
NEW UPDATES RH 9.0!!


jong357


I noticed the xpdf as well.... I'll have to compare the security fixes..... RHN is always about a day behind on their E-mail notification compared to when they alert your applet service..... I found it strange as well. Hopefully I didn't open my mouth too soon as far as:

Redhat always does this.... Not sure what to make of it actually...... It's good on one hand, but really man......... Reminds me of some other particular company........ At least they're not coming out with patches to fix patches........ That's a plus I guess.........
We'll see....... :lol:

Jon, the other one was a month ago and has another version-subnumber . . . so I guess that you will need it after all . . . I checked Mandrake . . no sign of any updates yet ;) !

B) Bruno

FYI just to compare:

Recent Mandrake Linux Advisories
2003-07-15: MDKSA-2003:074 - kernel
2003-07-07: MDKSA-2003:073 - unzip
2003-06-27: MDKSA-2003:072 - ypserv
2003-06-27: MDKSA-2003:071 - xpdf
2003-06-27: MDKA-2003:017 - xfsprogs
2003-06-23: MDKSA-2003:070 - ethereal
2003-06-23: MDKA-2003:016 - reiserfsprogs
2003-06-23: MDKA-2003:015 - initscripts
2003-06-17: MDKSA-2003:069 - BitchX
2003-06-16: MDKSA-2003:068 - gzip


Following up on statements earlier this week, Red Hat has made unofficial kernel RPM releases available for Linux 2.6.0-test1.

The RPMs, which are available on Red Hat developer Arjan van de Ven's Red Hat-hosted Web page, are presumably being provided as an advanced look at the 2.6 kernel for early adopters and potential Red Hat customers.

The RPMs come with some caveats, however, as evidenced in the Readme file on the download site:

"This directory contains unofficial RPM's of 2.6-test kernels for Red Hat Linux 9 and Rawhide. Don't expect 2.6-test to be a completely polished drop-in; it's very much a work in progress although several people report success already. The rpms get updated regularly, depending on bugs fixed and how often Linus merges patches and makes releases.

Known to currently not work
  * LVM

Known quirks
  * XFree86 vs AGP
    The kernel agp modules got split into per chipset modules; the auto-load mechanism of XFree86 in RHL9 isn't yet adjusted to this split. You can get it to work by hand by doing a 'modprobe intel-agp' (if you have an intel chipset of course) before starting X..."
Download Page

Kelly,

That is not a real update! But only an experimental kernel version, you do have to warn people not to put it on their main OS, preferably not even on their main computer.

:blink: Bruno


True, it does state unofficial tho - guess I should have made that more clear sorry just thought it would fit in this category


Ran Across this for RedHat users, According to Distrowatch it is available:

DistroWatch published the release notes of Red Hat Linux "Severn" 9.0.93. The beta is scheduled to be released early this week, so make sure you keep checking the FTP mirrors of Red Hat. "Don't expect too much new, however, as the beta release appears to be more of a consolidation release of Red Hat Linux 9, rather than a release full of cutting edge features" DistroWatch notes. We also spotted Severn's ability to get into graphics mode just right after the kernel is loaded.
Release Notes of "Severn" 9.0.93

Please note this is BETA

  • 2 weeks later...

Red Hat Security Advisory

Synopsis: Updated wu-ftpd packages fix remote vulnerability.
Advisory ID: RHSA-2003:245-01
Issue date: 2003-07-31
Updated on: 2003-07-31
Product: Red Hat Linux
Keywords: ftpd
Cross references:
Obsoletes: RHSA-2001:157
CVE Names: CAN-2003-0466

1. Topic:

Updated wu-ftpd packages are now available that fix a remotely exploitable security issue.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.1 for iSeries (64 bit) - ppc
Red Hat Linux 7.1 for pSeries (64 bit) - ppc
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

The wu-ftpd package contains the Washington University FTP (File Transfer Protocol) server daemon. FTP is a method of transferring files between computers on a network.

Full Article with Fix


  • 3 weeks later...

There has been an interruption in the postings for the RedHat updates . . . here is a list of the updates since the last post:

2003-07-21 RHSA-2003:238 Updated 2.4 kernel fixes vulnerabilities
2003-07-23 RHSA-2003:234 Updated semi packages fix vulnerability
2003-07-29 RHSA-2003:222 Updated openssh packages available
2003-07-30 RHSA-2003:206 Updated nfs-utils packages fix denial of service vulnerability
2003-08-04 RHSA-2003:251 New postfix packages fix security issues.
2003-08-05 RHSA-2003:126 Updated gtkhtml packages fix vulnerability
2003-08-08 RHSA-2003:255 up2date improperly checks GPG signature of packages
2003-08-11 RHSA-2003:241 Updated ddskk packages fix temporary file vulnerability
2003-08-11 RHSA-2003:235 Updated KDE packages fix security issue
2003-08-11 RHSA-2003:235 Updated KDE packages fix security issue
2003-08-11 RHBA-2003:183 Updated redhat-config-network package available
2003-08-12 RHSA-2003:108 Updated Evolution packages fix multiple vulnerabilities
2003-08-15 RHSA-2003:199 Updated unzip packages fix trojan vulnerability
2003-08-18 RHBA-2003:252 cdrtools bugfix release for locking problems
2003-08-20 RHBA-2003:263 Updated 2.4 kernel resolves obscure bugs.
2003-08-21 RHSA-2003:258 GDM allows local user to read any file.

So folks get updating quick . . . . you did miss a few of them ;)


Red Hat Security Advisory

Synopsis: Updated pam_smb packages fix remote buffer overflow.
Advisory ID: RHSA-2003:261-01
Issue date: 2003-08-26
Updated on: 2003-08-26
Product: Red Hat Linux

1. Topic:

Updated pam_smb packages are now available which fix a security vulnerability (buffer overflow).

2. Relevant releases/architectures:

Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

The pam_smb module is a pluggable authentication module (PAM) used to authenticate users using an external Server Message Block (SMB) server.

A buffer overflow vulnerability has been found that affects unpatched versions of pam_smb up to and including 1.1.6.

On systems that use pam_smb and are configured to authenticate a remotely accessible service, an attacker can exploit this bug and remotely execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0686 to this issue.

Red Hat Linux versions 7.2, 7.3, 8.0, and 9 ship with versions of pam_smb that are vulnerable to this issue, however pam_smb is not enabled by default.

Users of pam_smb are advised to upgrade to these erratum packages, which contain a patch to version 1.1.6 to correct this issue.

View Article and Fix

"Red Hat Security Advisory

Synopsis: New up2date available with updated SSL certificate authority file
Advisory ID: RHSA-2003:267-01
Issue date: 2003-08-29
Updated on: 2003-08-29
Product: Red Hat Linux
Keywords: up2date Red Hat Network rhn_register

Topic:

New versions of the up2date and rhn_register clients are available and are required for continued access to Red Hat Network.

Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386"

View Article and Fix


Updated httpd packages fix Apache security vulnerabilities

Advisory: RHSA-2003:240-09
Last updated on: 2003-09-04
Affected Products: Red Hat Linux 8.0, Red Hat Linux 9
CVEs (cve.mitre.org): CAN-2003-0192, CAN-2003-0253, CAN-2003-0254

Details:

Updated httpd packages that fix several minor security issues are now available for Red Hat Linux 8.0 and 9.

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

Ben Laurie found a bug in the optional renegotiation code in mod_ssl included with Apache 2 versions 2.0.35 through 2.0.46 that can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.

Yoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35 to 2.0.46 have a bug that can cause a remote Denial of Service. When a client requests that proxy ftp connect to a ftp server with an IPv6 address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0254 to this issue.

Saheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46 have a bug in the prefork MPM when handling accept errors. In a server with multiple listening sockets, a certain error returned by accept() on a rarely-accessed port can cause a temporary denial of service. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0253 to this issue.

It is possible for Apache 2 to get into an infinite loop handling internal redirects and nested subrequests. A patch for this issue adds the new LimitInternalRecursion directive.

All users of the Apache HTTP Web Server are advised to upgrade to the applicable errata packages, which contain back-ported fixes correcting these issues, and are applied to Apache version 2.0.40.

After the errata packages are installed, restart the Web service by running (as root) the following command:

/sbin/service httpd restart
:P Bruno

Red Hat Security Advisory

Synopsis: Updated gtkhtml packages fix vulnerability
Advisory ID: RHSA-2003:264-01
Issue date: 2003-09-09
Updated on: 2003-09-09
Product: Red Hat Linux
Keywords:
Cross references:
Obsoletes: RHSA-2003:126
CVE Names: CAN-2003-0541

1. Topic:

Updated gtkhtml packages that fix a null pointer dereference are now available.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

GtkHTML is the HTML rendering widget used by the Evolution mail reader.

View Redhat_Advisory-3612


Red Hat Security Advisory

Synopsis: Updated pine packages fix vulnerabilities
Advisory ID: RHSA-2003:273-01
Issue date: 2003-09-11
Updated on: 2003-09-11
Product: Red Hat Linux
Keywords: iDefense
Cross references:
Obsoletes: RHSA-2002:270
CVE Names: CAN-2003-0720 CAN-2003-0721

1. Topic:

Updated Pine packages that resolve remotely exploitable security issues are now available.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

Pine, developed at the University of Washington, is a tool for reading, sending, and managing electronic messages (including mail and news).

View Redhat_Advisory-3613


nlinecomputers

Serious flaw in OpenSSH found. Patch your systems at once!!!

Security Advisory - RHSA-2003:279-07
------------------------------------------------------------------------------

Summary:

Updated OpenSSH packages fix potential vulnerability

Updated OpenSSH packages are now available that fix a bug that may be remotely exploitable.

Description:

OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions.

The OpenSSH team has announced a bug which affects the OpenSSH buffer handling code. This bug has the potential of being remotely exploitable.

All users of OpenSSH should immediately apply this update which contains a backported fix for this issue.

References: http://marc.theaimsgroup.com/?l=openbsd-mi...106371592604940

-------------
Taking Action
-------------

You may address the issues outlined in this advisory in two ways:

  - select your server name by clicking on its name from the list available at the following location, and then schedule an errata update for it:
        https://rhn.redhat.com/network/systemlist/s...system_list.pxt
  - run the Update Agent on each affected server.

---------------------------------
Changing Notification Preferences
---------------------------------

To enable/disable your Errata Alert preferences globally please log in to RHN and navigate from "Your RHN" / "Your Account" to the "Preferences" tab.

        URL: https://rhn.redhat.com/network/my_account/my_prefs.pxt

You can also enable/disable notification on a per system basis by selecting an individual system from the "Systems List". From the individual system view click the "Details" tab.

Red Hat Linux Advisories: openssh, sendmail

Red Hat Security Advisory

Synopsis: Updated OpenSSH packages fix potential vulnerabilities
Advisory ID: RHSA-2003:279-02
Issue date: 2003-09-16
Updated on: 2003-09-17
Product: Red Hat Linux
Keywords:
Cross references:
Obsoletes: RHSA-2003:222
CVE Names: CAN-2003-0693 CAN-2003-0695 CAN-2003-0682

1. Topic:

Updated OpenSSH packages are now available that fix bugs that may be remotely exploitable.

[updated 17 Sep 2003]
Updated packages are now available to fix additional buffer manipulation problems which were fixed in OpenSSH 3.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0695 to these additional issues.

We have also included fixes from Solar Designer for some additional memory bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0682 to these issues.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions.

The OpenSSH team has announced a bug which affects the OpenSSH buffer handling code. This bug has the potential of being remotely exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0693 to this issue.

All users of OpenSSH should immediately apply this update which contains a backported fix for this issue.

Source and Fix


  • 3 weeks later...

Latest updates RedHat 9

2003-10-03 RHSA-2003:256 Updated Perl packages fix security issues.
2003-09-30 RHSA-2003:292 Updated OpenSSL packages fix vulnerabilities
2003-09-24 RHBA-2003:179 Mailman RPM does not properly handle package installation and upgrade.

:D Bruno


  • 2 weeks later...

New updates RedHat 9:

2003-10-14 RHBA-2003:247 Updated SANE packages prevent hardware damage
2003-10-09 RHSA-2003:281 Updated MySQL packages fix vulnerability

B) Bruno


  • 3 weeks later...

Updates RedHat 9

2003-11-03 RHSA-2003:275 Updated CUPS packages fix denial of service
2003-11-03 RHSA-2003:309 Updated fileutils/coreutils package fix ls vulnerabilities

B) Bruno
