2.x86_64.rpm
f88531e2768a888309a7af9413ec6840 bzip2-devel-1.0.2-13.EL4.2.x86_64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
61d1401fcc8398bbf448a130ed068272 bzip2-libs-1.0.2-13.EL4.2.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/bzip2-1.0.2-13.EL4.2.src.rpm
4495b4152a765ceecb841c3349558060 bzip2-1.0.2-13.EL4.2.src.rpm
i386:
ab59af954705641daac16065d4e2bcf7 bzip2-1.0.2-13.EL4.2.i386.rpm
546cb5f4aa2a2e2895d1db0cc3220c26 bzip2-devel-1.0.2-13.EL4.2.i386.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
ia64:
fbb427d2a11e236e2d1c6d85f7ae2e9d bzip2-1.0.2-13.EL4.2.ia64.rpm
cf2525427b75389276eb11a107fd62e3 bzip2-devel-1.0.2-13.EL4.2.ia64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
aa2f13bce94b5bfc31c336f75d49fd25 bzip2-libs-1.0.2-13.EL4.2.ia64.rpm
x86_64:
69e064537425dc144b6772efb5e304d1 bzip2-1.0.2-13.EL4.2.x86_64.rpm
f88531e2768a888309a7af9413ec6840 bzip2-devel-1.0.2-13.EL4.2.x86_64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
61d1401fcc8398bbf448a130ed068272 bzip2-libs-1.0.2-13.EL4.2.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/bzip2-1.0.2-13.EL4.2.src.rpm
4495b4152a765ceecb841c3349558060 bzip2-1.0.2-13.EL4.2.src.rpm
i386:
ab59af954705641daac16065d4e2bcf7 bzip2-1.0.2-13.EL4.2.i386.rpm
546cb5f4aa2a2e2895d1db0cc3220c26 bzip2-devel-1.0.2-13.EL4.2.i386.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
ia64:
fbb427d2a11e236e2d1c6d85f7ae2e9d bzip2-1.0.2-13.EL4.2.ia64.rpm
cf2525427b75389276eb11a107fd62e3 bzip2-devel-1.0.2-13.EL4.2.ia64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
aa2f13bce94b5bfc31c336f75d49fd25 bzip2-libs-1.0.2-13.EL4.2.ia64.rpm
x86_64:
69e064537425dc144b6772efb5e304d1 bzip2-1.0.2-13.EL4.2.x86_64.rpm
f88531e2768a888309a7af9413ec6840 bzip2-devel-1.0.2-13.EL4.2.x86_64.rpm
371f45acc3998d442536311e2afd8e57 bzip2-libs-1.0.2-13.EL4.2.i386.rpm
61d1401fcc8398bbf448a130ed068272 bzip2-libs-1.0.2-13.EL4.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://scary.beasts.org/security/CESA-2005-002.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
8. Contact:
The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFCsb41XlSAg2UNWIIRAssbAJ9mdLN1UInRL9sMbqwV9lx8wAevyACeP10h
QW1ihjH+Dyw1r4sIHRQuKnY=
=sqSa
- -----END PGP SIGNATURE-----
- --
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Moderate: mc security update
Advisory ID: RHSA-2005:512-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-512.html
Issue date: 2005-06-16
Updated on: 2005-06-16
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-1009 CAN-2004-1090 CAN-2004-1091 CAN-2004-1093 CAN-2004-1174 CAN-2004-1175 CAN-2005-0763
- - ---------------------------------------------------------------------
1. Summary:
Updated mc packages that fix several security issues are now available for
Red Hat Enterprise Linux 2.1.
This update has been rated as having moderate security impact by the Red Hat
Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux WS version 2.1 - i386
3. Problem description:
Midnight Commander is a visual shell much like a file manager.
Several denial of service bugs were found in Midnight Commander. These bugs
could cause Midnight Commander to hang or crash if a victim opens a
carefully crafted file. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-1009, CAN-2004-1090,
CAN-2004-1091, CAN-2004-1093 and CAN-2004-1174 to these issues.
A filename quoting bug was found in Midnight Commander's FISH protocol
handler. If a victim connects via embedded SSH support to a host containing
a carefully crafted filename, arbitrary code may be executed as the user
running Midnight Commander. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-1175 to this issue.
A buffer overflow bug was found in the way Midnight Commander handles
directory completion. If a victim uses completion on a maliciously crafted
directory path, it is possible for arbitrary code to be executed as the
user running Midnight Commander. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-0763 to this issue.
Users of mc are advised to upgrade to these packages, which contain
backported security patches to correct these issues.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. Bug IDs fixed (http://bugzilla.redhat.com/):
158671 - CAN-2004-1009 Multiple mc issues (CAN-2004-1090 CAN-2004-1091 CAN-2004-1093 CAN-2004-1174 CAN-2004-1175 CAN-2005-0763)
6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/mc-4.5.51-36.8.src.rpm
9e805a0d7578118dd90b7afc8f8ea38f mc-4.5.51-36.8.src.rpm
i386:
e2ce1ca37f0725b120fa91d68579e381 gmc-4.5.51-36.8.i386.rpm
bdc096816859dace0dde57ab3fffcb53 mc-4.5.51-36.8.i386.rpm
ba21d0bddad88febd13325e551403e2e mcserv-4.5.51-36.8.i386.rpm
ia64:
43a53ce5a7ec823b9531437ec7f51a79 gmc-4.5.51-36.8.ia64.rpm
59287fee62f48ce8c8fb72f923c923d7 mc-4.5.51-36.8.ia64.rpm
be6ee2ff486ab9e9c14fefb620532175 mcserv-4.5.51-36.8.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/mc-4.5.51-36.8.src.rpm
9e805a0d7578118dd90b7afc8f8ea38f mc-4.5.51-36.8.src.rpm
ia64:
43a53ce5a7ec823b9531437ec7f51a79 gmc-4.5.51-36.8.ia64.rpm
59287fee62f48ce8c8fb72f923c923d7 mc-4.5.51-36.8.ia64.rpm
be6ee2ff486ab9e9c14fefb620532175 mcserv-4.5.51-36.8.ia64.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/mc-4.5.51-36.8.src.rpm
9e805a0d7578118dd90b7afc8f8ea38f mc-4.5.51-36.8.src.rpm
i386:
e2ce1ca37f0725b120fa91d68579e381 gmc-4.5.51-36.8.i386.rpm
bdc096816859dace0dde57ab3fffcb53 mc-4.5.51-36.8.i386.rpm
ba21d0bddad88febd13325e551403e2e mcserv-4.5.51-36.8.i386.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0763
8. Contact:
The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFCsb5iXlSAg2UNWIIRAln9AJ0Q6kwqfmbFwvRpRmuc2/VytJ09DgCdE/dj
YtxIElxbIEzuMFtXT5y8FB4=
=zzer
- -----END PGP SIGNATURE-----
3.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Moderate: gaim security update
Advisory ID: RHSA-2005:518-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-518.html
Issue date: 2005-06-16
Updated on: 2005-06-16
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-1269 CAN-2005-1934
- - ---------------------------------------------------------------------
1. Summary:
An updated gaim package that fixes two denial of service issues is now
available.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
The Gaim application is a multi-protocol instant messaging client.
Jacopo Ottaviani discovered a bug in the way Gaim handles Yahoo! Messenger
file transfers. It is possible for a malicious user to send a specially
crafted file transfer request that causes Gaim to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-1269 to this issue.
Additionally, Hugo de Bokkenrijder discovered a bug in the way Gaim parses
MSN Messenger messages. It is possible for a malicious user to send a
specially crafted MSN Messenger message that causes Gaim to crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-1934 to this issue.
Users of gaim are advised to upgrade to this updated package, which contains
version 1.3.1 and is not vulnerable to these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/):
159691 - CAN-2005-1269 Gaim yahoo utf8 crasher
159961 - CAN-2005-1934 Gaim MSN protocol DoS
6. RPMs required:
Red Hat Enterprise Linux AS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/gaim-1.3.1-0.el3.src.rpm
6e3487b80f03bbbebc60b691ca140292 gaim-1.3.1-0.el3.src.rpm
i386:
28008d055a4e79ed522e10f0c50dc662 gaim-1.3.1-0.el3.i386.rpm
ia64:
e47396490f16e145080a04f3964cff85 gaim-1.3.1-0.el3.ia64.rpm
ppc:
eb0c29e0807f7f466d17138bbd92aecd gaim-1.3.1-0.el3.ppc.rpm
s390:
bec845ba4dccde9375d8a875a953510e gaim-1.3.1-0.el3.s390.rpm
s390x:
3fff9511488e4303d1526b934698a8ed gaim-1.3.1-0.el3.s390x.rpm
x86_64:
df11ddc642891aa0c6ed61621dd301ec gaim-1.3.1-0.el3.x86_64.rpm
Red Hat Desktop version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/gaim-1.3.1-0.el3.src.rpm
6e3487b80f03bbbebc60b691ca140292 gaim-1.3.1-0.el3.src.rpm
i386:
28008d055a4e79ed522e10f0c50dc662 gaim-1.3.1-0.el3.i386.rpm
x86_64:
df11ddc642891aa0c6ed61621dd301ec gaim-1.3.1-0.el3.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/gaim-1.3.1-0.el3.src.rpm
6e3487b80f03bbbebc60b691ca140292 gaim-1.3.1-0.el3.src.rpm
i386:
28008d055a4e79ed522e10f0c50dc662 gaim-1.3.1-0.el3.i386.rpm
ia64:
e47396490f16e145080a04f3964cff85 gaim-1.3.1-0.el3.ia64.rpm
x86_64:
df11ddc642891aa0c6ed61621dd301ec gaim-1.3.1-0.el3.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/gaim-1.3.1-0.el3.src.rpm
6e3487b80f03bbbebc60b691ca140292 gaim-1.3.1-0.el3.src.rpm
i386:
28008d055a4e79ed522e10f0c50dc662 gaim-1.3.1-0.el3.i386.rpm
ia64:
e47396490f16e145080a04f3964cff85 gaim-1.3.1-0.el3.ia64.rpm
x86_64:
df11ddc642891aa0c6ed61621dd301ec gaim-1.3.1-0.el3.x86_64.rpm
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/gaim-1.3.1-0.el4.src.rpm
acf732c6f6d85a78c86db1baa79ca5f4 gaim-1.3.1-0.el4.src.rpm
i386:
e0511ae1b636292034a7b4c14af1825c gaim-1.3.1-0.el4.i386.rpm
ia64:
c26accad6a53da3e70df6477b8b01b16 gaim-1.3.1-0.el4.ia64.rpm
ppc:
ef64f758b59c02929996b3d26c6f2fba gaim-1.3.1-0.el4.ppc.rpm
s390:
5841165c10a1c583b9159a74b1deea76 gaim-1.3.1-0.el4.s390.rpm
s390x:
12a2890b8e73f6c915177f40305cde6b gaim-1.3.1-0.el4.s390x.rpm
x86_64:
b1ca26e267afa4bc370c1c6bceb895f6 gaim-1.3.1-0.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/gaim-1.3.1-0.el4.src.rpm
acf732c6f6d85a78c86db1baa79ca5f4 gaim-1.3.1-0.el4.src.rpm
i386:
e0511ae1b636292034a7b4c14af1825c gaim-1.3.1-0.el4.i386.rpm
x86_64:
b1ca26e267afa4bc370c1c6bceb895f6 gaim-1.3.1-0.el4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/gaim-1.3.1-0.el4.src.rpm
acf732c6f6d85a78c86db1baa79ca5f4 gaim-1.3.1-0.el4.src.rpm
i386:
e0511ae1b636292034a7b4c14af1825c gaim-1.3.1-0.el4.i386.rpm
ia64:
c26accad6a53da3e70df6477b8b01b16 gaim-1.3.1-0.el4.ia64.rpm
x86_64:
b1ca26e267afa4bc370c1c6bceb895f6 gaim-1.3.1-0.el4.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/gaim-1.3.1-0.el4.src.rpm
acf732c6f6d85a78c86db1baa79ca5f4 gaim-1.3.1-0.el4.src.rpm
i386:
e0511ae1b636292034a7b4c14af1825c gaim-1.3.1-0.el4.i386.rpm
ia64:
c26accad6a53da3e70df6477b8b01b16 gaim-1.3.1-0.el4.ia64.rpm
x86_64:
b1ca26e267afa4bc370c1c6bceb895f6 gaim-1.3.1-0.el4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1934
8. Contact:
The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFCsb52XlSAg2UNWIIRAnyLAJ44eBH+wsJzuWmHfVIeuXvLAEzdNQCgwff9
sdc1hG+wg7x9birNltk126M=
=Hret
- -----END PGP SIGNATURE-----