【CESA-2017:1108】An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7

CESA-2017:1108

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux
7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment
and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* An untrusted library search path flaw was found in the JCE component of
OpenJDK. A local attacker could possibly use this flaw to cause a Java
application using JCE to load an attacker-controlled library and hence escalate
their privileges. (CVE-2017-3511)

* It was found that the JAXP component of OpenJDK failed to correctly enforce
parse tree size limits when parsing XML documents. An attacker able to make a
Java application parse a specially crafted XML document could use this flaw to
make it consume an excessive amount of CPU and memory. (CVE-2017-3526)

* It was discovered that the HTTP client implementation in the Networking
component of OpenJDK could cache and re-use an NTLM authenticated connection in
a different security context. A remote attacker could possibly use this flaw to
make a Java application perform HTTP requests authenticated with credentials of
a different user. (CVE-2017-3509)

Note: This update adds support for the “jdk.ntlm.cache” system property which,
when set to false, prevents caching of NTLM connections and authentications and
hence prevents this issue. However, caching remains enabled by default.

* It was discovered that the Security component of OpenJDK did not allow users
to restrict the set of algorithms allowed for Jar integrity verification. This
flaw could allow an attacker to modify the content of a Jar file that used a
weak signing key or hash algorithm. (CVE-2017-3539)

Note: This update extends the fix for CVE-2016-5542 released as part of the
RHSA-2016:2079 erratum to no longer allow the MD5 hash algorithm during Jar
integrity verification by adding it to the jdk.jar.disabledAlgorithms security
property.

* Newline injection flaws were discovered in FTP and SMTP client implementations
in the Networking component in OpenJDK. A remote attacker could possibly use
these flaws to manipulate FTP or SMTP connections established by a Java
application. (CVE-2017-3533, CVE-2017-3544)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited without
user interaction if a user visited a malicious website.
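The note on CVE-2017-3539 above says the fix adds MD5 to the jdk.jar.disabledAlgorithms security property. The following added example (not OpenJDK's code) reads that property from a java.security file, including backslash-continued lines, and reports whether MD5 is unconditionally disabled for Jar verification; the file excerpt embedded in it is constructed for the example.

```python
# Added example, not part of OpenJDK: check jdk.jar.disabledAlgorithms in a
# java.security file for an unconditional MD5 entry (the CVE-2017-3539 fix).
import re
from typing import Dict, List

# Constructed excerpt in java.security (java.util.Properties) syntax.
SAMPLE_JAVA_SECURITY = """\
# constructed sample, not a real distribution file
securerandom.source=file:/dev/random
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
      DSA keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_java_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key=value
    or key:value, and trailing-backslash line continuation (leading
    whitespace of a continuation line is dropped, as Java does)."""
    props: Dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        m = _KV.match(logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props


def disabled_entries(props: Dict[str, str], name: str) -> List[str]:
    """Split a *.disabledAlgorithms value into its individual constraints."""
    return [e.strip() for e in props.get(name, "").split(",") if e.strip()]


def algorithm_disabled(entries: List[str], algorithm: str) -> bool:
    """True only for an unconditional entry such as 'MD5' (case-insensitive).
    Qualified entries such as 'RSA keySize < 1024' are conditional and are
    deliberately not treated as disabling the whole algorithm."""
    return any(e.upper() == algorithm.upper() for e in entries)


def jar_md5_disabled(java_security_text: str) -> bool:
    """Does this java.security content disable MD5 for Jar verification?"""
    props = parse_java_properties(java_security_text)
    entries = disabled_entries(props, "jdk.jar.disabledAlgorithms")
    return algorithm_disabled(entries, "MD5")


if __name__ == "__main__":
    print("MD5 disabled for Jar verification:", jar_md5_disabled(SAMPLE_JAVA_SECURITY))
```

On a real host, read `$JAVA_HOME/jre/lib/security/java.security` and pass its text to `jar_md5_disabled`.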

Bug Fix(es):

* When a method is called using the Java Debug Wire Protocol (JDWP)
“invokeMethod” command in a target Java virtual machine, JDWP creates global
references for every Object that is implied in the method invocation, as well as
for the returned argument of the reference type. Previously, the global
references created for such arguments were not collected (deallocated) by the
garbage collector after “invokeMethod” finished. This consequently caused memory
leaks, and because references to such objects were never released, the debugged
application could be terminated with an Out of Memory error. This bug has been
fixed, and the described problem no longer occurs. (BZ#1442162)

Bugs Fixed

1442162 – Using jdb triggers OOME on the debugged application
1443007 – CVE-2017-3511 OpenJDK: untrusted extension directories search path in Launcher (JCE, 8163528)
1443052 – CVE-2017-3509 OpenJDK: improper re-use of NTLM authenticated connections (Networking, 8163520)
1443068 – CVE-2017-3544 OpenJDK: newline injection in the SMTP client (Networking, 8171533)
1443083 – CVE-2017-3533 OpenJDK: newline injection in the FTP client (Networking, 8170222)
1443097 – CVE-2017-3539 OpenJDK: MD5 allowed for jar verification (Security, 8171121)
1443252 – CVE-2017-3526 OpenJDK: incomplete XML parse tree size enforcement (JAXP, 8169011)


【CESA-2017:1106】An update for firefox is now available for Red Hat Enterprise Linux 7

CESA-2017:1106

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Mozilla Firefox is an open source web browser.

This update upgrades Firefox to version 52.1.0 ESR.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
(CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434,
CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439,
CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444,
CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449,
CVE-2017-5451, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5459,
CVE-2017-5460, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467,
CVE-2017-5469)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Mozilla developers and community, Nils, Holger Fuhrmannek,
Atte Kettunen, Takeshi Terada, Huzaifa Sidhpurwala, Nicolas Grégoire, Chamal De
Silva, Chun Han Hsiao, Ivan Fratric of Google Project Zero, Anonymous working
with Trend Micro’s Zero Day Initiative, Haik Aftandilian, Paul Theriault, Julian
Hector, Petr Cerny, Jordi Chancel, and Heather Miller of Google Skia team as the
original reporters.

Bugs Fixed

1443297 – CVE-2017-5456 Mozilla: Sandbox escape allowing local file system read access (MFSA 2017-12)
1443298 – CVE-2017-5442 Mozilla: Use-after-free during style changes (MFSA 2017-11, MFSA 2017-12)
1443299 – CVE-2017-5443 Mozilla: Out-of-bounds write during BinHex decoding (MFSA 2017-11, MFSA 2017-12)
1443301 – CVE-2017-5429 Mozilla: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 (MFSA 2017-11, MFSA 2017-12)
1443303 – CVE-2017-5464 Mozilla: Memory corruption with accessibility and DOM manipulation (MFSA 2017-11, MFSA 2017-12)
1443304 – CVE-2017-5465 Mozilla: Out-of-bounds read in ConvolvePixel (MFSA 2017-11, MFSA 2017-12)
1443305 – CVE-2017-5466 Mozilla: Origin confusion when reloading isolated data:text/html URL (MFSA 2017-12)
1443307 – CVE-2017-5467 Mozilla: Memory corruption when drawing Skia content (MFSA 2017-12)
1443308 – CVE-2017-5460 Mozilla: Use-after-free in frame selection (MFSA 2017-11, MFSA 2017-12)
1443310 – CVE-2017-5448 Mozilla: Out-of-bounds write in ClearKeyDecryptor (MFSA 2017-11, MFSA 2017-12)
1443311 – CVE-2017-5449 Mozilla: Crash during bidirectional unicode manipulation with animation (MFSA 2017-11, MFSA 2017-12)
1443312 – CVE-2017-5446 Mozilla: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data (MFSA 2017-11, MFSA 2017-12)
1443313 – CVE-2017-5447 Mozilla: Out-of-bounds read during glyph processing (MFSA 2017-11, MFSA 2017-12)
1443314 – CVE-2017-5444 Mozilla: Buffer overflow while parsing application/http-index-format content (MFSA 2017-11, MFSA 2017-12)
1443315 – CVE-2017-5445 Mozilla: Uninitialized values used while parsing application/http-index-format content (MFSA 2017-11, MFSA 2017-12)
1443317 – CVE-2017-5469 Mozilla: Potential Buffer overflow in flex-generated code (MFSA 2017-11, MFSA 2017-12)
1443322 – CVE-2017-5440 Mozilla: Use-after-free in txExecutionState destructor during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443323 – CVE-2017-5441 Mozilla: Use-after-free with selection during scroll events (MFSA 2017-11, MFSA 2017-12)
1443324 – CVE-2017-5439 Mozilla: Use-after-free in nsTArray Length() during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443325 – CVE-2017-5438 Mozilla: Use-after-free in nsAutoPtr during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443326 – CVE-2017-5437 Mozilla: Vulnerabilities in libevent library (MFSA 2017-11, MFSA 2017-12)
1443327 – CVE-2017-5436 Mozilla: Out-of-bounds write with malicious font in Graphite 2 (MFSA 2017-11, MFSA 2017-12)
1443328 – CVE-2017-5435 Mozilla: Use-after-free during transaction processing in the editor (MFSA 2017-11, MFSA 2017-12)
1443329 – CVE-2017-5434 Mozilla: Use-after-free during focus handling (MFSA 2017-11, MFSA 2017-12)
1443330 – CVE-2017-5433 Mozilla: Use-after-free in SMIL animation functions (MFSA 2017-11, MFSA 2017-12)
1443331 – CVE-2017-5430 Mozilla: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 (MFSA 2017-12)
1443332 – CVE-2017-5432 Mozilla: Use-after-free in text input selection (MFSA 2017-11, MFSA 2017-12)
1443333 – CVE-2017-5459 Mozilla: Buffer overflow in WebGL (MFSA 2017-11, MFSA 2017-12)
1443334 – CVE-2017-5455 Mozilla: Sandbox escape through internal feed reader APIs (MFSA 2017-12)
1443338 – CVE-2017-5454 Mozilla: Sandbox escape allowing file system read access through file picker (MFSA 2017-12)
1443340 – CVE-2017-5451 Mozilla: Addressbar spoofing with onblur event (MFSA 2017-12)

【CESA-2017:1100】An update for nss and nss-util is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7

CESA-2017:1100

An update for nss and nss-util is now available for Red Hat Enterprise Linux 6
and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Network Security Services (NSS) is a set of libraries designed to support the
cross-platform development of security-enabled client and server applications.

The nss-util packages provide utilities for use with the Network Security
Services (NSS) libraries.

The following packages have been upgraded to a newer upstream version: nss
(3.28.4), nss-util (3.28.4).

Security Fix(es):

* An out-of-bounds write flaw was found in the way NSS performed certain
Base64-decoding operations. An attacker could use this flaw to create a
specially crafted certificate which, when parsed by NSS, could cause it to crash
or execute arbitrary code, using the permissions of the user running an
application compiled against the NSS library. (CVE-2017-5461)

Red Hat would like to thank the Mozilla project for reporting this issue.
Upstream acknowledges Ronald Crane as the original reporter.

Bugs Fixed

1440080 – CVE-2017-5461 nss: Write beyond bounds caused by bugs in Base64 de/encoding in nssb64d.c and nssb64e.c (MFSA 2017-10)

【CESA-2017:1095】An update for bind is now available for Red Hat Enterprise Linux 7

CESA-2017:1095

An update for bind is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND handled a query response
containing CNAME or DNAME resource records in an unusual order. A remote
attacker could use this flaw to make named exit unexpectedly with an assertion
failure via a specially crafted DNS response. (CVE-2017-3137)

* A denial of service flaw was found in the way BIND handled query requests when
using DNS64 with the “break-dnssec yes” option. A remote attacker could use this
flaw to make named exit unexpectedly with an assertion failure via a specially
crafted DNS request. (CVE-2017-3136)

Red Hat would like to thank ISC for reporting these issues. Upstream
acknowledges Oleg Gorokhov (Yandex) as the original reporter of CVE-2017-3136.

Bugs Fixed

1441125 – CVE-2017-3136 bind: Incorrect error handling causes assertion failure when using DNS64 with “break-dnssec yes;”
1441133 – CVE-2017-3137 bind: Processing a response containing CNAME or DNAME with unusual order can crash resolver

【CESA-2017:0987】An update for qemu-kvm is now available for Red Hat Enterprise Linux 7

CESA-2017:0987

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux
on a variety of architectures. The qemu-kvm packages provide the user-space
component for running virtual machines that use KVM.

Security Fix(es):

* A heap buffer overflow flaw was found in QEMU’s Cirrus CLGD 54xx VGA
emulator’s VNC display driver support; the issue could occur when a VNC client
attempted to update its display after a VGA operation was performed by a guest. A
privileged user/process inside a guest could use this flaw to crash the QEMU
process or, potentially, execute arbitrary code on the host with privileges of
the QEMU process. (CVE-2016-9603)

Bugs Fixed

1430056 – CVE-2016-9603 Qemu: cirrus: heap buffer overflow via vnc connection

【CESA-2017:0979】An update for libreoffice is now available for Red Hat Enterprise Linux 6

CESA-2017:0979

An update for libreoffice is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

LibreOffice is an open source, community-developed office productivity suite. It
includes key desktop applications, such as a word processor, a spreadsheet, a
presentation manager, a formula editor, and a drawing program. LibreOffice
replaces OpenOffice and provides a similar but enhanced and extended office
suite.

Security Fix(es):

* It was found that LibreOffice disclosed contents of a file specified in an
embedded object’s preview. An attacker could potentially use this flaw to expose
details of a system running LibreOffice as an online service via a crafted
document. (CVE-2017-3157)

Bugs Fixed

1425844 – CVE-2017-3157 libreoffice: Arbitrary file disclosure in Calc and Writer

【CESA-2017:0933】An update for kernel is now available for Red Hat Enterprise Linux 7

CESA-2017:0933

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

These updated kernel packages include several security issues and numerous bug
fixes. Space precludes documenting all of these bug fixes in this advisory. To
see the complete list of bug fixes, users are directed to the related Knowledge
Article: https://access.redhat.com/articles/2986951.

Security Fix(es):

* A race condition flaw was found in the N_HDLC Linux kernel driver when
accessing the n_hdlc.tbuf list, which can lead to a double free. A local,
unprivileged user able to set the HDLC line discipline on the tty device could
use this flaw to increase their privileges on the system. (CVE-2017-2636,
Important)

* A flaw was found in the Linux kernel key management subsystem in which a local
attacker could crash the kernel or corrupt the stack and additional memory
(denial of service) by supplying a specially crafted RSA key. This flaw panics
the machine during the verification of the RSA key. (CVE-2016-8650, Moderate)

* A flaw was found in the Linux kernel’s implementation of setsockopt for the
SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace
CAP_NET_ADMIN are able to trigger this call and create a situation in which the
socket’s send buffer size could be negative. This could adversely affect memory
allocations and create situations where the system could crash or cause memory
corruption. (CVE-2016-9793, Moderate)

* A flaw was found in the Linux kernel’s handling of clearing SELinux attributes
on /proc/pid/attr files. An empty (null) write to this file can crash the system
by causing the system to attempt to access unmapped kernel memory.
(CVE-2017-2618, Moderate)

Red Hat would like to thank Alexander Popov for reporting CVE-2017-2636 and Ralf
Spenneberg for reporting CVE-2016-8650. The CVE-2017-2618 issue was discovered
by Paul Moore (Red Hat Engineering).

Bugs Fixed

1395187 – CVE-2016-8650 kernel: Null pointer dereference via keyctl
1402013 – CVE-2016-9793 kernel: Signed overflow for SO_{SND|RCV}BUFFORCE
1419916 – CVE-2017-2618 kernel: Off-by-one error in selinux_setprocattr (/proc/self/attr/fscreate)
1428319 – CVE-2017-2636 kernel: Race condition access to n_hdlc.tbuf causes double free in n_hdlc_release()

【CESA-2017:0935】An update for tomcat is now available for Red Hat Enterprise Linux 7

CESA-2017:0935

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages
(JSP) technologies.

Security Fix(es):

* It was discovered that the code that parsed the HTTP request line permitted
invalid characters. This could be exploited, in conjunction with a proxy that
also permitted the invalid characters but with a different interpretation, to
inject data into the HTTP response. By manipulating the HTTP response the
attacker could poison a web cache, perform an XSS attack, or obtain sensitive
information from requests other than their own. (CVE-2016-6816)

Note: This fix causes Tomcat to respond with an HTTP 400 Bad Request error when a
request contains characters that the HTTP specification does not permit to
appear unencoded, even though they were previously accepted. The newly
introduced system property tomcat.util.http.parser.HttpParser.requestTargetAllow
can be used to configure Tomcat to accept curly braces ({ and }) and the pipe
symbol (|) in unencoded form, as these are often used in URLs without being
properly encoded.

* A bug was discovered in the error handling of the send file code for the NIO
HTTP connector. This led to the current Processor object being added to the
Processor cache multiple times, allowing information leakage between requests
including, but not limited to, the session ID and the response body. (CVE-2016-8745)
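The CVE-2016-6816 note above describes the strict request-target check that now returns 400 Bad Request, together with the requestTargetAllow property that re-admits a few characters. The following added example (not Tomcat's code) implements the same kind of check in Python: the request target is validated against the RFC 3986 character classes that may appear unencoded, with an optional allow set mirroring that property; the request lines it is run on are constructed for the example.

```python
# Added example, not Tomcat's own parser: reject request targets that carry
# characters the HTTP specification does not allow unencoded (the behaviour
# the CVE-2016-6816 fix introduces), with an opt-in allow set that plays the
# role of tomcat.util.http.parser.HttpParser.requestTargetAllow.
import string
from typing import Tuple

# RFC 3986 characters permitted unencoded in path and query:
# unreserved / sub-delims / ":" / "@" / "/" / "?"
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
_SUB_DELIMS = set("!$&'()*+,;=")
_ALLOWED = _UNRESERVED | _SUB_DELIMS | set(":@/?")
_HEX = set(string.hexdigits)


def validate_request_target(target: str, allow: str = "") -> Tuple[bool, str]:
    """Return (ok, reason). `allow` lists extra characters accepted unencoded,
    e.g. "{}|" to reproduce the relaxed setting the advisory note describes."""
    if not target:
        return False, "empty request target"
    extra = set(allow)
    i, n = 0, len(target)
    while i < n:
        ch = target[i]
        if ch == "%":
            # pct-encoded is exactly "%" HEXDIG HEXDIG; anything else is a
            # malformed escape, not a character to be tolerated.
            if i + 2 >= n or target[i + 1] not in _HEX or target[i + 2] not in _HEX:
                return False, "malformed percent-encoding at offset %d" % i
            i += 3
            continue
        if ch in _ALLOWED or ch in extra:
            i += 1
            continue
        # Control characters, whitespace, '{', '}', '|', '"', '<', '>', '\\',
        # '^', '`' and non-ASCII all land here.
        return False, "character 0x%02x not permitted unencoded at offset %d" % (ord(ch), i)
    return True, "ok"


def accept_request_line(line: str, allow: str = "") -> Tuple[bool, str]:
    """Apply the check to a full 'METHOD SP request-target SP HTTP-version'
    line. False stands for the 400 Bad Request the advisory note describes."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    return validate_request_target(parts[1], allow)


if __name__ == "__main__":
    # Constructed request lines, not captured traffic.
    for req in ("GET /index.html HTTP/1.1",
                "GET /api/v1/items|all HTTP/1.1",
                "GET /api/v1/items%7Call HTTP/1.1"):
        print(req, "->", accept_request_line(req))
    print("relaxed:", accept_request_line("GET /api/v1/items|all HTTP/1.1", allow="{}|"))
```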

Bugs Fixed

1397484 – CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
1403824 – CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing

【CESA-2017:0906】An update for httpd is now available for Red Hat Enterprise Linux 7

CESA-2017:0906

An update for httpd is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and
extensible web server.

Security Fix(es):

* It was discovered that the mod_session_crypto module of httpd did not use any
mechanisms to verify integrity of the encrypted session data stored in the
user’s browser. A remote attacker could use this flaw to decrypt and modify
session data using a padding oracle attack. (CVE-2016-0736)

* It was discovered that the mod_auth_digest module of httpd did not properly
check for memory allocation failures. A remote attacker could use this flaw to
cause httpd child processes to repeatedly crash if the server used HTTP digest
authentication. (CVE-2016-2161)

* It was discovered that the HTTP parser in httpd incorrectly allowed certain
characters not permitted by the HTTP protocol specification to appear unencoded
in HTTP request headers. If httpd was used in conjunction with a proxy or
backend server that interpreted those characters differently, a remote attacker
could possibly use this flaw to inject data into HTTP responses, resulting in
proxy cache poisoning. (CVE-2016-8743)

Note: The fix for the CVE-2016-8743 issue causes httpd to return a “400 Bad
Request” error to HTTP clients that do not strictly follow the HTTP protocol
specification. A newly introduced configuration directive, “HttpProtocolOptions
Unsafe”, can be used to re-enable the old, less strict parsing. However, such a
setting also re-introduces the CVE-2016-8743 issue.

Bug Fix(es):

* When waking up child processes during a graceful restart, the httpd parent
process could attempt to open more connections than necessary if a large number
of child processes had been active prior to the restart. Consequently, a
graceful restart could take a long time to complete. With this update, httpd has
been fixed to limit the number of connections opened during a graceful restart
to the number of active children, and the described problem no longer occurs.
(BZ#1420002)

* Previously, httpd running in a container returned the 500 HTTP status code
(Internal Server Error) when a connection to a WebSocket server was closed. As a
consequence, the httpd server failed to deliver the correct HTTP status and data
to a client. With this update, httpd correctly handles all proxied requests to
the WebSocket server, and the described problem no longer occurs. (BZ#1429947)

* In a configuration using LDAP authentication with the mod_authnz_ldap module,
the name set using the AuthLDAPBindDN directive was not correctly used to bind
to the LDAP server for all queries. Consequently, authorization attempts failed.
The LDAP modules have been fixed to ensure the configured name is correctly
bound for LDAP queries, and authorization using LDAP no longer fails.
(BZ#1420047)

Bugs Fixed

1406744 – CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto
1406753 – CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest
1406822 – CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects
1420002 – Backport fix for issue with graceful restart taking very long time sometimes
1420047 – AuthLDAPBindDN might not be used for some LDAP searches causing LDAP authz failures
1429947 – Backport: mod_proxy_wstunnel – AH02447: err/hup on backconn

【CESA-2017:0907】An update for util-linux is now available for Red Hat Enterprise Linux 7

CESA-2017:0907

An update for util-linux is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The util-linux packages contain a large variety of low-level system utilities
that are necessary for a Linux system to function. Among others, these include
the fdisk configuration tool and the login program.

Security Fix(es):

* A race condition was found in the way su handled the management of child
processes. A local authenticated attacker could use this flaw to kill other
processes with root privileges under specific conditions. (CVE-2017-2616)

Red Hat would like to thank Tobias Stöckmann for reporting this issue.

Bug Fix(es):

* The “findmnt --target <path>” command prints all file systems where the mount
point directory is <path>. Previously, when used in the chroot environment,
“findmnt --target <path>” incorrectly displayed all mount points. The command
has been fixed so that it now checks the mount point path and returns
information only for the relevant mount point. (BZ#1414481)

Bugs Fixed

1414481 – findmnt --target behaviour changed in 7.3, shows all mount-points in chroot
1418710 – CVE-2017-2616 util-linux: Sending SIGKILL to other processes with root privileges via su