【CESA-2017:0190】An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7

CESA-2017:0190

An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat
Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

[Updated 21 February 2017]

This advisory has been updated to include Firefox packages for the PPC and S390
architectures that were previously omitted. For this revised update, packages
for all architectures were rebuilt. The rebuilt packages do not contain any new
code changes.

Mozilla Firefox is an open source web browser.

This update upgrades Firefox to version 45.7.0 ESR.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
(CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380,
CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jann Horn, Filipe Gomes, Muneaki Nishimura, Nils, Armin
Razmjou, Christian Holler, Gary Kwong, André Bargull, Jan de Mooij, Tom
Schuster, Oriol, Rh0, Nicolas Grégoire, and Jerri Rice as the original
reporters.

Bugs Fixed

1415924 – CVE-2017-5373 Mozilla: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (MFSA 2017-01)
1416271 – CVE-2017-5375 Mozilla: Excessive JIT code allocation allows bypass of ASLR and DEP (MFSA 2017-02)
1416272 – CVE-2017-5376 Mozilla: Use-after-free in XSL (MFSA 2017-02)
1416273 – CVE-2017-5378 Mozilla: Pointer and frame data leakage of Javascript objects (MFSA 2017-02)
1416274 – CVE-2017-5380 Mozilla: Potential use-after-free during DOM manipulations (MFSA 2017-02)
1416279 – CVE-2017-5390 Mozilla: Insecure communication methods in Developer Tools JSON viewer (MFSA 2017-02)
1416280 – CVE-2017-5396 Mozilla: Use-after-free with Media Decoder (MFSA 2017-02)
1416281 – CVE-2017-5383 Mozilla: Location bar spoofing with unicode characters (MFSA 2017-02)
1416282 – CVE-2017-5386 Mozilla: WebExtensions can use data: protocol to affect other extensions (MFSA 2017-02)

【CESA-2017:0184】An update for mysql is now available for Red Hat Enterprise Linux 6

CESA-2017:0184

An update for mysql is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

MySQL is a multi-user, multi-threaded SQL database server. It consists of the
MySQL server daemon (mysqld) and many client programs and libraries.

Security Fix(es):

* It was discovered that the MySQL logging functionality allowed writing to
MySQL configuration files. An administrative database user, or a database user
with FILE privileges, could possibly use this flaw to run arbitrary commands
with root privileges on the system running the database server. (CVE-2016-6662)
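
Added example (Python, not MySQL's own fix): an audit for the two conditions
the flaw above combines, a log target that resolves to a configuration file,
and a configuration file, or the directory it lives in, that the mysql service
account can write. The directory layout, the file modes and the rule that a
log path must not end in .cnf or .ini are this example's assumptions; the demo
uses the calling user's uid and gid in place of the mysql account.

```python
"""Audit helpers for the CVE-2016-6662 pattern: a MySQL log file setting that
lands on a configuration file which mysqld (or mysqld_safe, as root) later reads.
Added example; the .cnf/.ini rule and the layout are this example's assumptions."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Iterable, List

CONFIG_SUFFIXES = {".cnf", ".ini"}


def writable_by(path: Path, uid: int, gid: int) -> bool:
    """True if uid/gid could write path judging by its mode bits alone
    (the root override is deliberately ignored: mysqld should not be root)."""
    st = path.stat()
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def config_files_writable_by_service(config_paths: Iterable[str], uid: int, gid: int) -> List[str]:
    """Config files, and parent directories in which a new config file could be
    created, that the mysql service account can modify."""
    findings = []
    for p in (Path(c) for c in config_paths):
        if p.exists() and writable_by(p, uid, gid):
            findings.append(str(p))
        if p.parent.exists() and writable_by(p.parent, uid, gid):
            findings.append(str(p.parent) + "/")
    return findings


def log_target_is_config(log_file: str, config_paths: Iterable[str]) -> bool:
    """True if a general_log_file / slow_query_log_file value would land on a
    configuration file, by suffix or by resolving to a known config path."""
    target = Path(log_file).resolve(strict=False)
    if target.suffix.lower() in CONFIG_SUFFIXES:
        return True
    return any(target == Path(c).resolve(strict=False) for c in config_paths)


def demo() -> List[str]:
    """Constructed layout: a read-only etc/my.cnf next to a my.cnf inside the
    data directory, which the service account necessarily owns and can write.
    Returns the findings with the temporary root stripped off."""
    uid, gid = os.getuid(), os.getgid()  # stands in for the mysql account
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        etc_cnf = etc / "my.cnf"
        etc_cnf.write_text("[mysqld]\n")
        datadir = Path(root, "var", "lib", "mysql")
        datadir.mkdir(parents=True)
        data_cnf = datadir / "my.cnf"
        data_cnf.write_text("[mysqld]\n")
        etc_cnf.chmod(0o444)
        etc.chmod(0o555)
        try:
            findings = config_files_writable_by_service([str(etc_cnf), str(data_cnf)], uid, gid)
        finally:
            etc.chmod(0o755)  # so the temporary tree can be removed
        return [f[len(root):] for f in findings]


if __name__ == "__main__":
    print(demo())
    print(log_target_is_config("/var/lib/mysql/my.cnf", ["/etc/my.cnf"]))
```

The parent-directory check is the important one: the data directory must be
writable by the service account, so any configuration file the server reads
from inside it is one the server can also rewrite through its log settings.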

* A race condition was found in the way MySQL performed MyISAM engine table
repair. A database user with shell access to the server running mysqld could use
this flaw to change permissions of arbitrary files writable by the mysql system
user. (CVE-2016-6663, CVE-2016-5616)

Bugs Fixed

1375198 – CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation (CPU Oct 2016)
1378936 – CVE-2016-6663 CVE-2016-5616 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016)

【CESA-2017:0182】An update for squid is now available for Red Hat Enterprise Linux 7

CESA-2017:0182

An update for squid is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Squid is a high-performance proxy caching server for web clients, supporting
FTP, Gopher, and HTTP data objects.

Security Fix(es):

* It was found that squid did not properly remove connection-specific headers
when answering conditional requests from a cached response. A remote attacker
could send a specially crafted request to an HTTP server via the squid proxy and
steal private data from other connections. (CVE-2016-10002)

Bugs Fixed

1405941 – CVE-2016-10002 squid: Information disclosure in HTTP request processing

【CESA-2017:0183】An update for squid34 is now available for Red Hat Enterprise Linux 6

CESA-2017:0183

An update for squid34 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The squid34 packages provide version 3.4 of Squid, a high-performance proxy
caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

* It was found that squid did not properly remove connection-specific headers
when answering conditional requests from a cached response. A remote attacker
could send a specially crafted request to an HTTP server via the squid proxy and
steal private data from other connections. (CVE-2016-10002)
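
Added example (Python, not Squid's code) for the flaw described in this
advisory and in CESA-2017:0182 above: the header handling a cache has to apply
when it answers a conditional request from a stored response. The cached
response, the client request and the X-Session-Token header are constructed
for the example; the hop-by-hop header set is the one RFC 7230 section 6.1
defines.

```python
"""Reusing a cached response for a conditional request without leaking
connection-specific headers (the CVE-2016-10002 failure mode).
Added example, not Squid code; the messages below are constructed."""
from typing import List, Optional, Set, Tuple

Header = Tuple[str, str]

# Hop-by-hop headers (RFC 7230 section 6.1): they describe the connection a
# message arrived on and must not be stored in, or served from, a cache.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Headers a 304 may carry from the cached entry (validators and metadata,
# RFC 7232 section 4.1); everything else stays with the stored entry.
NOT_MODIFIED_ALLOWED = {"cache-control", "content-location", "date", "etag", "expires", "vary"}


def header_value(headers: List[Header], name: str) -> Optional[str]:
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def connection_tokens(headers: List[Header]) -> Set[str]:
    """Header names a Connection: header declares connection-specific."""
    tokens: Set[str] = set()
    for n, v in headers:
        if n.lower() == "connection":
            tokens.update(t.strip().lower() for t in v.split(",") if t.strip())
    return tokens


def strip_connection_specific(headers: List[Header]) -> List[Header]:
    """Drop the standard hop-by-hop set plus anything named in Connection:."""
    drop = HOP_BY_HOP | connection_tokens(headers)
    return [(n, v) for n, v in headers if n.lower() not in drop]


def _opaque(etag: str) -> str:
    return etag[2:] if etag.startswith("W/") else etag


def etag_matches(if_none_match: str, etag: str) -> bool:
    """Weak comparison (RFC 7232 section 2.3.2), as If-None-Match requires."""
    if if_none_match.strip() == "*":
        return True
    return any(_opaque(c.strip()) == _opaque(etag) for c in if_none_match.split(","))


def answer_from_cache(request: List[Header], status: int, cached: List[Header]) -> Tuple[int, List[Header]]:
    """Serve a cache hit. Connection-specific headers are removed before the
    stored header block is reused, whether or not the answer is a 304."""
    clean = strip_connection_specific(cached)
    inm = header_value(request, "if-none-match")
    etag = header_value(cached, "etag")
    if inm is not None and etag is not None and etag_matches(inm, etag):
        return 304, [(n, v) for n, v in clean if n.lower() in NOT_MODIFIED_ALLOWED]
    return status, clean


# Constructed cached response: the origin declared X-Session-Token
# connection-specific, so it belongs to the first client's connection only.
CACHED_STATUS = 200
CACHED_HEADERS: List[Header] = [
    ("Date", "Tue, 17 Jan 2017 10:00:00 GMT"),
    ("ETag", '"v1"'),
    ("Cache-Control", "max-age=3600"),
    ("Connection", "close, X-Session-Token"),
    ("X-Session-Token", "user42-private-token"),
    ("Keep-Alive", "timeout=5"),
    ("Content-Type", "text/html"),
]


def demo() -> Tuple[int, List[Header]]:
    """A second client's conditional GET gets a 304 that carries no private token."""
    request = [("Host", "example.test"), ("If-None-Match", '"v1"')]
    return answer_from_cache(request, CACHED_STATUS, CACHED_HEADERS)


if __name__ == "__main__":
    print(demo())
```

The stripping happens on the stored headers before either branch, so the
unconditional hit is cleaned as well; a cache that only filters the 304 path
still leaks on the next full response.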

Bugs Fixed

1405941 – CVE-2016-10002 squid: Information disclosure in HTTP request processing

【CESA-2017:0180】An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7

CESA-2017:0180

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6
and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment
and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* It was discovered that the RMI registry and DGC (distributed garbage
collector) implementations in the RMI component of OpenJDK performed
deserialization of untrusted inputs. A remote attacker could possibly use this
flaw to execute arbitrary code with the privileges of the RMI registry or of a
Java RMI application. (CVE-2017-3241)

This issue was addressed by introducing whitelists of classes that can be
deserialized by the RMI registry or DGC. These whitelists can be customized
using the newly introduced sun.rmi.registry.registryFilter and
sun.rmi.transport.dgcFilter security properties.

* Multiple flaws were discovered in the Libraries and Hotspot components in
OpenJDK. An untrusted Java application or applet could use these flaws to
completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289)

* A covert timing channel flaw was found in the DSA implementation in the
Libraries component of OpenJDK. A remote attacker could possibly use this flaw
to extract certain information about the used key via a timing side channel.
(CVE-2016-5548)

* It was discovered that the Libraries component of OpenJDK accepted ECDSA
signatures using non-canonical DER encoding. This could cause a Java application
to accept signatures in an incorrect format that other cryptographic tools
reject. (CVE-2016-5546)

* It was discovered that the 2D component of OpenJDK performed parsing of iTXt
and zTXt PNG image chunks even when configured to ignore metadata. An attacker
able to make a Java application parse a specially crafted PNG image could cause
the application to consume an excessive amount of memory. (CVE-2017-3253)

* It was discovered that the Libraries component of OpenJDK did not validate the
length of the object identifier read from the DER input before allocating memory
to store the OID. An attacker able to make a Java application decode a specially
crafted DER input could cause the application to consume an excessive amount of
memory. (CVE-2016-5547)
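
The ECDSA (CVE-2016-5546) and OID (CVE-2016-5547) fixes above are both
strict-DER checks, so one added example covers them (Python, not OpenJDK
code): a small DER reader that rejects non-canonical lengths and non-minimal
INTEGER encodings in an ECDSA signature, and bounds every declared length by
the input that is actually present before it materialises the value, which is
the check the OID decoder lacked. The byte strings are constructed for the
example; the rules applied are those of X.690 DER.

```python
"""Strict DER decoding of the kind behind CVE-2016-5546 (non-canonical ECDSA
signature encodings) and CVE-2016-5547 (OID length unchecked before allocation).
Added example, not OpenJDK code; the sample encodings are constructed."""
from typing import Callable, Tuple


class DERError(ValueError):
    """Raised for any encoding that is not canonical DER."""


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at buf[pos]; return (tag, value, next_pos).
    Rejects indefinite and non-minimal lengths and bounds the declared length
    by the bytes present before any value is sliced or allocated."""
    if pos + 2 > len(buf):
        raise DERError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise DERError("indefinite length is not DER")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(buf):
            raise DERError("length-of-length overruns the input")
        lenbytes = buf[pos:pos + nbytes]
        pos += nbytes
        if lenbytes[0] == 0:
            raise DERError("non-minimal long-form length")
        length = int.from_bytes(lenbytes, "big")
        if length < 0x80:
            raise DERError("long form used for a length that fits the short form")
    if length > len(buf) - pos:  # the CVE-2016-5547 class of check
        raise DERError("declared length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length


def parse_integer(value: bytes) -> int:
    """DER INTEGER content: two's complement in the minimal number of octets."""
    if not value:
        raise DERError("empty INTEGER")
    if len(value) > 1:
        if value[0] == 0x00 and not value[1] & 0x80:
            raise DERError("non-minimal INTEGER: redundant leading 0x00")
        if value[0] == 0xFF and value[1] & 0x80:
            raise DERError("non-minimal INTEGER: redundant leading 0xFF")
    return int.from_bytes(value, "big", signed=True)


def parse_ecdsa_signature(sig: bytes) -> Tuple[int, int]:
    """Ecdsa-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }, strictly encoded."""
    tag, body, end = read_tlv(sig, 0)
    if tag != 0x30:
        raise DERError("expected SEQUENCE")
    if end != len(sig):
        raise DERError("trailing bytes after the signature")
    tag_r, r_bytes, pos = read_tlv(body, 0)
    tag_s, s_bytes, pos = read_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02 or pos != len(body):
        raise DERError("expected exactly two INTEGERs")
    r, s = parse_integer(r_bytes), parse_integer(s_bytes)
    if r <= 0 or s <= 0:
        raise DERError("r and s must be positive")
    return r, s


def parse_oid(der: bytes) -> str:
    """OBJECT IDENTIFIER in dotted form; sub-identifiers are base-128, minimal."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x06 or end != len(der) or not body:
        raise DERError("expected a non-empty OBJECT IDENTIFIER")
    arcs, acc, at_start = [], 0, True
    for b in body:
        if at_start and b == 0x80:
            raise DERError("non-minimal sub-identifier")
        acc, at_start = (acc << 7) | (b & 0x7F), False
        if not b & 0x80:
            arcs.append(acc)
            acc, at_start = 0, True
    if not at_start:
        raise DERError("unterminated sub-identifier")
    x = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(n) for n in [x, arcs[0] - 40 * x] + arcs[1:])


def rejects(parser: Callable[[bytes], object], data: bytes) -> bool:
    """True if the strict parser refuses data."""
    try:
        parser(data)
    except DERError:
        return True
    return False


# Constructed samples: the canonical signature for r=1, s=128 and encodings
# of the same values that a lenient decoder would also accept.
CANONICAL_SIG = bytes.fromhex("3007" "020101" "02020080")
PADDED_INTEGER = bytes.fromhex("3008" "02020001" "02020080")  # r encoded as 00 01
LONG_FORM_LENGTH = bytes.fromhex("308107" "020101" "02020080")  # 81 07 for length 7
OVERLONG_CLAIM = bytes.fromhex("3007" "020101" "020200")  # claims 7 bytes, has 6
ECDSA_SHA256_OID = bytes.fromhex("06082a8648ce3d040302")  # 1.2.840.10045.4.3.2
OID_OVERLONG_CLAIM = bytes.fromhex("067f2a8648ce3d040302")  # claims 127 bytes, has 8
```

The length bound in read_tlv is checked against the remaining input before
the value is sliced; a decoder that first allocates a buffer of the declared
size and only then reads into it is the shape that turns a crafted length
byte into memory exhaustion.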

* It was discovered that the JAAS component of OpenJDK did not use the correct
way to extract user DN from the result of the user search LDAP query. A
specially crafted user LDAP entry could cause the application to use an
incorrect DN. (CVE-2017-3252)

* It was discovered that the Networking component of OpenJDK failed to properly
parse user info from the URL. A remote attacker could cause a Java application
to incorrectly parse an attacker supplied URL and interpret it differently from
other applications processing the same URL. (CVE-2016-5552)

* Multiple flaws were found in the Networking components in OpenJDK. An
untrusted Java application or applet could use these flaws to bypass certain
Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231)

* A flaw was found in the way the DES/3DES cipher was used as part of the
TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover
some plaintext data by capturing large amounts of encrypted traffic between
TLS/SSL server and client if the communication used a DES/3DES based
ciphersuite. (CVE-2016-2183)

This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to
the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms
security property) so they are only used if connecting TLS/SSL client and server
do not share any other non-legacy cipher suite.

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited without
user interaction if a user visited a malicious website.

Bugs Fixed

1369383 – CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1413554 – CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344)
1413562 – CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104)
1413583 – CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988)
1413653 – CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147)
1413717 – CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934)
1413764 – CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705)
1413882 – CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223)
1413906 – CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743)
1413911 – CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714)
1413920 – CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728)
1413955 – CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802)

【CESA-2017:0086】An update for kernel is now available for Red Hat Enterprise Linux 7

CESA-2017:0086

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

These updated kernel packages include several security issues and numerous bug
fixes, some of which you can see below. Space precludes documenting all of these
bug fixes in this advisory. To see the complete list of bug fixes, users are
directed to the related Knowledge Article:
https://access.redhat.com/articles/2857831.

Security Fix(es):

* A use-after-free vulnerability was found in the kernel's socket recvmmsg
subsystem. This may allow remote attackers to corrupt memory and may allow
execution of arbitrary code. This corruption takes place during the error
handling routines within the __sys_recvmmsg() function. (CVE-2016-7117,
Important)

* A use-after-free vulnerability was found in tcp_xmit_retransmit_queue and
other tcp_* functions. This condition could allow an attacker to send an
incorrect selective acknowledgment to existing connections, possibly resetting a
connection. (CVE-2016-6828, Moderate)

* A flaw was found in the Linux kernel's implementation of the SCTP protocol. A
remote attacker could trigger an out-of-bounds read with an offset of up to
64 kB, potentially causing the system to crash. (CVE-2016-9555, Moderate)

Bug Fix(es):

* Previously, the performance of Internet Protocol over InfiniBand (IPoIB) was
suboptimal due to a conflict of IPoIB with the Generic Receive Offload (GRO)
infrastructure. With this update, the data cached by the IPoIB driver has been
moved from a control block into the IPoIB hard header, thus avoiding the GRO
problem and the corruption of IPoIB address information. As a result, the
performance of IPoIB has been improved. (BZ#1390668)

* Previously, when a virtual machine (VM) with PCI-Passthrough interfaces was
recreated, a race condition between the eventfd daemon and the virqfd daemon
occurred. Consequently, the operating system rebooted. This update fixes the
race condition. As a result, the operating system no longer reboots in the
described situation. (BZ#1391611)

* Previously, packet loss occurred when the team driver in round-robin mode
was sending a large number of packets. This update fixes counting of the packets
in the round-robin runner of the team driver, and the packet loss no longer
occurs in the described situation. (BZ#1392023)

* Previously, the virtual network devices contained in a deleted namespace
could be deleted in any order. If the loopback device was not deleted as the
last item, other netns devices, such as vxlan devices, could end up with
dangling references to the loopback device. Consequently, deleting a network
namespace (netns) occasionally ended with a kernel oops. With this update, the
underlying source code has been fixed to ensure the correct order when deleting
the virtual network devices on netns deletion. As a result, the kernel oops no
longer occurs under the described circumstances. (BZ#1392024)

* Previously, a Kabylake system with a Sunrise Point Platform Controller Hub
(PCH) with a PCI device ID of 0xA149 showed the following warning messages
during boot:

"Unknown Intel PCH (0xa149) detected."
"Warning: Intel Kabylake processor with unknown PCH - this hardware has not
undergone testing by Red Hat and might not be certified. Please consult
https://hardware.redhat.com for certified hardware."

The messages were shown because this PCH was not properly recognized. With this
update, the problem has been fixed, and the operating system now boots without
displaying the warning messages. (BZ#1392033)

* Previously, the operating system occasionally became unresponsive after
running for a long time. This was caused by a race condition between the
try_to_wake_up() function and a woken-up task in the core scheduler. With this
update, the race condition has been fixed, and the operating system no longer
locks up in the described scenario. (BZ#1393719)

Bugs Fixed

1367091 – CVE-2016-6828 kernel: Use after free in tcp_xmit_retransmit_queue
1382268 – CVE-2016-7117 kernel: Use-after-free in the recvmmsg exit path
1397930 – CVE-2016-9555 kernel: Slab

【CESA-2017:0083】An update for qemu-kvm is now available for Red Hat Enterprise Linux 7

CESA-2017:0083

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux
on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space
component for running virtual machines using KVM.

Security Fix(es):

* An out-of-bounds read flaw was found in the IP checksum routines of the QEMU
emulator. The flaw could occur when computing a TCP/UDP packet's checksum,
because a QEMU function used the packet's payload length without checking it
against the size of the data buffer. A user inside a guest could use this flaw
to crash the QEMU process (denial of service). (CVE-2016-2857)

Red Hat would like to thank Ling Liu (Qihoo 360 Inc.) for reporting this issue.

Bug Fix(es):

* Previously, rebooting a guest virtual machine more than 128 times in a short
period of time caused the guest to shut down instead of rebooting, because the
virtqueue was not cleaned properly. This update ensures that the virtqueue is
cleaned more reliably, which prevents the described problem from occurring.
(BZ#1393484)

Bugs Fixed

1296567 – CVE-2016-2857 Qemu: net: out of bounds read in net_checksum_calculate()

【CESA-2017:0062】An update for bind is now available for Red Hat Enterprise Linux 7

CESA-2017:0062

An update for bind is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND processed a response to an
ANY query. A remote attacker could use this flaw to make named exit unexpectedly
with an assertion failure via a specially crafted DNS response. (CVE-2016-9131)

* A denial of service flaw was found in the way BIND handled a query response
containing inconsistent DNSSEC information. A remote attacker could use this
flaw to make named exit unexpectedly with an assertion failure via a specially
crafted DNS response. (CVE-2016-9147)

* A denial of service flaw was found in the way BIND handled an unusually-formed
DS record response. A remote attacker could use this flaw to make named exit
unexpectedly with an assertion failure via a specially crafted DNS response.
(CVE-2016-9444)

Red Hat would like to thank ISC for reporting these issues.

Bugs Fixed

1411348 – CVE-2016-9131 bind: assertion failure while processing response to an ANY query
1411367 – CVE-2016-9147 bind: assertion failure while handling a query response containing inconsistent DNSSEC information
1411377 – CVE-2016-9444 bind: assertion failure while handling an unusually-formed DS record response

【CESA-2017:0064】An update for bind97 is now available for Red Hat Enterprise Linux 5

CESA-2017:0064

An update for bind97 is now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND handled a query response
containing inconsistent DNSSEC information. A remote attacker could use this
flaw to make named exit unexpectedly with an assertion failure via a specially
crafted DNS response. (CVE-2016-9147)

Red Hat would like to thank ISC for reporting this issue.

Bugs Fixed

1411367 – CVE-2016-9147 bind: assertion failure while handling a query response containing inconsistent DNSSEC information