NEW UPDATES RH 9.0!!


jong357

Security Advisory - RHSA-2003:204-11

> ------------------------------------------------------------------------------
> Summary:
>
> Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.
>
> Description:
>
> PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.
>
> This update contains fixes for a number of bugs discovered in the version of PHP included in Red Hat Linux 8.0 and 9. These bugs include the use of a PHP script as an ErrorDocument and possible POST body corruption in some configurations.
>
> Also included is a fix for a minor security problem. In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0442 to this issue.
>
> All users of PHP are advised to upgrade to these erratum packages, which contain back-ported patches to correct these issues.

They're just pumping them out this week......

ethereal-0.9.11-0.90.1 ------------> ethereal-0.9.13-1.90.1
ethereal-gnome-0.9.11-0.90.1 ------------> ethereal-gnome-0.9.13-1.90.1
5199 Kb.

Security Advisory - RHSA-2003:203-05

> ------------------------------------------------------------------------------
> Summary:
>
> Updated Ethereal packages fix security issues
>
> Updated Ethereal packages available to fix a number of remotely exploitable security issues
>
> Description:
>
> Ethereal is a program for monitoring network traffic.
>
> A number of security issues affect Ethereal. By exploiting these issues it may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
>
> Multiple off-by-one vulnerabilities exist in Ethereal 0.9.11 and earlier in the AIM, GIOP Gryphon, OSPF, PPTP, Quake, Quake2, Quake3, Rsync, SMB, SMPP, and TSP dissectors. They do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions. Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0356 to these issues.
>
> Multiple integer overflow vulnerabilities exist in Ethereal 0.9.11 and earlier in the Mount and PPP dissectors. (CAN-2003-0357)
>
> A vulnerability in the DCERPC dissector exists in Ethereal 0.9.12 and earlier, allowing remote attackers to cause a denial of service (memory consumption) via a certain NDR string. (CAN-2003-0428)
>
> The OSI dissector in Ethereal 0.9.12 and earlier causes by invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. (CAN-2003-0429)
>
> The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. (CAN-2003-0430)
>
> The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size. (CAN-2003-0431)
>
> Ethereal 0.9.12 and earlier does not handle certain strings properly in the BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors. (CAN-2003-0432)
>
> Users of Ethereal should update to the erratum packages containing Ethereal version 0.9.13, which are not vulnerable to these issues.
>
> References:
> http://www.ethereal.com/appnotes/enpa-sa-00009.html
> http://www.ethereal.com/appnotes/enpa-sa-00010.html

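The Ethereal advisory above concerns bounded string copies out of packet data, including the zero-length buffer case. As an added illustration (not Ethereal's code and not part of the original post), the hypothetical helper `copy_nstringz0` below shows a copy that stays in bounds for every buffer size; its name, signature and return convention are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not Ethereal's API: copy a NUL-terminated string out
 * of an untrusted packet buffer `pkt` of `pkt_len` bytes, starting at
 * `offset`, into `dst`, which holds `bufsize` bytes.
 * Returns the string length (excluding the NUL) when the whole string was
 * copied, or -1 when it was truncated or nothing could be written. */
int copy_nstringz0(const unsigned char *pkt, size_t pkt_len, size_t offset,
                   char *dst, size_t bufsize)
{
    size_t avail, limit, i;

    if (dst == NULL || bufsize == 0)
        return -1;                /* zero-length buffer: write nothing at all */
    dst[0] = '\0';
    if (pkt == NULL || offset >= pkt_len)
        return -1;                /* offset lies outside the captured data */

    avail = pkt_len - offset;     /* bytes actually present in the packet */
    limit = bufsize - 1;          /* reserve one byte for the terminator */
    if (limit > avail)
        limit = avail;

    for (i = 0; i < limit && pkt[offset + i] != '\0'; i++)
        dst[i] = (char)pkt[offset + i];
    dst[i] = '\0';                /* i <= bufsize - 1, so always in bounds */

    /* Complete only if the copy stopped on a NUL that is inside the packet. */
    if (i < avail && pkt[offset + i] == '\0')
        return (int)i;
    return -1;                    /* cut short by bufsize or by end of packet */
}

/* Off-by-one pattern to avoid in callers:
 *     char name[8];
 *     len = copy(..., name, sizeof(name) + 1);   // claims 9 bytes
 *     name[sizeof(name)] = '\0';                 // writes one past the end
 * Pass sizeof(name) and let the helper place the terminator. */
```
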

redhat-config-printer-0.6.47-1 ----------------> redhat-config-printer-0.6.47.9-1
redhat-config-printer-gui-0.6.47-1 ----------------> redhat-config-printer-gui-0.6.47.9-1
869 kb.

Bug Fix Advisory - RHBA-2003:125-11

> ------------------------------------------------------------------------------
> Summary:
>
> New redhat-config-printer packages available
>
> New redhat-config-printer packages are available, fixing assorted bugs.
>
> Description:
>
> The redhat-config-printer packages contain graphical and text-based printer configuration tools.
>
> A number of bugs have been found in these tools:
>
> - A problem with the 'browsed queues' feature of the graphical configuration tool has been addressed.
>
> - Other fixes in this release involve the strict RFC 1179 compliance setting, serial printers connected to ports on multi-port serial cards (i.e. not onboard ports), some queue configurations not being upgraded correctly, and SMB printing.
>
> Additionally, PTAL (Peripheral Transport Abstraction Library) support has been added, supporting devices accessible via the hpoj package.
>
> Users of redhat-config-printer that are impacted by these issues should install these updated packages.

printman-0.0.1-0.20021202.12 -------------> printman-0.0.1-0.20021202.12.1192 kb.

Bug Fix Advisory - RHBA-2003:127-02

> ------------------------------------------------------------------------------
> Summary:
>
> Updated print-queue manager packages
>
> The printman package provides a graphical tool for viewing print queues.
>
> These updated packages fix a problem with displaying the print jobs in a particular queue.
>
> Description:
>
> When viewing the list of print jobs in a particular queue, the jobs from all queues are intermingled. This update fixes that issue.

Redhat always does this.... Not sure what to make of it actually...... It's good on one hand, but really man......... Reminds me of some other particular company........ :) At least they're not coming out with patches to fix patches........ :D That's a plus I guess.........

nfs-utils-1.0.1-2.9 --------------> nfs-utils-1.0.1-3.9
190 kb.

Security Advisory - RHSA-2003:206-05

> ------------------------------------------------------------------------------
> Summary:
>
> Updated nfs-utils packages fix denial of service vulnerability
>
> Updated nfs-utils packages are available that fix a remotely exploitable Denial of Service vulnerability.
>
> Description:
>
> The nfs-utils package provides a daemon for the kernel NFS server and related tools.
>
> Janusz Niewiadomski found a buffer overflow bug in nfs-utils version 1.0.3 and earlier. This bug could be exploited by an attacker, causing a remote Denial of Service (crash). It is not believed that this bug could lead to remote arbitrary code execution.
>
> Users are advised to update to these erratum packages, which contain a backported security patch supplied by the nfs-utils maintainers and are not vulnerable to this issue.

Yes...Like Quint said..Thanks Jon!!
BarryB, I've got an idea: maybe after each post that Jon makes, he can thank himself for us! :( :(

LOL..I'm glad he does the post..The one machine with Redhat is my wife's and she NEVER checks for updates (of course she never checks windows updates or AV updates either...says that is my job as "Geek of the House")..so his reminders help me :(

Seriously, Jon, I appreciate the time and effort that you put into these postings; haven't been spending very much time, lately, in my RedHat 9.0 distro, so when I see you listing updates and bugfixes, it is very important to those of us using RH, and I thank you very much for making everyone aware of them. :lol:

You're very welcome. I don't mind at all...... Maybe I should start linking to the RPM's............. Sometimes the notification icon doesn't want to play nice and you have to hunt for them on RHN...... No need to thank me either.... I do appreciate it tho..... :lol:

You're very welcome. I don't mind at all...... Maybe I should start linking to the RPM's............. Sometimes the notification icon doesn't want to play nice and you have to hunt for them on RHN...... No need to thank me either.... I do appreciate it tho..... :lol:
Thanks, Jon, you reminded me of one bit of trouble that I've had occasionally: several times, their server has been busy enough that they told me to try again later! Other than that, have been pleased with the "easy update-ability". ;)

Yea, I'll link them from now on..... Their update server may be bogged down sometimes and I know Kelly is having problems with the Notification Icon by the clock....... By downloading them manually, you should never run into a wall like that...... 2 separate servers on the same DB, I think. You will have to create an account in RHN in order for the links to work tho..... The account is free so it shouldn't matter..... Cheers

Yea, I'll link them from now on..... Their update server may be bogged down sometimes and I know Kelly is having problems with the Notification Icon by the clock....... By downloading them manually, you should never run into a wall like that...... 2 separate servers on the same DB, I think. You will have to create an account in RHN in order for the links to work tho..... The account is free so it shouldn't matter..... Cheers
Sounds like a great plan, Jon. :rolleyes:

xpdf-2.01-9 -------------> xpdf-2.01-11:1
4063 kb

Security Advisory - RHSA-2003:196-13

> ------------------------------------------------------------------------------
> Summary:
>
> Updated Xpdf packages fix security vulnerability.
>
> Updated Xpdf packages are available that fix a vulnerability where a malicious PDF document could run arbitrary code.
>
> [updated 16 July 2003]
> Updated packages are now available, as the original errata packages did not fix all possible ways of exploiting this vulnerability.
>
> Description:
>
> Xpdf is an X Window System based viewer for Portable Document Format (PDF) files.
>
> Martyn Gilmore discovered a flaw in various PDF viewers and readers. An attacker can embed malicious external-type hyperlinks that, if activated or followed by a victim, can execute arbitrary shell commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0434 to this issue.
>
> All users of Xpdf are advised to upgrade to these errata packages, which contain a backported security patch that corrects this issue.

Jon

Xpdf again ?? there was one 18 June:

xpdf-2.01-8 ---------> xpdf-2.01-9:1
and now :
xpdf-2.01-9 -------------> xpdf-2.01-11:1
I will have to check Mandrake to see what's happening . . . :lol::lol: Bruno

Hey Bruno...This is probably a dumb question..but do you think App developers may go ahead and make changes needed for the 2.6 kernel now rather than waiting til it's released?

Hey Bruno...This is probably a dumb question..but do you think App developers may go ahead and make changes needed for the 2.6 kernel now rather than waiting til it's released?
Barry . . I'm sure that's what they are doing right now as we speak/post . . . :lol: Bruno

I thought so..I was wondering if some of these updates here lately have been as a result of that..( Just a thought, lately when I run apt-get updates something has been updated almost every night....just wondering...but then again Debian always seems to be moving forward ..so that could be the reason just as well)

I was wondering if some of these updates here lately have been as a result of that..( Just a thought, lately when I run apt-get updates something has been updated almost every night....just wondering)
No Barry, looking at them they are all just security-updates . . nothing to do with the new kernel yet! The only thing that struck me was that not even a month after they updated xpdf they have found a new security hole in it . . . :lol: Bruno

Good point....Will check closer..I agree 1 Month is a quick turnaround for security fixes.....But I think (scary thought) that as Linux (and Open Source ) become more mainstream they may look even harder at security issues before hackers (or crackers) get the chance to.

Linux is always very quick with security-updates Barry . . they do not wait till they can bundle the lot of them in a "SP1" "2" or "3" etc. . . . . :lol: Get my point ?? :lol: ;);) Bruno

Linux is always very quick with security-updates Barry . . they do not wait till they can bundle the lot of them in a "SP1" "2" or "3" etc. . . . . :lol: Get my point ?? :lol: ;)B) Bruno
Yep!! LOL... :D..not to mention usually no re-boot