             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                        java-1.5.0-ibm Security Update
                          [Red Hat RHSA-2008:0790-9]

August 18, 2008 19:00 GMT                                         Number S-360
______________________________________________________________________________
PROBLEM:       There are several vulnerabilities in Java Web Start where a
               remote attacker could cause malicious XML to be processed by
               an untrusted applet or application.
PLATFORM:      RHEL Desktop Supplementary (v. 5 client)
               RHEL Supplementary (v. 5 server)
               Red Hat Enterprise Linux Extras (v. 4)
DAMAGE:        Remote code execution.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. This could elevate permissions to access
ASSESSMENT:    URLs on a remote host.
______________________________________________________________________________
CVSS 2
BASE SCORE:     7.5
TEMPORAL SCORE: 6.2
VECTOR:         (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-360.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2008-0790.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2008-3104 CVE-2008-3106 CVE-2008-3108 CVE-2008-3111
                     CVE-2008-3112 CVE-2008-3113 CVE-2008-3114
______________________________________________________________________________

[***** Start Red Hat RHSA-2008:0790-9 *****]

Critical: java-1.5.0-ibm security update

Advisory:          RHSA-2008:0790-9
Type:              Security Advisory
Severity:          Critical
Issued on:         2008-07-31
Last updated on:   2008-07-31
Affected Products: RHEL Desktop Supplementary (v. 5 client)
                   RHEL Supplementary (v. 5 server)
                   Red Hat Enterprise Linux Extras (v. 4)
OVAL:              N/A
CVEs (cve.mitre.org):
                   CVE-2008-3104
                   CVE-2008-3106
                   CVE-2008-3108
                   CVE-2008-3111
                   CVE-2008-3112
                   CVE-2008-3113
                   CVE-2008-3114

Details

Updated java-1.5.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the
IBM Java 2 Software Development Kit.

Multiple vulnerabilities with unsigned applets were reported. A remote
attacker could misuse an unsigned applet to connect to localhost services
running on the host running the applet. (CVE-2008-3104)

A vulnerability in the XML processing API was found. A remote attacker who
caused malicious XML to be processed by an untrusted applet or application was
able to elevate permissions to access URLs on a remote host. (CVE-2008-3106)

A buffer overflow vulnerability was found in the font processing code. This
allowed remote attackers to extend the permissions of an untrusted applet or
application, allowing it to read and/or write local files, as well as to
execute local applications accessible to the user running the untrusted
application. (CVE-2008-3108)

Several buffer overflow vulnerabilities in Java Web Start were reported. These
vulnerabilities allowed an untrusted Java Web Start application to elevate its
privileges, allowing it to read and/or write local files, as well as to execute
local applications accessible to the user running the untrusted application.
(CVE-2008-3111)

Two file processing vulnerabilities in Java Web Start were found. A remote
attacker, by means of an untrusted Java Web Start application, was able to
create or delete arbitrary files with the permissions of the user running the
untrusted application. (CVE-2008-3112, CVE-2008-3113)

A vulnerability in Java Web Start when processing untrusted applications was
reported. An attacker was able to acquire sensitive information, such as the
cache location. (CVE-2008-3114)

All users of java-1.5.0-ibm are advised to upgrade to these updated packages,
that contain the IBM 1.5.0 SR8 Java release, which resolves these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Supplementary (v. 5 client)
--------------------------------------------------------------------------------

IA-32:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.i386.rpm  4069826a5ae32578fd243e52c064f28b
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.i386.rpm  8ba8597f91adfc7a6486ea291d07fa6c
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.i386.rpm  922fca3563ab0fe24d0962c592542a65
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.i386.rpm  129657ec6478a8d516793e8d1d443922
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.i386.rpm  13ec3260ec54277c123966cedf7e65e5
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.i386.rpm  07d4c3338805c7729fc648a49914a820
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.i386.rpm  01431d232b7a15c41cb013746073564d
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.i386.rpm  61f53a4baa9e037ab82d8c0ddeb80c87

x86_64:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.i386.rpm  4069826a5ae32578fd243e52c064f28b
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.x86_64.rpm  22349bec871f7a81e584b69f054481df
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.x86_64.rpm  a28693f4202955e099e44d80168f9c49
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.i386.rpm  922fca3563ab0fe24d0962c592542a65
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.x86_64.rpm  b3ff8864b0771d432f31308486dd1ae1
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.i386.rpm  129657ec6478a8d516793e8d1d443922
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.x86_64.rpm  8e765b068701f34949853d309c680656
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.i386.rpm  13ec3260ec54277c123966cedf7e65e5
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.x86_64.rpm  9db410c8e3442cb9a90f24536f4a8855
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.i386.rpm  07d4c3338805c7729fc648a49914a820
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.i386.rpm  01431d232b7a15c41cb013746073564d
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.i386.rpm  61f53a4baa9e037ab82d8c0ddeb80c87
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.x86_64.rpm  1421338342e6f707ea8154c587434b8a

RHEL Supplementary (v. 5 server)
--------------------------------------------------------------------------------

IA-32:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.i386.rpm  4069826a5ae32578fd243e52c064f28b
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.i386.rpm  8ba8597f91adfc7a6486ea291d07fa6c
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.i386.rpm  922fca3563ab0fe24d0962c592542a65
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.i386.rpm  129657ec6478a8d516793e8d1d443922
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.i386.rpm  13ec3260ec54277c123966cedf7e65e5
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.i386.rpm  07d4c3338805c7729fc648a49914a820
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.i386.rpm  01431d232b7a15c41cb013746073564d
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.i386.rpm  61f53a4baa9e037ab82d8c0ddeb80c87

PPC:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.ppc.rpm  6700e91baddc692926778bc1e5cb0fde
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.ppc64.rpm  4ad1cc0b31ee513dd8f833d4688fba26
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.ppc.rpm  1352e058b913fb18ffd8a75e36317eac
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.ppc.rpm  e4c3c7751804673b1ee999658724fa40
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.ppc64.rpm  3841eb717c487edeba3f26f5dd6a6ff2
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.ppc.rpm  8e961c9694b44126ac32776b7122e93c
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.ppc64.rpm  ed3ed44e93b59dd1114cb397d7916089
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.ppc.rpm  a4ab4e6866d65cc0d891c57311c8495d
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.ppc64.rpm  5fb19c904935d5b7124278a2f12467f4
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.ppc.rpm  8dbe81acdb629cb9d3c325c85a3eacff
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.ppc.rpm  c470b43ce712356a679cf00ae9464fa4
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.ppc.rpm  af7781efb83e5503910b4199d4d7b78e
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.ppc64.rpm  73d12d16375dd6fb2ca2f7058fd4a821

s390x:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.s390.rpm  05a07277f9f4c94d0af05f2d3146a485
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.s390x.rpm  adc073cfd786623afec0131d3ce6b5e1
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.s390x.rpm  d2b6ecaca6f4a027baa32870ba343742
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.s390.rpm  dc6ab9b39d1d21ab224fe0a402e85ea1
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.s390x.rpm  a04b84dc213b79c0d4cff62473414266
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.s390.rpm  6b3507060a2337b41a92fce56b8ad62c
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.s390x.rpm  8859ab10b8b1c63c305fc070e3eecd68
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.s390.rpm  3c72915782ba87bfc2e9c2e61f86e31f
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.s390.rpm  bf5d9108900593b6c2a3df18e733168d
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.s390x.rpm  7d7a9f9bf4b419ef8b08c30bb7ffc17f

x86_64:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.i386.rpm  4069826a5ae32578fd243e52c064f28b
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.x86_64.rpm  22349bec871f7a81e584b69f054481df
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.x86_64.rpm  a28693f4202955e099e44d80168f9c49
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.i386.rpm  922fca3563ab0fe24d0962c592542a65
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.x86_64.rpm  b3ff8864b0771d432f31308486dd1ae1
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.i386.rpm  129657ec6478a8d516793e8d1d443922
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.x86_64.rpm  8e765b068701f34949853d309c680656
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.i386.rpm  13ec3260ec54277c123966cedf7e65e5
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.x86_64.rpm  9db410c8e3442cb9a90f24536f4a8855
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.i386.rpm  07d4c3338805c7729fc648a49914a820
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.i386.rpm  01431d232b7a15c41cb013746073564d
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.i386.rpm  61f53a4baa9e037ab82d8c0ddeb80c87
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.x86_64.rpm  1421338342e6f707ea8154c587434b8a

Red Hat Enterprise Linux Extras (v. 4)
--------------------------------------------------------------------------------

IA-32:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.i386.rpm  44e3953af0e1cf6e9257c46ea1019453
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.i386.rpm  e7fb0fb69ffd8a84d6914206512c2772
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.i386.rpm  6630d3c955b57b74ed8f72fd5c545a53
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.i386.rpm  3ff62d20aec05814dff5b97e1aad8c78
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el4.i386.rpm  87683a524a5d23a1b52125a912141b07
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el4.i386.rpm  75c2f02aa30471f5152b6df09f0789ee
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.i386.rpm  9131db89f34a1820c42885fac0d25644

PPC:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.ppc.rpm  e877f0f4be8992c9347f795fd8c10dfb
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.ppc.rpm  8543a50f9bef2b6bf4e34001dc633037
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.ppc.rpm  1d24db2c5e66d7ed2e7e173d49a1ea93
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.ppc.rpm  d8838c1cca60875490dd4405935716f0
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el4.ppc.rpm  06f51eefe6d889cea12d59075872264a
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el4.ppc.rpm  46c62dfbac4cd93d74031bb2fd2e5def
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.ppc.rpm  e18113da0263f9522b9f816d1b735b8d

s390:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.s390.rpm  4225afb69c5a0e45fe4e0c3c56c4600b
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.s390.rpm  601d8b8cb89290013c310ed211327d52
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.s390.rpm  f0e83f89327522c99c174e1d3603717a
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el4.s390.rpm  b8f896b6a83f72df2c377ccee18b86fc
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.s390.rpm  a11940533903ace0f45bdf329d3f3235

s390x:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.s390x.rpm  4e2e589e3b71b316539bb793461cddcb
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.s390x.rpm  bc166c4c8395239c3c3b50e3478d7ee1
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.s390x.rpm  30aab8b015aa4f744b5b51808fcd612f
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.s390x.rpm  ae08669d77506d1c5193a62a61f2d0b4

x86_64:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.x86_64.rpm  2283c06e192d63dbe810dd96881fe716
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.x86_64.rpm  aff747c2200d9117bc583294e40b2022
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.x86_64.rpm  cde5d3e2531047395478458e47b47282
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.x86_64.rpm  2f1c95e6006d9793c2de91239d981dd3
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.x86_64.rpm  a361772401d6fb1c0904f14bc059d68c

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

452649 - CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access
         (6542088)
454601 - CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed
         (6687932)
454604 - CVE-2008-3108 Security Vulnerability with JRE fonts processing may
         allow Elevation of Privileges (6450319)
454605 - CVE-2008-3111 Java Web Start Buffer overflow vulnerabilities
         (6557220)
454606 - CVE-2008-3112 Java Web Start, arbitrary file creation (6703909)
454607 - CVE-2008-3113 Java Web Start arbitrary file creation/deletion file
         with user permissions (6704077)
454608 - CVE-2008-3114 Java Web Start, untrusted application may determine
         Cache Location (6704074)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
http://www.redhat.com/security/updates/classification/#critical

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2008:0790-9 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update
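Added example, not part of the CIAC bulletin or the Red Hat advisory: the advisory publishes an MD5 sum per package and notes that the packages are GPG signed, and a practitioner applying it by hand wants both checked before `rpm -U` runs. The POSIX shell script below compares downloaded RPMs against a manifest in the advisory's own "file md5" layout and then asks `rpm -K` to check the Red Hat signature. It assumes `md5sum` (coreutils) and, for the signature step, `rpm` are on PATH; the two manifest entries are copied from the RHEL 5 IA-32 list above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from CIAC or Red Hat): verify downloaded java-1.5.0-ibm
# RPMs against the MD5 sums an advisory publishes, then let rpm check the
# Red Hat GPG signature, before anything is installed.
# Assumes md5sum (coreutils) and, for the signature step, rpm are on PATH.

# Manifest in the advisory's own layout, "<file> <md5>", one entry per line.
# These two entries are copied from the RHEL 5 IA-32 list in the advisory.
ADVISORY_MANIFEST='java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.i386.rpm 4069826a5ae32578fd243e52c064f28b
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.i386.rpm 01431d232b7a15c41cb013746073564d'

# md5_of FILE: print only the hex digest of FILE.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_manifest DIR MANIFEST: return 0 only if every listed file exists in
# DIR and its digest matches. A missing file fails too, so a half-finished
# download cannot pass as "nothing to check".
verify_manifest() {
    dir=$1
    manifest=$2
    status=0
    while read -r file expected; do
        [ -n "$file" ] || continue          # skip blank lines
        path="$dir/$file"
        if [ ! -f "$path" ]; then
            echo "MISSING  $file" >&2
            status=1
            continue
        fi
        actual=$(md5_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file: expected $expected, got $actual" >&2
            status=1
        fi
    done <<EOF
$manifest
EOF
    return $status
}

# check_signatures DIR: run rpm -K (--checksig) on every .rpm in DIR against
# the imported Red Hat key. Fails closed: without rpm nothing is "verified".
check_signatures() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; signatures not verified" >&2
        return 1
    fi
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        rpm -K "$f" || return 1
    done
    return 0
}

# Usage, once the RPMs from Red Hat Network are in ./downloads:
#   verify_manifest ./downloads "$ADVISORY_MANIFEST" && check_signatures ./downloads
```

The checksum step only catches a corrupt or incomplete download; the signature step is what ties a package to Red Hat, which is why a passing checksum with a failing (or unavailable) `rpm -K` still fails the whole chain. The Red Hat key referenced in the advisory must be imported with `rpm --import` first, otherwise `rpm -K` reports the signature as unverifiable.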