====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update
Advisory ID:       RHSA-2018:2741-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2741
Issue date:        2018-09-24
CVE Names:         CVE-2017-2582 CVE-2017-7536 CVE-2018-1336 CVE-2018-10237
====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.21 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.20, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* hibernate-validator: Privilege escalation when running under the security manager (CVE-2017-7536)

* guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)

* picketlink: The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml (CVE-2017-2582)

* jbossweb: tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1261190 - [GSS](6.4.z) Upgrade jboss-ejb-client from 1.0.40 to 1.0.41
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
1570200 - [GSS](6.4.z) Upgrade JBoss Modules from 1.3.10 to 1.3.11
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1578830 - (6.4.z) Upgrade hibernate-validator from 4.3.3 to 4.3.4
1580440 - [GSS](6.4.z) Upgrade xnio from 3.0.16 to 3.0.17
1594389 - [GSS](6.4.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
1602226 - [GSS](6.4.z) Upgrade xerces from 2.9.1.redhat-6 to 2.9.1.redhat-8
1606334 - [GSS](6.4.z) Upgrade JBoss VFS from 3.2.12 to 3.2.13
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1610355 - [GSS](6.4.z) Upgrade HornetQ from 2.3.25.SP24 to 2.3.25.SP28
1610742 - [GSS](6.4.z) Upgrade JBoss Web from 7.5.28 to 7.5.29
1611770 - [GSS](6.4.z) Upgrade Ironjacamar from 1.0.41 to 1.0.42
1614448 - [GSS](6.4.z) Upgrade Jackson from 1.9.9.redhat-6 to 1.9.9.redhat-7
1615347 - [GSS](6.4.z) Upgrade PicketLink from 2.5.4.SP18-redhat-1 to 2.5.4.SP18-redhat-2
1615380 - [GSS](6.4.z) Upgrade Guava from 13.0.1.redhat-2 to 13.0.1.redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server:

Source:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el7.src.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el7.src.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el7.src.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el7.src.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el7.src.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el7.src.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el7.src.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el7.src.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el7.src.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el7.src.rpm

noarch:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-core-asl-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-jaxrs-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-mapper-asl-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-xc-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el7.noarch.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-common-impl-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-common-spi-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-core-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-core-impl-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-jdbc-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-spec-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-validator-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el7.noarch.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el7.noarch.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el7.noarch.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/cve/CVE-2017-7536
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

--
RHSA-announce mailing list
====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openssh security, bug fix and enhancement update
Advisory ID:       RHSA-2015:0425-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:0425.html
Issue date:        2015-03-05
CVE Names:         CVE-2014-2653 CVE-2014-9278
====================================================================

1. Summary:

Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.

It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653)

It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278)

The openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667)

Bug fixes:

* An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging. (BZ#1083482)

* The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation. (BZ#1097665)

* Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662)

* Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to "yes" by default. Consequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to "no". (BZ#1134447)

* Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make the access to the file easier. (BZ#1134448)

* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation. (BZ#1161173)

Enhancements:

* When the sshd daemon is configured to force the internal SFTP session and a connection other than SFTP is used, an appropriate message is now logged to the /var/log/secure file. (BZ#1130198)

* The sshd-keygen service was run using the "ExecStartPre=-/usr/sbin/sshd-keygen" option in the sshd.service unit file. With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service. (BZ#1134997)

Users of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

912792 - ssh client showing Connection closed by UNKNOWN after timeout at password prompt
1071967 - Inconsistent error message when generating keys in FIPS mode
1081338 - CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
1084079 - sftp / symlink does not create relative links
1097665 - ssh-keygen with error : gethostname: File name too long
1102288 - AuthorizedKeysCommand does not work under the Match section
1134997 - sshd.service shouldn't call /usr/sbin/sshd-keygen directly using ExecStartPre
1143867 - sshd fails to start in FIPS mode due to ED25519 key generation
1153011 - sshd requires that .k5login exists even if krb5_kuserok() returns TRUE
1155626 - KerberosUseKuserok default changed from "yes" to "no"
1161173 - sshd sets KRB5CCNAME environment variable with a truncated value
1162620 - fatal: monitor_read: unsupported request: 82 on server while attempting GSSAPI key exchange
1169843 - CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
openssh-6.6.1p1-11.el7.src.rpm

x86_64:
openssh-6.6.1p1-11.el7.x86_64.rpm
openssh-askpass-6.6.1p1-11.el7.x86_64.rpm
openssh-clients-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-keycat-6.6.1p1-11.el7.x86_64.rpm
openssh-server-6.6.1p1-11.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
openssh-debuginfo-6.6.1p1-11.el7.i686.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-ldap-6.6.1p1-11.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
openssh-6.6.1p1-11.el7.src.rpm

x86_64:
openssh-6.6.1p1-11.el7.x86_64.rpm
openssh-clients-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-keycat-6.6.1p1-11.el7.x86_64.rpm
openssh-server-6.6.1p1-11.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
openssh-askpass-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.i686.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-ldap-6.6.1p1-11.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
openssh-6.6.1p1-11.el7.src.rpm

ppc64:
openssh-6.6.1p1-11.el7.ppc64.rpm
openssh-askpass-6.6.1p1-11.el7.ppc64.rpm
openssh-clients-6.6.1p1-11.el7.ppc64.rpm
openssh-debuginfo-6.6.1p1-11.el7.ppc64.rpm
openssh-keycat-6.6.1p1-11.el7.ppc64.rpm
openssh-server-6.6.1p1-11.el7.ppc64.rpm

s390x:
openssh-6.6.1p1-11.el7.s390x.rpm
openssh-askpass-6.6.1p1-11.el7.s390x.rpm
openssh-clients-6.6.1p1-11.el7.s390x.rpm
openssh-debuginfo-6.6.1p1-11.el7.s390x.rpm
openssh-keycat-6.6.1p1-11.el7.s390x.rpm
openssh-server-6.6.1p1-11.el7.s390x.rpm

x86_64:
openssh-6.6.1p1-11.el7.x86_64.rpm
openssh-askpass-6.6.1p1-11.el7.x86_64.rpm
openssh-clients-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-keycat-6.6.1p1-11.el7.x86_64.rpm
openssh-server-6.6.1p1-11.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
openssh-debuginfo-6.6.1p1-11.el7.ppc.rpm
openssh-debuginfo-6.6.1p1-11.el7.ppc64.rpm
openssh-ldap-6.6.1p1-11.el7.ppc64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.ppc64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.ppc.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.ppc64.rpm

s390x:
openssh-debuginfo-6.6.1p1-11.el7.s390.rpm
openssh-debuginfo-6.6.1p1-11.el7.s390x.rpm
openssh-ldap-6.6.1p1-11.el7.s390x.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.s390x.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.s390.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.s390x.rpm

x86_64:
openssh-debuginfo-6.6.1p1-11.el7.i686.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-ldap-6.6.1p1-11.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
openssh-6.6.1p1-11.el7.src.rpm

x86_64:
openssh-6.6.1p1-11.el7.x86_64.rpm
openssh-askpass-6.6.1p1-11.el7.x86_64.rpm
openssh-clients-6.6.1p1-11.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-keycat-6.6.1p1-11.el7.x86_64.rpm
openssh-server-6.6.1p1-11.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
openssh-debuginfo-6.6.1p1-11.el7.i686.rpm
openssh-debuginfo-6.6.1p1-11.el7.x86_64.rpm
openssh-ldap-6.6.1p1-11.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-11.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.11.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2014-2653
https://access.redhat.com/security/cve/CVE-2014-9278
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2015 Red Hat, Inc.
====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-neutron security, bug fix, and enhancement update
Advisory ID:       RHSA-2014:1119-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2014:1119.html
Issue date:        2014-09-02
CVE Names:         CVE-2014-3555
====================================================================

1. Summary:

Updated openstack-neutron packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

OpenStack 5.0 for RHEL 7 - noarch

3. Description:

OpenStack Networking (neutron) is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. As of Red Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum' as the core component of OpenStack Networking.

A denial of service flaw was found in neutron's handling of allowed address pairs. As there was no enforced quota on the amount of allowed address pairs, a sufficiently authorized user could possibly create a large number of firewall rules, impacting performance or potentially rendering a compute node unusable. (CVE-2014-3555)

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Liping Mao from Cisco as the original reporter.

The openstack-neutron packages have been upgraded to upstream version 2014.1.2, which provides a number of bug fixes and enhancements over the previous version, most notable of which are:

* Multiple Open vSwitch agent fixes: the agent now sets bridges in the correct order to avoid breaking tunnel networks, creates the integration bridge if it is missing, sets the secure-failing mode for integration bridges to ensure the 'openvswitch' service does not program NORMAL action on restart and instead relies on the L2 agent to manage those bridges on restart, limits veth names to 15 characters, and no longer spawns RPC consumers before all the needed data structures are ready to be accessed.

* RPC interactions between the DHCP agent and the Neutron plug-in have been optimized.

* Rule updates for security groups are now applied more effectively.

* Firewall-as-a-Service (FWaaS): a possible race condition when deleting a firewall has been fixed; iptables updates are no longer deferred for the service.

* Metering: metering data for egress and ingress are now reported separately; the incorrect router key used to report against MongoDB has been fixed.

* Load-Balancing-as-a-Service (LBaaS): resources are now registered against the quotas engine; rootwrap filters are now shipped independent of L3 agent filters.

* Metaplugin now supports multiple RPC workers.

* The following plug-ins have been updated: BigSwitch, Brocade, Cisco N1k, HyperV, OFAgent, PLUMgrid, and VMWare NSX.

Refer to https://launchpad.net/neutron/icehouse/2014.1.2 for more information on the changes included in the 2014.1.2 release of openstack-neutron. (BZ#1127439)

This update also fixes the following bug:

* Previously, OpenStack Networking could stop processing network ports that disappeared from the integration bridge during the L2-agent loop, even after those ports were back on the bridge. As a result, updates for temporarily disappeared ports were not handled by the L2 agent. With this update, these ports are no longer marked as processed if not found on the integration bridge. Ports are now processed correctly even after they temporarily disappear from the integration bridge. (BZ#1115588)

All openstack-neutron users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1115588 - Upon rebuild instances might never get to Active state
1115714 - Cisco: Http timeout for connection to controller is not configurable
1118833 - CVE-2014-3555 openstack-neutron: Denial of Service in Neutron allowed address pair
1123826 - [Upgrade] After Upgrade from Havana to Icehouse LBaas doesn't work - "cannot find group id for 'nogroup' "
1127428 - Rebase openstack-neutron to 2014.1.2

6. Package List:

OpenStack 5.0 for RHEL 7:

Source:
openstack-neutron-2014.1.2-2.el7ost.src.rpm

noarch:
openstack-neutron-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-bigswitch-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-brocade-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-cisco-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-hyperv-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-ibm-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-linuxbridge-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-mellanox-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-metaplugin-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-metering-agent-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-midonet-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-ml2-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-nec-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-ofagent-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-oneconvergence-nvsd-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-openvswitch-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-plumgrid-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-ryu-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-vmware-2014.1.2-2.el7ost.noarch.rpm
openstack-neutron-vpn-agent-2014.1.2-2.el7ost.noarch.rpm
python-neutron-2014.1.2-2.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package

7. References:

https://access.redhat.com/security/cve/CVE-2014-3555
https://access.redhat.com/security/updates/classification#moderate
https://launchpad.net/neutron/icehouse/2014.1.2

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2014 Red Hat, Inc.
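The check a practitioner wants after reading advisories like the three above is whether the installed packages are at or past the Package List versions. The script below, an added example and not part of any Red Hat advisory, compares `rpm -qa` output against advisory package names using rpm's own rpmvercmp ordering; the installed-package lines are constructed, and epoch 0 is assumed (true for every package listed above).

```python
# Added example: check installed RPMs against an advisory's Package List using
# rpm's own rpmvercmp ordering (numeric/alpha segments, '~' sorts first).
# Epochs are assumed to be 0, which holds for every package listed above.
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
_SKIP = re.compile(r"[^0-9A-Za-z~]*")   # separator runs that rpm ignores
# Arch and ".rpm" suffixes are optional so that plain `rpm -qa` output parses too.
_SUFFIX = re.compile(r"(\.(?:src|noarch|i686|x86_64|ppc|ppc64|s390|s390x))?(?:\.rpm)?$")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version/release string a is older, equal or newer than b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators (anything that is not alphanumeric or '~').
        i = _SKIP.match(a, i).end()
        j = _SKIP.match(b, j).end()
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:                      # '~' is older than anything: 1.0~rc1 < 1.0
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        seg_a = _SEGMENT.match(a, i).group(0)
        isnum = seg_a[0].isdigit()
        mb = re.match(r"[0-9]+" if isnum else r"[A-Za-z]+", b[j:])
        if mb is None:                    # segment kinds differ: numeric wins
            return 1 if isnum else -1
        seg_b = mb.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0") or "0", seg_b.lstrip("0") or "0"
            if len(seg_a) != len(seg_b):  # longer digit run is the larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whichever has segments left is newer


def parse_nvr(pkg: str):
    """Split 'name-version-release[.arch][.rpm]' into (name, version, release).
    Names may contain '-', so split from the right; the dist tag stays in release."""
    name, version, release = _SUFFIX.sub("", pkg).rsplit("-", 2)
    return name, version, release


def compare_vr(a, b) -> int:
    """Compare (version, release) pairs: version first, release breaks ties."""
    r = rpmvercmp(a[0], b[0])
    return r if r else rpmvercmp(a[1], b[1])


def check_advisory(installed_lines, fixed_files):
    """Map each fixed package name to 'fixed', 'vulnerable' or 'not installed'.
    installed_lines: `rpm -qa` output; fixed_files: names from the Package List."""
    installed = {}
    for line in installed_lines:
        name, ver, rel = parse_nvr(line.strip())
        # Keep the newest instance if a name appears more than once (multilib).
        if name not in installed or compare_vr((ver, rel), installed[name]) > 0:
            installed[name] = (ver, rel)
    report = {}
    for fname in fixed_files:
        name, fver, frel = parse_nvr(fname)
        if name not in installed:
            report[name] = "not installed"
        else:
            ok = compare_vr(installed[name], (fver, frel)) >= 0
            report[name] = "fixed" if ok else "vulnerable"
    return report


# Constructed sample of `rpm -qa` output from a host that only partly applied the errata.
INSTALLED = [
    "openssh-6.6.1p1-10.el7.x86_64",
    "openssh-server-6.6.1p1-11.el7.x86_64",
    "openstack-neutron-2014.1.1-7.el7ost.noarch",
    "jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el7.noarch",
]
# Fixed packages copied from the Package Lists of RHSA-2015:0425, RHSA-2014:1119 and RHSA-2018:2741.
FIXED = [
    "openssh-6.6.1p1-11.el7.x86_64.rpm",
    "openssh-server-6.6.1p1-11.el7.x86_64.rpm",
    "openstack-neutron-2014.1.2-2.el7ost.noarch.rpm",
    "jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el7.noarch.rpm",
    "guava-libraries-13.0.1-5.redhat_3.1.ep6.el7.noarch.rpm",
]

if __name__ == "__main__":
    for name, status in sorted(check_advisory(INSTALLED, FIXED).items()):
        print(f"{name:20} {status}")
```

On a real host, feed `rpm -qa` output to `check_advisory` in place of INSTALLED; a "vulnerable" entry means the erratum's build is not yet installed for that package.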