Red Hat 9026 Published by

Red Hat has released 8 new security updates for Red Hat Enterprise Linux:

- [RHSA-2010:0889-01] Important: freetype security update
- [RHSA-2010:0891-01] Moderate: pam security update
- [RHSA-2010:0890-01] Moderate: pidgin security update
- [RHSA-2010:0888-01] Important: openssl security update
- [RHSA-2010:0892-01] Moderate: openswan security update
- [RHSA-2010:0896-01] Moderate: thunderbird security update
- [RHSA-2010:0894-01] Important: systemtap security update
- [RHSA-2010:0895-01] Moderate: systemtap security update



[RHSA-2010:0889-01] Important: freetype security update
=====================================================================
Red Hat Security Advisory

Synopsis: Important: freetype security update
Advisory ID: RHSA-2010:0889-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0889.html
Issue date: 2010-11-16
CVE Names: CVE-2010-3855
=====================================================================

1. Summary:

Updated freetype packages that fix one security issue are now available for
Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files. It also loads, hints, and renders individual glyphs
efficiently. The freetype packages for Red Hat Enterprise Linux 4 provide
both the FreeType 1 and FreeType 2 font engines. The freetype packages for
Red Hat Enterprise Linux 5 and 6 provide only the FreeType 2 font engine.

A heap-based buffer overflow flaw was found in the way the FreeType font
rendering engine processed certain TrueType GX fonts. If a user loaded a
specially-crafted font file with an application linked against FreeType, it
could cause the application to crash or, possibly, execute arbitrary code
with the privileges of the user running the application. (CVE-2010-3855)

Note: This issue only affects the FreeType 2 font engine.

Users are advised to upgrade to these updated packages, which contain a
backported patch to correct this issue. The X server must be restarted (log
out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

645275 - CVE-2010-3855 Freetype : Heap based buffer overflow in ft_var_readpackedpoints()

Copyright 2010 Red Hat, Inc.
[RHSA-2010:0891-01] Moderate: pam security update
=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: pam security update
Advisory ID: RHSA-2010:0891-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0891.html
Issue date: 2010-11-16
CVE Names: CVE-2010-3316 CVE-2010-3435 CVE-2010-3853
=====================================================================

1. Summary:

Updated pam packages that fix three security issues are now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Pluggable Authentication Modules (PAM) provide a system whereby
administrators can set up authentication policies without having to
recompile programs that handle authentication.

It was discovered that the pam_namespace module executed the external
script namespace.init with an unchanged environment inherited from an
application calling PAM. In cases where such an environment was untrusted
(for example, when pam_namespace was configured for setuid applications
such as su or sudo), a local, unprivileged user could possibly use this
flaw to escalate their privileges. (CVE-2010-3853)

It was discovered that the pam_env and pam_mail modules used root
privileges while accessing user's files. A local, unprivileged user could
use this flaw to obtain information, from the lines that have the KEY=VALUE
format expected by pam_env, from an arbitrary file. Also, in certain
configurations, a local, unprivileged user using a service for which the
pam_mail module was configured for, could use this flaw to obtain limited
information about files or directories that they do not have access to.
(CVE-2010-3435)

Note: As part of the fix for CVE-2010-3435, this update changes the default
value of pam_env's configuration option user_readenv to 0, causing the
module to not read user's ~/.pam_environment configuration file by default,
as reading it may introduce unexpected changes to the environment of the
service using PAM, or PAM modules consulted after pam_env.

It was discovered that the pam_xauth module did not verify the return
values of the setuid() and setgid() system calls. A local, unprivileged
user could use this flaw to execute the xauth command with root privileges
and make it read an arbitrary input file. (CVE-2010-3316)

Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for
reporting the CVE-2010-3435 issue.

All pam users should upgrade to these updated packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

637898 - CVE-2010-3316 pam: pam_xauth missing return value checks from setuid() and similar calls
641335 - CVE-2010-3435 pam: pam_env and pam_mail accessing users' file with root privileges
643043 - CVE-2010-3853 pam: pam_namespace executes namespace.init with service's environment

Copyright 2010 Red Hat, Inc.
[RHSA-2010:0890-01] Moderate: pidgin security update
=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: pidgin security update
Advisory ID: RHSA-2010:0890-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0890.html
Issue date: 2010-11-16
CVE Names: CVE-2010-3711
=====================================================================

1. Summary:

Updated pidgin packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Pidgin is an instant messaging program which can log in to multiple
accounts on multiple instant messaging networks simultaneously.

Multiple NULL pointer dereference flaws were found in the way Pidgin
handled Base64 decoding. A remote attacker could use these flaws to crash
Pidgin if the target Pidgin user was using the Yahoo! Messenger Protocol,
MSN, MySpace, or Extensible Messaging and Presence Protocol (XMPP) protocol
plug-ins, or using the Microsoft NT LAN Manager (NTLM) protocol for
authentication. (CVE-2010-3711)

Red Hat would like to thank the Pidgin project for reporting these issues.
Upstream acknowledges Daniel Atallah as the original reporter.

All Pidgin users should upgrade to these updated packages, which contain a
backported patch to resolve these issues. Pidgin must be restarted for this
update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

641921 - CVE-2010-3711 Pidgin (libpurple): Multiple DoS (crash) flaws by processing of unsanitized Base64 decoder values

Copyright 2010 Red Hat, Inc.
[RHSA-2010:0888-01] Important: openssl security update
=====================================================================
Red Hat Security Advisory

Synopsis: Important: openssl security update
Advisory ID: RHSA-2010:0888-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0888.html
Issue date: 2010-11-16
CVE Names: CVE-2010-3864
=====================================================================

1. Summary:

Updated openssl packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A race condition flaw has been found in the OpenSSL TLS server extension
parsing code, which could affect some multithreaded OpenSSL applications.
Under certain specific conditions, it may be possible for a remote attacker
to trigger this race condition and cause such an application to crash, or
possibly execute arbitrary code with the permissions of the application.
(CVE-2010-3864)

Note that this issue does not affect the Apache HTTP Server. Refer to Red
Hat Bugzilla bug 649304 for more technical details on how to determine if
your application is affected.

Red Hat would like to thank Rob Hulswit for reporting this issue.

All OpenSSL users should upgrade to these updated packages, which contain a
backported patch to resolve this issue. For the update to take effect, all
services linked to the OpenSSL library must be restarted, or the system
rebooted.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

649304 - CVE-2010-3864 OpenSSL TLS extension parsing race condition

Copyright 2010 Red Hat, Inc.
[RHSA-2010:0892-01] Moderate: openswan security update
=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: openswan security update
Advisory ID: RHSA-2010:0892-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0892.html
Issue date: 2010-11-16
CVE Names: CVE-2010-3302 CVE-2010-3308 CVE-2010-3752
CVE-2010-3753
=====================================================================

1. Summary:

Updated openswan packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Openswan is a free implementation of Internet Protocol Security (IPsec)
and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide
both authentication and encryption services. These services allow you to
build secure tunnels through untrusted networks.

Two buffer overflow flaws were found in the Openswan client-side XAUTH
handling code used when connecting to certain Cisco gateways. A malicious
or compromised VPN gateway could use these flaws to execute arbitrary code
on the connecting Openswan client. (CVE-2010-3302, CVE-2010-3308)

Two input sanitization flaws were found in the Openswan client-side
handling of Cisco gateway banners. A malicious or compromised VPN gateway
could use these flaws to execute arbitrary code on the connecting Openswan
client. (CVE-2010-3752, CVE-2010-3753)

Red Hat would like to thank the Openswan project for reporting these
issues. Upstream acknowledges D. Hugh Redelmeier and Paul Wouters as the
original reporters.

All users of openswan are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After installing
this update, the ipsec service will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

634264 - CVE-2010-3302 openswan: buffer overflow vulnerability in XAUTH client-side support
637924 - CVE-2010-3308 Openswan cisco banner option handling vulnerability
640711 - CVE-2010-3752 Openswan: Gateway arbitrary code execution via shell metacharacters in cisco_dns_info or cisco_domain_info data in packet
640715 - CVE-2010-3753 Openswan: Gateway arbitrary execution via shell metacharacters in the cisco_banner

Copyright 2010 Red Hat, Inc.
[RHSA-2010:0896-01] Moderate: thunderbird security update
=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: thunderbird security update
Advisory ID: RHSA-2010:0896-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0896.html
Issue date: 2010-11-17
CVE Names: CVE-2010-3175 CVE-2010-3176 CVE-2010-3178
CVE-2010-3179 CVE-2010-3180 CVE-2010-3182
CVE-2010-3183 CVE-2010-3765
=====================================================================

1. Summary:

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

A race condition flaw was found in the way Thunderbird handled Document
Object Model (DOM) element properties. An HTML mail message containing
malicious content could cause Thunderbird to crash or, potentially, execute
arbitrary code with the privileges of the user running Thunderbird.
(CVE-2010-3765)

Several flaws were found in the processing of malformed HTML mail content.
An HTML mail message containing malicious content could cause Thunderbird
to crash or, potentially, execute arbitrary code with the privileges of the
user running Thunderbird. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179,
CVE-2010-3180, CVE-2010-3183)

A same-origin policy bypass flaw was found in Thunderbird. Remote HTML
content could steal private data from different remote HTML content
Thunderbird had loaded. (CVE-2010-3178)

Note: JavaScript support is disabled by default in Thunderbird. The above
issues are not exploitable unless JavaScript is enabled.

A flaw was found in the script that launches Thunderbird. The
LD_LIBRARY_PATH variable was appending a "." character, which could allow a
local attacker to execute arbitrary code with the privileges of a different
user running Thunderbird, if that user ran Thunderbird from within an
attacker-controlled directory. (CVE-2010-3182)

All Thunderbird users should upgrade to this updated package, which
resolves these issues. All running instances of Thunderbird must be
restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

642272 - CVE-2010-3176 Mozilla miscellaneous memory safety hazards
642275 - CVE-2010-3175 Mozilla miscellaneous memory safety hazards
642277 - CVE-2010-3179 Mozilla buffer overflow and memory corruption using document.write
642283 - CVE-2010-3180 Mozilla use-after-free error in nsBarProp
642286 - CVE-2010-3183 Mozilla dangling pointer vulnerability in LookupGetterOrSetter
642294 - CVE-2010-3178 Mozilla cross-site information disclosure via modal calls
642300 - CVE-2010-3182 Mozilla unsafe library loading flaw
646997 - CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73)

Copyright 2010 Red Hat, Inc.
[RHSA-2010:0894-01] Important: systemtap security update
=====================================================================
Red Hat Security Advisory

Synopsis: Important: systemtap security update
Advisory ID: RHSA-2010:0894-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0894.html
Issue date: 2010-11-17
CVE Names: CVE-2010-4170 CVE-2010-4171
=====================================================================

1. Summary:

Updated systemtap packages that fix two security issues are now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

SystemTap is an instrumentation system for systems running the Linux
kernel, version 2.6. Developers can write scripts to collect data on the
operation of the system. staprun, the SystemTap runtime tool, is used for
managing SystemTap kernel modules (for example, loading them).

It was discovered that staprun did not properly sanitize the environment
before executing the modprobe command to load an additional kernel module.
A local, unprivileged user could use this flaw to escalate their
privileges. (CVE-2010-4170)

It was discovered that staprun did not check if the module to be unloaded
was previously loaded by SystemTap. A local, unprivileged user could use
this flaw to unload an arbitrary kernel module that was not in use.
(CVE-2010-4171)

Note: After installing this update, users already in the stapdev group must
be added to the stapusr group in order to be able to run the staprun tool.

Red Hat would like to thank Tavis Ormandy for reporting these issues.

SystemTap users should upgrade to these updated packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

653604 - CVE-2010-4170 Systemtap: Insecure loading of modules
653606 - CVE-2010-4171 Systemtap: Ability to remove unused modules by unprivileged user

Copyright 2010 Red Hat, Inc.
[RHSA-2010:0895-01] Moderate: systemtap security update
=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: systemtap security update
Advisory ID: RHSA-2010:0895-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0895.html
Issue date: 2010-11-17
CVE Names: CVE-2010-4170
=====================================================================

1. Summary:

Updated systemtap packages that fix one security issue are now available
for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

SystemTap is an instrumentation system for systems running the Linux
kernel, version 2.6. Developers can write scripts to collect data on the
operation of the system. staprun, the SystemTap runtime tool, is used for
managing SystemTap kernel modules (for example, loading them).

It was discovered that staprun did not properly sanitize the environment
before executing the modprobe command to load an additional kernel module.
A local, unprivileged user could use this flaw to escalate their
privileges. (CVE-2010-4170)

Note: On Red Hat Enterprise Linux 4, an attacker must be a member of the
stapusr group to exploit this issue. Also note that, after installing this
update, users already in the stapdev group must be added to the stapusr
group in order to be able to run the staprun tool.

Red Hat would like to thank Tavis Ormandy for reporting this issue.

SystemTap users should upgrade to these updated packages, which contain
a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

653604 - CVE-2010-4170 Systemtap: Insecure loading of modules

Copyright 2010 Red Hat, Inc.