March 2007
Five Red Hat Security Advisories
ID: 67
Ref: 009/2007
Date: 07 March 2007:17:48:46
Version: 1
Title: Five Red Hat Security Advisories
Abstract: Details of Red Hat vulnerabilities in IBMJava2, dbus, postgresql, java-1.4.2-ibm, bind
Vendors affected: Red Hat
Operating systems affected: Red Hat
Applications affected: Red Hat
Synopsis: Critical: IBMJava2 security update
Advisory ID: RHSA-2007:0072-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0072.html
IBM's 1.3.1 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.
Vulnerabilities were discovered in the Java Runtime Environment. An
untrusted applet could use these vulnerabilities to access data from other applets. (CVE-2006-6736, CVE-2006-6737)
Buffer overflow vulnerabilities were discovered in the Java Runtime Environment.
An untrusted applet could use these flaws to elevate its privileges, possibly reading and writing local files or executing local applications.
(CVE-2006-6731)
Synopsis: Moderate: dbus security update
Advisory ID: RHSA-2007:0008-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0008.html
D-BUS is a system for sending messages between applications. It is used both
for the systemwide message bus service, and as a per-user-login-session messaging
facility.
Kimmo Hämäläinen discovered a flaw in the way D-BUS processes certain messages.
It is possible for a local unprivileged D-BUS process to disrupt the ability of
another D-BUS process to receive messages. (CVE-2006-6107)
Users of dbus are advised to upgrade to these updated packages, which contain
backported patches to correct this issue.
Synopsis: Moderate: postgresql security update
Advisory ID: RHSA-2007:0067-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0067.html
PostgreSQL is an advanced Object-Relational database management system (DBMS).
Two flaws were found in the way the PostgreSQL server handles certain SQL-language
functions. An authenticated user could execute a sequence of command which could
crash the PostgreSQL server or possibly read from arbitrary memory locations. A
user must have permissions to drop and add database tables to exploit this flaw.
(CVE-2007-0555, CVE-2007-0556)
Several denial of service flaws were found in the PostgreSQL server. An
authenticated user could execute an SQL command which could crash the PostgreSQL
server. (CVE-2006-5540, CVE-2006-5541, CVE-2006-5542)
Synopsis: Critical: java-1.4.2-ibm security update
Advisory ID: RHSA-2007:0062-02
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0062.html
IBM's 1.4.2 SR7 Java release includes the IBM Java 2 Runtime Environment and the
IBM Java 2 Software Development Kit.
Synopsis: Moderate: bind security update
Advisory ID: RHSA-2007:0044-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0044.html
ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols.
A flaw was found in the way BIND processed certain DNS query responses.
On servers that had enabled DNSSEC validation, this could allow an remote
attacker to cause a denial of service. (CVE-2007-0494)
For users of Red Hat Enterprise Linux 3, the previous BIND update caused an
incompatible change to the default configuration that resulted in rndc not
sharing the key with the named daemon. This update corrects this bug and
restores the behavior prior to that update.
_____________________________________________________________________________
CPNI values your feedback.
1. Which of the following most reflects the value of the advisory to you?
(Place an 'X' next to your choice)
Very useful:__ Useful:__ Not useful:__
2. If you did not find it useful, why not?
3. Any other comments? How could we improve our advisories?
Thank you for your contribution.
______________________________________________________________________________
CPNI wishes to acknowledge the contributions of Red Hat for the information
contained in this advisory.
______________________________________________________________________________