CESA-2016:2825

 

最新バージョンの thunderbird がRed Hat Enterprise Linux 5 / 6 / 7 からご利用いただけるようになりました。
Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。
今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 45.5.0

 

Security Fix(es)

* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-5290)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup as the original reporters.

Bug Fixed

CESA-2016:2825
https://rhn.redhat.com/errata/RHSA-2016-2825.html      

 

 

CESA-2016:2820

最新バージョンのmemcasedが、Red Hat Enterprise Linux 6 からご利用いただけるようになりました。
Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。
今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。
参照セクションのリンクをクリックしてください。

memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.

 

Security Fix(es)

* Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705)

Bug Fixed

 

Bug 1390510 – (CVE-2016-8704) CVE-2016-8704
https://bugzilla.redhat.com/show_bug.cgi?id=1390510
Bug 1390511 – (CVE-2016-8705) CVE-2016-8705
https://bugzilla.redhat.com/show_bug.cgi?id=1390511 

 

 

 

CESA-2016:2779

 

最新バージョンの nss and nss-util が、Red Hat Enterprise Linux 5 / 6 / 7 からご利用いただけるようになりました。
Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。
参照セクションのリンクをクリックしてください。

 

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries.
The following packages have been upgraded to a newer upstream version: nss (3.12.3), nss-util (3.12.3).

 

Security Fix(es)

* Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-2834)

* A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS. (CVE-2016-5285)
* It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. (CVE-2016-8635)

Red Hat would like to thank the Mozilla project for reporting CVE-2016-2834. The CVE-2016-8635 issue was discovered by Hubert Kario (Red Hat). Upstream acknowledges Tyson Smith and Jed Davis as the original reporter of CVE-2016-2834.

 

Bug fixed
Bug 1347908 – (CVE-2016-2834) CVE-2016-2834

https://bugzilla.redhat.com/show_bug.cgi?id=1347908
Bug 1383883 – (CVE-2016-5285) CVE-2016-5285
https://bugzilla.redhat.com/show_bug.cgi?id=1383883
Bug 1391818 – (CVE-2016-8635) CVE-2016-8635
https://bugzilla.redhat.com/show_bug.cgi?id=1391818

 

 

 

 

 

CESA-2016:2765

最新バージョンの389-ds-baseが、Red Hat Enterprise Linux 6 からご利用いただけるようになりました。
Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Security Fix(es)

* It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information. (CVE-2016-5416)

* An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not. (CVE-2016-4992)

* It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve directory server password after many tries. (CVE-2016-5405)
The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat); the CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin Basti (Red Hat); and the CVE-2016-5405 issue was discovered by William Brown (Red Hat).

Bug fixed

* Previously, a bug in the changelog iterator buffer caused it to point to an incorrect position when reloading the buffer. This caused replication to skip parts of the changelog, and consequently some changes were not replicated. This bug has been fixed, and replication data loss due to an incorrectly reloaded changelog buffer no longer occurs. (BZ#1354331)

* Previously, if internal modifications were generated on a consumer (for example by the Account Policy plug-in) and additional changes to the same attributes were received from replication, a bug caused Directory Server to accumulate state information on the consumer. The bug has been fixed by making sure that replace operations are only applied if they are newer than existing attribute deletion change sequence numbers (CSNs), and state information no longer accumulates in this situation. (BZ#1379599)

Bug 1347760 – (CVE-2016-4992) CVE-2016-4992
https://bugzilla.redhat.com/show_bug.cgi?id=1347760

Bug 1349540 – (CVE-2016-5416) CVE-2016-5416
https://bugzilla.redhat.com/show_bug.cgi?id=1349540

Bug 1354331 – Replication changelog can incorrectly skip over updates
https://bugzilla.redhat.com/show_bug.cgi?id=1354331

Bug 1358865 – (CVE-2016-5405) CVE-2016-5405
https://bugzilla.redhat.com/show_bug.cgi?id=1358865

Bug 1376676 – Backport AES storage scheme plugin
https://bugzilla.redhat.com/show_bug.cgi?id=1376676

Bug 1381153 – Crash in import_wait_for_space_in_fifo()
https://bugzilla.redhat.com/show_bug.cgi?id=1381153

 

CESA-2016:2675

最新バージョンの Pacemaker が、Red Hat Enterprise Linux 6 からご利用いただけるようになりました。Red Hat 製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョン Vulnerability Scoring System (CVSS) は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

The Pacemaker cluster resource manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure.

Security Fix(es)

* An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.(CVE-2016-7035)
This issue was discovered by Jan “poki” Pokorny (Red Hat) and Alain Moulle (ATOS/BULL).

Bugs fixed

1369732 – CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC communication
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1369732