【CESA-2017:0307】The latest kernel packages are now available for Red Hat Enterprise Linux 6

CESA-2017:0307

Red Hat products are highly regarded for their security and quality.

A Common Vulnerability Scoring System (CVSS) base score, which rates the severity of each vulnerability, is available for this update from the links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

Security Fix(es):

* When the Linux kernel audit subsystem creates audit records for the arguments
of executed child processes, an attacker can race it into creating corrupt
records, which may allow the attacker to misrepresent or evade logging of
executed commands. (CVE-2016-6136, Moderate)

* A flaw was found in the Linux kernel’s implementation of the SCTP protocol. A
remote attacker could trigger an out-of-bounds read with an offset of up to 64kB
potentially causing the system to crash. (CVE-2016-9555, Moderate)

Bug Fix(es):

* The qlcnic driver previously attempted to fetch pending transmission
descriptors before all writes were complete, which led to firmware hangs. With
this update, the qlcnic driver has been fixed to complete all writes before the
hardware fetches any pending transmission descriptors. As a result, the firmware
no longer hangs with the qlcnic driver. (BZ#1403143)

* Previously, when an NFS share was mounted, the file-system (FS) cache was
incorrectly enabled even when the “-o fsc” option was not used in the mount
command. Consequently, the cachefilesd service cached files from the NFS share
even when not instructed to by the user. With this update, NFS does not use the
FS cache unless the “-o fsc” option is given. (BZ#1399172)

* Previously, an NFS client and NFS server got into an NFS4 protocol loop
involving a WRITE action and an NFS4ERR_EXPIRED response when the 32-bit
current_fileid counter wrapped around. This update fixes the NFS server to
handle the current_fileid wraparound. As a result, the described NFS4 protocol
loop no longer occurs. (BZ#1399174)

* Previously, certain configurations of the Hewlett Packard Smart Array (HPSA)
devices caused hardware to be set offline incorrectly when the HPSA driver was
expected to wait for existing I/O operations to complete. Consequently, a kernel
panic occurred. This update prevents the described problem. As a result, the
kernel panic no longer occurs. (BZ#1399175)

* Previously, memory corruption by copying data into the wrong memory locations
sometimes occurred, because the __copy_tofrom_user() function was returning
incorrect values. This update fixes the __copy_tofrom_user() function so that it
no longer returns larger values than the number of bytes it was asked to copy.
As a result, memory corruption no longer occurs in the described scenario.
(BZ#1398185)

* Previously, guest virtual machines (VMs) on a Hyper-V server cluster were in
some cases rebooted during the graceful node failover test, because the host
kept sending heartbeat packets independently of guests responding to them. This
update fixes the bug by properly responding to all the heartbeat messages in the
queue, even if they are pending. As a result, guest VMs no longer get rebooted
under the described circumstances. (BZ#1397739)

* When the hole-punching mode of fallocate was used on an ext4 file system
inode with an extent depth of 1, the extent tree of the inode sometimes became
corrupted. With this update, the underlying source code has been fixed, and
extent tree corruption no longer occurs in the described situation.
(BZ#1397808)

Bugs Fixed

1353533 – CVE-2016-6136 kernel: Race condition vulnerability in execve argv arguments
1397930 – CVE-2016-9555 kernel: Slab out-of-bounds access in sctp_sf_ootb()

【CESA-2017:0309】The latest qemu-kvm packages are now available for Red Hat Enterprise Linux 6

CESA-2017:0309

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux
on a variety of architectures. The qemu-kvm packages provide the user-space
component for running virtual machines that use KVM.

Security Fix(es):

* Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA emulator support is
vulnerable to an out-of-bounds access issue. It could occur while copying VGA
data via bitblt copy in backward mode. A privileged user inside a guest could
use this flaw to crash the Qemu process resulting in DoS or potentially execute
arbitrary code on the host with privileges of Qemu process on the host.
(CVE-2017-2615)

* An out-of-bounds read-access flaw was found in the QEMU emulator built with IP
checksum routines. The flaw could occur when computing a TCP/UDP packet’s
checksum, because a QEMU function used the packet’s payload length without
checking against the data buffer’s size. A user inside a guest could use this
flaw to crash the QEMU process (denial of service). (CVE-2016-2857)

Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn
Inc.) for reporting CVE-2017-2615 and Ling Liu (Qihoo 360 Inc.) for reporting
CVE-2016-2857.

This update also fixes the following bug:

* Previously, rebooting a guest virtual machine more than 128 times in a short
period of time caused the guest to shut down instead of rebooting, because the
virtqueue was not cleaned properly. This update ensures that the virtqueue is
cleaned more reliably, which prevents the described problem from occurring.
(BZ#1408389)

All qemu-kvm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, shut down all running virtual machines. Once all virtual machines have
shut down, start them again for this update to take effect.

Bugs Fixed

1296567 – CVE-2016-2857 Qemu: net: out of bounds read in net_checksum_calculate()
1408389 – [RHEL6.8.z] KVM guest shuts itself down after 128th reboot
1418200 – CVE-2017-2615 Qemu: display: cirrus: oob access while doing bitblt copy backward mode
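The final paragraph of the advisory is the part most often skipped: installing the package only puts the fixed binary on disk, and every guest started before the upgrade keeps executing the old, vulnerable qemu-kvm until it is shut down and started again. The same holds for the kernel advisories on this page, where the fix is not in effect until the host boots the new kernel. The shell script below is an added example, not part of the CESA advisory or of the qemu-kvm package: it lists processes whose executable was replaced on disk (the kernel marks these by appending " (deleted)" to the target of /proc/PID/exe) and tells whether the running kernel is the most recently installed one, judged from the output of rpm -q --last kernel. The /proc tree and the package list in the demo are constructed sample data, and the function and argument names are my own.

```shell
#!/bin/sh
# Added example (not part of the advisory): find what is still running
# pre-update code after "yum update" on a RHEL/CentOS host.

# List processes whose executable has been replaced on disk. When the
# package manager overwrites a binary that is still running, the kernel
# reports the old inode as "<path> (deleted)" in /proc/<pid>/exe.
# $1 overrides the proc root so the function can be exercised on a
# constructed tree; it defaults to the real /proc.
stale_binaries() {
    root=${1:-/proc}
    for exe in "$root"/[0-9]*/exe; do
        # readlink fails for processes we may not inspect (and for the
        # unexpanded glob when there are no numeric directories at all)
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            *' (deleted)')
                pid=${exe#"$root"/}
                pid=${pid%/exe}
                printf '%s %s\n' "$pid" "${target% (deleted)}"
                ;;
        esac
    done
}

# Decide whether a reboot is needed. $1 is the running release (normally
# "$(uname -r)"); $2 is the output of "rpm -q --last kernel", whose first
# line is the most recently installed kernel package. Returns 0 (true)
# when that package is not the one currently running. Assumes the newest
# installed kernel is the one the host should boot.
kernel_needs_reboot() {
    running=$1
    newest=$(printf '%s\n' "$2" | head -n 1 | awk '{ print $1 }' | sed 's/^kernel-//')
    [ -n "$newest" ] && [ "$newest" != "$running" ]
}

# Demo on constructed sample data: a fake /proc tree and a two-line
# package list, so it runs unprivileged and reads nothing from the host.
demo=$(mktemp -d)
mkdir -p "$demo/101" "$demo/202"
ln -s '/usr/libexec/qemu-kvm (deleted)' "$demo/101/exe"
ln -s '/usr/sbin/sshd' "$demo/202/exe"
stale_binaries "$demo"        # prints: 101 /usr/libexec/qemu-kvm
rm -rf "$demo"

sample_rpm_last='kernel-3.10.0-514.6.1.el7.x86_64  Mon 20 Feb 2017 10:00:00 AM UTC
kernel-3.10.0-514.el7.x86_64      Tue 01 Nov 2016 09:00:00 AM UTC'
if kernel_needs_reboot '3.10.0-514.el7.x86_64' "$sample_rpm_last"; then
    echo 'reboot needed: running kernel is not the most recently installed one'
fi
```

On a real host run stale_binaries as root (unprivileged users cannot read other users' /proc/PID/exe links) and feed kernel_needs_reboot with "$(uname -r)" and "$(rpm -q --last kernel)". A qemu-kvm process that shows up in the first list is a guest that must be shut down and started, not merely rebooted from inside, because a guest reboot keeps the same QEMU process. The needs-restarting tool from yum-utils performs the same /proc walk with more polish.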

【CESA-2017:0293】The latest kernel packages are now available for Red Hat Enterprise Linux 6

CESA-2017:0293

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

Security Fix(es):

* A use-after-free flaw was found in the way the Linux kernel’s Datagram
Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer)
resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set
on the socket. A local, unprivileged user could use this flaw to alter the
kernel memory, allowing them to escalate their privileges on the system.
(CVE-2017-6074, Important)

Bugs Fixed

1423071 – CVE-2017-6074 kernel: use after free in dccp protocol

【CESA-2017:0294】The latest kernel packages are now available for Red Hat Enterprise Linux 7

CESA-2017:0294

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

Security Fix(es):

* A use-after-free flaw was found in the way the Linux kernel’s Datagram
Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer)
resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set
on the socket. A local, unprivileged user could use this flaw to alter the
kernel memory, allowing them to escalate their privileges on the system.
(CVE-2017-6074, Important)

Bugs Fixed

1423071 – CVE-2017-6074 kernel: use after free in dccp protocol
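CVE-2017-6074 (this advisory and CESA-2017:0293 above) and CVE-2016-9555 (CESA-2017:0307 above) both sit in protocol modules, dccp and sctp, that most servers never use, and the DCCP flaw is reachable by a local unprivileged user only because creating a socket of that type makes the kernel autoload the module on demand. Until the fixed kernel is booted, preventing that autoload removes the attack surface; Red Hat published exactly this modprobe-based mitigation for CVE-2017-6074, and it applies equally to sctp on hosts that do not need it. The script below is an added example and not part of either advisory: it writes the drop-in and reports which of the named modules are already resident, since an install rule only stops future loads. The file name disable-unused-protocols.conf and the fake /proc/modules in the demo are my own choices.

```shell
#!/bin/sh
# Added example (not part of the CESA advisories): stop unused network
# protocol modules from being autoloaded by an unprivileged socket() call.

# Write a modprobe.d drop-in. "install <mod> /bin/true" makes the kernel's
# autoload request for <mod> run /bin/true instead of inserting the module.
# $1 = configuration directory (normally /etc/modprobe.d), remaining
# arguments = module names. Prints the path of the file written.
write_module_blacklist() {
    dir=$1; shift
    conf="$dir/disable-unused-protocols.conf"
    : > "$conf"
    for mod in "$@"; do
        printf 'install %s /bin/true\n' "$mod" >> "$conf"
    done
    printf '%s\n' "$conf"
}

# Print the names of the given modules that are currently resident, read
# from a /proc/modules-style file ($1; pass /proc/modules on a real host).
# A drop-in only prevents future loads, so anything listed here must still
# be removed with "modprobe -r" or by rebooting into the fixed kernel.
resident_modules() {
    src=$1; shift
    for mod in "$@"; do
        awk -v m="$mod" '$1 == m { print m }' "$src"
    done
}

# Demo with constructed sample data (a temporary directory and a fake
# /proc/modules), so it runs without root and touches nothing under /etc.
demo_dir=$(mktemp -d)
conf=$(write_module_blacklist "$demo_dir" dccp sctp)
cat "$conf"                   # prints the two "install ... /bin/true" lines
printf 'sctp 300000 0 - Live 0x0\nipv6 400000 50 - Live 0x0\n' > "$demo_dir/modules"
resident_modules "$demo_dir/modules" dccp sctp     # prints: sctp
rm -rf "$demo_dir"
```

On a real host run write_module_blacklist /etc/modprobe.d dccp sctp as root, then modprobe -r whatever resident_modules /proc/modules dccp sctp still reports. Two caveats: the drop-in is a stopgap that does not replace the kernel update and reboot, and it must not be applied where SCTP is actually in use (some telecom, storage and clustering software depends on it).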

【CESA-2017:0190】The latest firefox packages are now available for Red Hat Enterprise Linux 5/6/7

CESA-2017:0190

[Updated 21 February 2017]
This advisory has been updated to include Firefox packages for the PPC and S390
architectures that were previously omitted. For this revised update, packages
for all architectures were rebuilt. The rebuilt packages do not contain any new
code changes.

Mozilla Firefox is an open source web browser.

This update upgrades Firefox to version 45.7.0 ESR.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
(CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380,
CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jann Horn, Filipe Gomes, Muneaki Nishimura, Nils, Armin
Razmjou, Christian Holler, Gary Kwong, André Bargull, Jan de Mooij, Tom
Schuster, Oriol, Rh0, Nicolas Grégoire, and Jerri Rice as the original
reporters.

Bugs Fixed

1415924 – CVE-2017-5373 Mozilla: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (MFSA 2017-01)
1416271 – CVE-2017-5375 Mozilla: Excessive JIT code allocation allows bypass of ASLR and DEP (MFSA 2017-02)
1416272 – CVE-2017-5376 Mozilla: Use-after-free in XSL (MFSA 2017-02)
1416273 – CVE-2017-5378 Mozilla: Pointer and frame data leakage of Javascript objects (MFSA 2017-02)
1416274 – CVE-2017-5380 Mozilla: Potential use-after-free during DOM manipulations (MFSA 2017-02)
1416279 – CVE-2017-5390 Mozilla: Insecure communication methods in Developer Tools JSON viewer (MFSA 2017-02)
1416280 – CVE-2017-5396 Mozilla: Use-after-free with Media Decoder (MFSA 2017-02)
1416281 – CVE-2017-5383 Mozilla: Location bar spoofing with unicode characters (MFSA 2017-02)
1416282 – CVE-2017-5386 Mozilla: WebExtensions can use data: protocol to affect other extensions (MFSA 2017-02)

【CESA-2017:0286】The latest openssl packages are now available for Red Hat Enterprise Linux 6/7

CESA-2017:0286

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library.

Security Fix(es):

* An integer underflow leading to an out of bounds read flaw was found in
OpenSSL. A remote attacker could possibly use this flaw to crash a 32-bit
TLS/SSL server or client using OpenSSL if it used the RC4-MD5 cipher suite.
(CVE-2017-3731)

* A denial of service flaw was found in the way the TLS/SSL protocol defined
processing of ALERT packets during a connection handshake. A remote attacker
could use this flaw to make a TLS/SSL server consume an excessive amount of CPU
and fail to accept connections from other clients. (CVE-2016-8610)

Bugs Fixed

1384743 – CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
1416852 – CVE-2017-3731 openssl: Truncated packet could crash via OOB read

【CESA-2017:0276】The latest bind packages are now available for Red Hat Enterprise Linux 7

CESA-2017:0276

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND handled query responses
when both DNS64 and RPZ were used. A remote attacker could use this flaw to make
named exit unexpectedly with an assertion failure or a null pointer dereference
via a specially crafted DNS response. (CVE-2017-3135)

Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges
Ramesh Damodaran (Infoblox) and Aliaksandr Shubnik (Infoblox) as the original
reporter.

Bugs Fixed

1420193 – CVE-2017-3135 bind: Assertion failure when using DNS64 and RPZ Can Lead to Crash

【CESA-2017:0269】The latest java-1.7.0-openjdk packages are now available for Red Hat Enterprise Linux 5/6/7

CESA-2017:0269

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment
and the OpenJDK 7 Java Software Development Kit.

Security Fix(es):

* It was discovered that the RMI registry and DGC (distributed garbage
collector) implementations in the RMI component of OpenJDK performed
deserialization of untrusted inputs. A remote attacker could possibly use this
flaw to execute arbitrary code with the privileges of the RMI registry or a Java
RMI application. (CVE-2017-3241)

This issue was addressed by introducing whitelists of classes that can be
deserialized by the RMI registry or DGC. These whitelists can be customized
using the newly introduced sun.rmi.registry.registryFilter and
sun.rmi.transport.dgcFilter security properties.

* Multiple flaws were discovered in the Libraries and Hotspot components in
OpenJDK. An untrusted Java application or applet could use these flaws to
completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289)

* A covert timing channel flaw was found in the DSA implementation in the
Libraries component of OpenJDK. A remote attacker could possibly use this flaw
to extract certain information about the used key via a timing side channel.
(CVE-2016-5548)

* It was discovered that the Libraries component of OpenJDK accepted ECDSA
signatures using non-canonical DER encoding. This could cause a Java application
to accept signatures in an incorrect format not accepted by other cryptographic
tools. (CVE-2016-5546)

* It was discovered that the 2D component of OpenJDK performed parsing of iTXt
and zTXt PNG image chunks even when configured to ignore metadata. An attacker
able to make a Java application parse a specially crafted PNG image could cause
the application to consume an excessive amount of memory. (CVE-2017-3253)

* It was discovered that the Libraries component of OpenJDK did not validate the
length of the object identifier read from the DER input before allocating memory
to store the OID. An attacker able to make a Java application decode a specially
crafted DER input could cause the application to consume an excessive amount of
memory. (CVE-2016-5547)

* It was discovered that the JAAS component of OpenJDK extracted the user DN
from the result of the user-search LDAP query incorrectly. A specially crafted
user LDAP entry could cause the application to use an incorrect DN.
(CVE-2017-3252)

* It was discovered that the Networking component of OpenJDK failed to properly
parse user info from the URL. A remote attacker could cause a Java application
to incorrectly parse an attacker supplied URL and interpret it differently from
other applications processing the same URL. (CVE-2016-5552)

* Multiple flaws were found in the Networking components in OpenJDK. An
untrusted Java application or applet could use these flaws to bypass certain
Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231)

* A flaw was found in the way the DES/3DES cipher was used as part of the
TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover
some plaintext data by capturing large amounts of encrypted traffic between
TLS/SSL server and client if the communication used a DES/3DES based
ciphersuite. (CVE-2016-2183)

This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to
the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms
security property) so they are only used if connecting TLS/SSL client and server
do not share any other non-legacy cipher suite.

Bugs Fixed

1369383 – CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1413554 – CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344)
1413562 – CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104)
1413583 – CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988)
1413653 – CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147)
1413717 – CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934)
1413764 – CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705)
1413882 – CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223)
1413906 – CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743)
1413911 – CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714)
1413920 – CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728)
1413955 – CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802)

【CESA-2017:0254】The latest spice packages are now available for Red Hat Enterprise Linux 7

CESA-2017:0254

The Simple Protocol for Independent Computing Environments (SPICE) is a remote
display system built for virtual environments which allows the user to view a
computing ‘desktop’ environment not only on the machine where it is running, but
from anywhere on the Internet and from a wide variety of machine architectures.

Security Fix(es):

* A vulnerability was discovered in spice in the server’s protocol handling. An
authenticated attacker could send crafted messages to the spice server causing a
heap overflow leading to a crash or possible code execution. (CVE-2016-9577)

* A vulnerability was discovered in spice in the server’s protocol handling. An
attacker able to connect to the spice server could send crafted messages which
would cause the process to crash. (CVE-2016-9578)

These issues were discovered by Frediano Ziglio (Red Hat).

Bugs Fixed

1399566 – CVE-2016-9578 spice: Remote DoS via crafted message
1401603 – CVE-2016-9577 spice: Buffer overflow in main_channel_alloc_msg_rcv_buf when reading large messages

【CESA-2017:0252】The latest ntp packages are now available for Red Hat Enterprise Linux 6/7

CESA-2017:0252

The Network Time Protocol (NTP) is used to synchronize a computer’s time with
another referenced time source. These packages include the ntpd service which
continuously adjusts system time and utilities used to query and configure the
ntpd service.

Security Fix(es):

* It was found that when ntp is configured with rate limiting for all
associations the limits are also applied to responses received from its
configured sources. A remote attacker who knows the sources can cause a denial
of service by preventing ntpd from accepting valid responses from its sources.
(CVE-2016-7426)

* A flaw was found in the control mode functionality of ntpd. A remote attacker
could send a crafted control mode packet which could lead to information
disclosure or result in DDoS amplification attacks. (CVE-2016-9310)

* A flaw was found in the way ntpd implemented the trap service. A remote
attacker could send a specially crafted packet to cause a null pointer
dereference that will crash ntpd, resulting in a denial of service.
(CVE-2016-9311)

* A flaw was found in the way ntpd running on a host with multiple network
interfaces handled certain server responses. A remote attacker could use this
flaw to cause ntpd to stop synchronizing with its source. (CVE-2016-7429)

* A flaw was found in the way ntpd calculated the root delay. A remote attacker
could send a specially-crafted spoofed packet to cause denial of service or in
some special cases even crash. (CVE-2016-7433)

Bugs Fixed

1397319 – CVE-2016-9310 ntp: Mode 6 unauthenticated trap information disclosure and DDoS vector
1397341 – CVE-2016-7429 ntp: Attack on interface selection
1397345 – CVE-2016-7426 ntp: Client rate limiting and server responses
1397347 – CVE-2016-7433 ntp: Broken initial sync calculations regression
1398350 – CVE-2016-9311 ntp: Null pointer dereference when trap service is enabled
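Two of these five flaws are reachable only through interfaces that a client's restrict rules control: CVE-2016-9310 arrives in mode 6 control packets, which a noquery rule refuses, and CVE-2016-9311 needs the trap service, which is never provided to a client matched by a notrap rule. The shell function below is an added example, not part of the advisory or of the ntp package: it reads an ntp.conf and reports every "restrict default" rule (IPv4, IPv6 or unqualified) that lacks noquery or notrap, and also the absence of any such rule, which means ntpd answers everyone. The configuration it is run on is a constructed sample, and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the advisory): check the "restrict default" rules
# in an ntp.conf for the flags that keep remote clients away from the
# mode 6 control interface (noquery) and the trap service (notrap).

# Print one line per "restrict default" rule that lacks noquery or notrap,
# as "<rule>: missing <flag>[ <flag>]". A rule carrying "ignore" drops
# every packet, so it is not reported. Prints "no default restrict rule"
# when the file has none at all. $1 = path to the configuration file.
audit_ntp_restrict() {
    awk '
        /^[[:space:]]*restrict[[:space:]]/ {
            is_default = 0; ignore = 0; noquery = 0; notrap = 0
            # accept "restrict default", "restrict -4 default", "restrict -6 default"
            for (i = 2; i <= NF; i++) {
                if ($i == "default") is_default = 1
                if ($i == "ignore")  ignore = 1
                if ($i == "noquery") noquery = 1
                if ($i == "notrap")  notrap = 1
            }
            if (!is_default) next
            seen++
            if (ignore) next
            missing = ""
            if (!noquery) missing = missing " noquery"
            if (!notrap)  missing = missing " notrap"
            if (missing != "") printf "%s: missing%s\n", $0, missing
        }
        END { if (!seen) print "no default restrict rule" }
    ' "$1"
}

# Demo on a constructed sample configuration (not a real host's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host's configuration
server ntp1.example.com iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify nopeer
restrict 127.0.0.1
restrict ::1
EOF
audit_ntp_restrict "$sample"   # prints: restrict -6 default kod nomodify nopeer: missing noquery notrap
rm -f "$sample"
```

Run it as audit_ntp_restrict /etc/ntp.conf. The ntp.conf shipped with Red Hat Enterprise Linux 6 and 7 already carries both flags on its default rule, so a finding usually means the file was hand-edited, typically to let a monitoring host run ntpq remotely; the right fix is a narrower restrict line for that host, not a looser default. These flags reduce exposure only for the two flaws named above: CVE-2016-7426, CVE-2016-7429 and CVE-2016-7433 are in how ntpd handles replies from its own configured sources, which noquery and notrap do not affect, so the package update is still required.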