B. Package Updates

CVE-2011-0419

It was discovered that the apr_fnmatch() function used an unconstrained recursion when processing patterns with the '*' wildcard. An attacker could use this flaw to cause an application using this function, which also accepted untrusted input as a pattern for matching (such as an httpd server using the mod_autoindex module), to exhaust all stack memory or use an excessive amount of CPU time when performing matching.

CVE-2010-1623

It was found that certain input could cause the apr-util library to allocate more memory than intended in the apr_brigade_split_line() function. An attacker able to provide input in small chunks to an application using the apr-util library (such as httpd) could possibly use this flaw to trigger high memory consumption.

BZ#689754

Prior to this update, an attempt to restart the autofs service while a mounted file system was in use caused the service to stop responding upon its startup. This was due to inappropriate locking during the recursive reconstruction of mount trees of pre-existing mounted multi-mount map entries. With this update, the underlying source code has been adapted to avoid the deadlock during the mount tree reconstruction, so that autofs now starts as expected. Additionally, this update prevents autofs from occasionally terminating with a segmentation fault upon a map entry lookup.

CVE-2010-3613

It was discovered that named did not invalidate previously cached RRSIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named.

CVE-2010-3614

It was discovered that, in certain cases, named did not properly perform DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY algorithm rollover. This flaw could cause the validator to incorrectly determine that the zone is insecure and not protected by DNSSEC.

CVE-2010-0405

An integer overflow flaw was discovered in the bzip2 decompression routine. This issue could, when decompressing malformed archives, cause bzip2, or an application linked against the libbz2 library, to crash or, potentially, execute arbitrary code.

BZ#797840

When installing multiple Linux Standard Base (LSB) services which only had LSB headers, the stop priority of the related LSB init scripts could have been miscalculated and set to "-1". With this update, the LSB init script ordering mechanism has been fixed, and the stop priority of the LSB init scripts is now set correctly.

BZ#797839

When an LSB init script requiring the "$local_fs" facility was installed with the "install_initd" command, the installation of the script could fail under certain circumstances. With this update, the underlying code has been modified to ignore this requirement because the "$local_fs" facility is always implicitly provided. LSB init scripts with requirements on "$local_fs" are now installed correctly.

BZ#668366

Due to an error in the cifs.upcall utility, Generic Security Services Application Program Interface (GSSAPI) channel bindings in Kerberos authentication messages were not set properly. This would cause some servers to reject authentication requests. Consequent to this, an attempt to mount a CIFS share with the security mode set to "krb5" could fail with the following error:

mount error(5): Input/output error

This update corrects the cifs.upcall utility to set the GSSAPI channel bindings properly, and such CIFS shares can now be mounted as expected.

BZ#681027

Due to an incorrect call of a function from the libxml2 library, each update of cluster configuration caused the configuration library to leak a small amount of memory. This update applies a patch that removes this incorrect function call, and updating cluster configuration no longer leads to memory leaks.

BZ#643279

Due to an incorrect conversion of directory inodes with the height larger than 1, running the gfs2_convert utility on a file system with extremely large directories may have caused the file system to become corrupted. With this update, the underlying source code has been modified to target this issue, and the gfs2_convert utility now works as expected.

BZ#634201

The /proc/mounts file system is no longer updated with the wrong device.

BZ#638954

A 'service cman stop remove' command no longer erroneously and permanently sets the 'remove' flag for a node for every subsequent stop/leave operation.

BZ#639958

When two cluster nodes attempt to form a cluster with different configuration files, the one with the more recent version no longer gets killed.

BZ#637699

The fsck.gfs2 utility no longer crashes if journals are missing.

BZ#673992

Under certain error conditions, an error in the code path in compat-dapl did not allow the cp_ptr entry to be cleaned up correctly in the internal link list. This could cause new connections to fail. This update includes a backported fix from uDAPL 2.0 which ensures the entry is cleaned up correctly and subsequent connections work as expected.

Bug Fix

BZ#850681

Previously, a bug in the Corosync server caused that when an IPC (inter-process communication) connection exited or was terminated, Corosync failed to free the memory for this connection. Consequently, Corosync memory could grow. This update fixes this bug and Corosync now always frees IPC memory as expected in the described scenario.

BZ#828430

Previously, it was not possible to activate or deactivate debug logs at runtime due to memory corruption in the objdb structure. With this update, the debug logging can now be activated or deactivated on runtime, for example with the command "corosync-objctl -w logging.debug=off".

BZ#810915

Previously, the underlying library of corosync did not delete temporary buffers used for Inter-Process Communication (IPC) that are stored in the /dev/shm shared memory file system. Therefore, if the user without proper privileges attempted to establish an IPC connection, the attempt failed with an error message as expected but memory allocated for temporary buffers was not released. This could eventually result in /dev/shm being fully used and Denial of Service. This update modifies the coroipcc library to let applications delete temporary buffers if the buffers were not deleted by the corosync server. The /dev/shm file system is no longer cluttered with needless data in this scenario and IPC connections can be established as expected.

BZ#791234

Previously, the range condition for the update_aru() function could cause incorrect check of message IDs. Due to this, in rare cases, the corosync utility entered the "FAILED TO RECEIVE" state, and so failed to receive multicast packets. With this update, the range value in the update_aru() function is no longer checked for; the fail_to_recv_const constant performs such checks. Now, corosync does not fail to receive packets.

BZ#726607

Previously, under heavy traffic, receive buffers sometimes overflowed, causing loss of packets. Consequently, retransmit list error messages appeared in the log files. This bug has been fixed, incoming messages are now processed more frequently, and the retransmit list error messages no longer appear in the described scenario.

BZ#727960

Previously, when a combination of a lossy network and a large number of configuration changes was used with corosync, corosync sometimes terminated unexpectedly. This bug has been fixed, and corosync no longer crashes in the described scenario.

BZ#734996

Prior to this update, when corosync ran the "cman_tool join" and "cman_tool leave" commands in a loop, corosync sometimes terminated unexpectedly. This bug has been fixed, and corosync no longer crashes in the described scenario.

BZ#696735

When the corosync server terminated unexpectedly, if it was connected to corosync clients, a shared memory leak occurred. This bug has been fixed and no memory leaks occur in the described scenario.

BZ#696734

When a ring ID file was smaller than 8 bytes, the corosync server terminated unexpectedly. With this update, if no proper ring ID file can be loaded, the corosync server creates one and no crash will occur.

BZ#696733

During the recovery phase, the corosync server sometimes terminated unexpectedly. As a consequence, a network token was lost and new configuration had to be created. This bug has been fixed and the corosync server no longer crashes in the described scenario.

BZ#696732

In rare circumstances involving multiple running nodes, the corosync server terminated unexpectedly during shut down. This bug has been fixed and the corosync server no longer crashes.

BZ#681258

When inconsistent cluster.conf files with different versions were used among nodes, a memory leak occurred in the corosync server during the configuration reload. This bug has been fixed and the configuration reload via the cman_tool no longer causes memory leaks.

BZ#683592

Compared to a unicast token, certain network switches add an extra delay to the transmission of a multicast packet. Consequent to this, multicast messages may have been retransmitted, even though the message was not lost and the retransmission was therefore not necessary. This update introduces the "miss_count_const" constant that allows a user to specify the maximum number of times a message is checked for retransmission before the retransmission is performed.

CVE-2010-2941

An invalid free flaw was found in the way the CUPS server parsed Internet Printing Protocol (IPP) packets. A malicious user able to send IPP requests to the CUPS server could use this flaw to crash the CUPS server.

CVE-2010-3846

An array index error, leading to a heap-based buffer overflow, was found in the way CVS applied certain delta fragment changes from input files in the RCS (Revision Control System file) format. If an attacker in control of a CVS repository stored a specially-crafted RCS file in that repository, and then tricked a remote victim into checking out (updating their CVS repository tree) a revision containing that file, it could lead to arbitrary code execution with the privileges of the CVS server process on the system hosting the CVS repository.

BZ#673989

Under certain error conditions dapl did not allow the cp_ptr entry to be cleaned up correctly in the internal link list. This could cause new connections to fail. With this update, the entry is cleaned up correctly and subsequent connections work as expected.

BZ#673993

Under certain error conditions dapl could fail to free allocated memory. The consequent memory leak could, potentially, result in an out of memory condition for the application. This update frees allocated memory correctly, closing the leak.

BZ#675198

Under certain circumstances, when a thread was waiting on dapls_evd_dto_wait() and the thread received a signal, the function would return an incorrect error code, resulting in the application failing rather than retrying the request.

BZ#675205

On systems with multiple InfiniBand (IB) adapters, especially if some were configured and some not, the dat_ia_open() function could hang when the driver queried the IB devices listed in /etc/dat.conf. This primarily presented as IBM DB2 installations hanging before they completed. With this update, the dat_ia_open() hang has been fixed and IBM DB2 installations, in particular, now succeed as expected.

BZ#675202

New provider entries for Mellanox RDMA over Converged Ethernet (RoCE) devices were added to the dat.conf file.

CVE-2010-4352

A denial of service flaw was discovered in the system for sending messages between applications. A local user could send a message with an excessive number of nested variants to the system-wide message bus, causing the message bus (and, consequently, any process using libdbus to receive messages) to abort.

BZ#751079

If the multipath device was deleted while a path was being checked, multipathd did not abort the path check and terminated unexpectedly when trying to access the multipath device information. The multipathd daemon now aborts any path checks when the multipath device is removed and the problem no longer occurs.

BZ#696133

Previously, multipath marked paths as failed if it could not determine whether the path was offline through sysfs. With this update, multipath calls the path_checker function to get the path's state when it cannot be determined.

BZ#702402

Previously, the multipath daemon did not remove restored paths correctly when one dervice path came online after another device path failed. Due to this issue, the multipath daemon could terminate unexpectedly with a segmentation fault on a multipath device when the path_grouping_policy option was set to the group_by_prio value. With this update multipath removes and restores such paths correctly.

BZ#684684

Prior to this update, multipathd did not always remove a path's sysfs device from cache when the path was removed. Also, multipathd searched the cache and created sysfs devices without the 'vecs' lock held. As a result, paths would occasionally have invalid sysfs devices, causing multipathd crashes and other errors. With this update, multipathd always removes the sysfs device from cache when deleting the path, and it only accesses the cache with the 'vecs' lock held.

BZ#672151

Multipathd caches the value of sysfs attribute lookups for the path devices that make up a multipath device. Previously, these weren't being removed when the path devices were removed. As well, in some cases the cache was not helpful and not used. This occasionally caused memory leaks when path devices were removed and restored. With this update, the unnecessary caching has been completely removed and the cached values are now removed when the corresponding path device is removed. Consequently, the occasional memory leaks no longer occur.

BZ#658937

When all paths of a pathgroup with set group_by_prio were restored after a failure, multipathd could place some paths into a wrong pathgroup. This issue occurred, because the daemon checked if pathgroups needed reconfiguration only if a path priority changed. When the original paths were restored, they could have been assigned the same priority as before the failure. In such case the paths were incorrectly left in a wrong pathgroup. With this update, when checking if it needs to recalculate the pathgroups, the multipathd daemon refreshes and checks all priorities once a new path becomes available and places recovered paths into the correct pathgroup.

CVE-2010-3611

A NULL pointer dereference flaw was discovered in the way the dhcpd daemon parsed DHCPv6 packets. A remote attacker could use this flaw to crash dhcpd via a specially-crafted DHCPv6 packet, if dhcpd was running as a DHCPv6 server.

CVE-2011-0413

A flaw was found in the way the dhcpd daemon processed certain DHCPv6 messages for addresses that had previously been declined and marked as abandoned internally. If a remote attacker sent such messages to dhcpd, it could cause dhcpd to crash due to an assertion failure if it was running as a DHCPv6 server.

CVE-2011-0997

It was discovered that the DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process.

BZ#745558

Prior to this update, the extended records for the DMI types Memory Device (DMI type 17) and Memory Array Mapped Address (DMI type 19) were missing from the dmidecode utility output. With this update, dmidecode has been upgraded to upstream version 2.11, which updates support for the SMBIOS specification to version 2.7.1, thus fixing this bug. Now, the dmidecode output contains the extended records for DMI type 17 and DMI type 19.

BZ#661298

The dracut packages have been updated to support the new kernel boot option, "rdinsmodpost=[module]", which allows a user to specify a kernel module to be loaded after all device drivers are loaded automatically.

BZ#651402

Prior to this update, the udev rules used by dracut may have caused the merged logical volume management (LVM) snapshots to be accessed. Consequent to this, I/O errors appeared in the log. With this update, dracut's internal udev rules have been updated to ignore those internal devices, and dracut now works as expected.

CVE-2010-2640, CVE-2010-2641

An array index error was found in the DeVice Independent (DVI) renderer's PK and VF font file parsers. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.

CVE-2010-2642

A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.

CVE-2010-2643

An integer overflow flaw was found in the DVI renderer's TFM font file parser. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.

BZ#680522

A bug fix for a previous advisory, the RHEA-2010:0904 enhancement update, stated that the Brocade 200E, Brocade 300, Brocade 4100, Brocade 4900, and Brocade 5100 fencing devices are now supported by the fence_brocade agent. However, the fence_brocade agent was not included in the updated package. This update corrects this error, and the fence_brocade agent is now included in the package as expected.

BZ#642695

The package has been updated to provide a fencing agent that is able to communicate with Red Hat Enterprise Virtualization Manager, allowing virtual machines to be fenced.

BZ#643340

For Intelligent Platform Management Interface (IPMI) devices, the "power_wait" delay can now be adjusted in order to support newer iLO 3 firmware.

BZ#643515

Brocade 200E, Brocade 300, Brocade 4100, Brocade 4900, and Brocade 5100 fencing devices are now supported by the fence_brocade agent, and can be used with both Red Hat High Availability and Red Hat Resilient Storage.

CVE-2010-3765

A race condition flaw was found in the way Firefox handled Document Object Model (DOM) element properties. Malicious HTML content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183, CVE-2010-3180

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2010-3177

A flaw was found in the way the Gopher parser in Firefox converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running Firefox, allow arbitrary JavaScript to be executed in the context of the Gopher domain.

CVE-2010-3178

A same-origin policy bypass flaw was found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim had loaded with Firefox.

CVE-2010-3182

A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Firefox, if that user ran Firefox from within an attacker-controlled directory.

CVE-2010-3766, CVE-2010-3767, CVE-2010-3772, CVE-2010-3776, CVE-2010-3777

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2010-3771

A flaw was found in the way Firefox handled malformed JavaScript. A website with an object containing malicious JavaScript could cause Firefox to execute that JavaScript with the privileges of the user running Firefox.

CVE-2010-3768

This update adds support for the Sanitiser for OpenType (OTS) library to Firefox. This library helps prevent potential exploits in malformed OpenType fonts by verifying the font file prior to use.

CVE-2010-3775

A flaw was found in the way Firefox loaded Java LiveConnect scripts. Malicious web content could load a Java LiveConnect script in a way that would result in the plug-in object having elevated privileges, allowing it to execute Java code with the privileges of the user running Firefox.

CVE-2010-3773

It was found that the fix for CVE-2010-0179 was incomplete when the Firebug add-on was used. If a user visited a website containing malicious JavaScript while the Firebug add-on was enabled, it could cause Firefox to execute arbitrary JavaScript with the privileges of the user running Firefox.

CVE-2010-3774

A flaw was found in the way Firefox presented the location bar to users. A malicious website could trick a user into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker.

CVE-2010-3770

A cross-site scripting (XSS) flaw was found in the Firefox x-mac-arabic, x-mac-farsi, and x-mac-hebrew character encodings. Certain characters were converted to angle brackets when displayed. If server-side script filtering missed these cases, it could result in Firefox executing JavaScript code with the permissions of a different website.

CVE-2010-1585

A flaw was found in the way Firefox sanitized HTML content in extensions. If an extension loaded or rendered malicious content using the ParanoidFragmentSink class, it could fail to safely display the content, causing Firefox to execute arbitrary JavaScript with the privileges of the user running Firefox.

CVE-2011-0051

A flaw was found in the way Firefox handled dialog boxes. An attacker could use this flaw to create a malicious web page that would present a blank dialog box that has non-functioning buttons. If a user closes the dialog box window, it could unexpectedly grant the malicious web page elevated privileges.

CVE-2011-0053, CVE-2011-0055, CVE-2011-0058, CVE-2011-0062

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2011-0054, CVE-2011-0056, CVE-2011-0057

Several flaws were found in the way Firefox handled malformed JavaScript. A website containing malicious JavaScript could cause Firefox to execute that JavaScript with the privileges of the user running Firefox.

CVE-2011-0061

A flaw was found in the way Firefox handled malformed JPEG images. A website containing a malicious JPEG image could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

CVE-2011-0059

A flaw was found in the way Firefox handled plug-ins that perform HTTP requests. If a plug-in performed an HTTP request, and the server sent a 307 redirect response, the plug-in was not notified, and the HTTP request was forwarded. The forwarded request could contain custom headers, which could result in a Cross Site Request Forgery attack.

BZ#463131, BZ#665031

On Red Hat Enterprise Linux 4 and 5, running the "firefox -setDefaultBrowser" command caused warnings such as the following:

libgnomevfs-WARNING **: Deprecated function.  User modifications to the MIME database are no longer supported.

This update disables the "setDefaultBrowser" option. Red Hat Enterprise Linux 4 users wishing to set a default web browser can use Applications -> Preferences -> More Preferences -> Preferred Applications. Red Hat Enterprise Linux 5 users can use System -> Preferences -> Preferred Applications.

BZ#689430

This erratum blacklists a small number of HTTPS certificates.

CVE-2011-0080, CVE-2011-0081

Several flaws were found in the processing of malformed web content. A web page containing malicious content could possibly lead to arbitrary code execution with the privileges of the user running Firefox.

CVE-2011-0078

An arbitrary memory write flaw was found in the way Firefox handled out-of-memory conditions. If all memory was consumed when a user visited a malicious web page, it could possibly lead to arbitrary code execution with the privileges of the user running Firefox.

CVE-2011-0077

An integer overflow flaw was found in the way Firefox handled the HTML frameset tag. A web page with a frameset tag containing large values for the "rows" and "cols" attributes could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Firefox.

CVE-2011-0075

A flaw was found in the way Firefox handled the HTML iframe tag. A web page with an iframe tag containing a specially-crafted source address could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Firefox.

CVE-2011-0074

A flaw was found in the way Firefox displayed multiple marquee elements. A malformed HTML document could cause Firefox to execute arbitrary code with the privileges of the user running Firefox.

CVE-2011-0073

A flaw was found in the way Firefox handled the nsTreeSelection element. Malformed content could cause Firefox to execute arbitrary code with the privileges of the user running Firefox.

CVE-2011-0072

A use-after-free flaw was found in the way Firefox appended frame and iframe elements to a DOM tree when the NoScript add-on was enabled. Malicious HTML content could cause Firefox to execute arbitrary code with the privileges of the user running Firefox.

CVE-2011-0071

A directory traversal flaw was found in the Firefox resource:// protocol handler. Malicious content could cause Firefox to access arbitrary files accessible to the user running Firefox.

CVE-2011-0070

A double free flaw was found in the way Firefox handled "application/http-index-format" documents. A malformed HTTP response could cause Firefox to execute arbitrary code with the privileges of the user running Firefox.

CVE-2011-0069

A flaw was found in the way Firefox handled certain JavaScript cross-domain requests. If malicious content generated a large number of cross-domain JavaScript requests, it could cause Firefox to execute arbitrary code with the privileges of the user running Firefox.

CVE-2011-0067

A flaw was found in the way Firefox displayed the autocomplete pop-up. Malicious content could use this flaw to steal form history information.

CVE-2011-0066, CVE-2011-0065

Two use-after-free flaws were found in the Firefox mObserverList and mChannel objects. Malicious content could use these flaws to execute arbitrary code with the privileges of the user running Firefox.

CVE-2011-1202

A flaw was found in the Firefox XSLT generate-id() function. This function returned the memory address of an object in memory, which could possibly be used by attackers to bypass address randomization protections.

CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652, CVE-2010-3654

This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB10-26.

Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content.

CVE-2010-3636

An input validation flaw was discovered in flash-plugin. Certain server encodings could lead to a bypass of cross-domain policy file restrictions, possibly leading to cross-domain information disclosure.

CVE-2010-2805, CVE-2010-3311

It was found that the FreeType font rendering engine improperly validated certain position values when processing input streams. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

CVE-2010-2808

A stack-based buffer overflow flaw was found in the way the FreeType font rendering engine processed some PostScript Type 1 fonts. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

CVE-2010-2806

An array index error was found in the way the FreeType font rendering engine processed certain PostScript Type 42 font files. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

CVE-2010-3855

A heap-based buffer overflow flaw was found in the way the FreeType font rendering engine processed certain TrueType GX fonts. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

Note

Note: This issue only affects the FreeType 2 font engine.