From security at unicamp.br Mon Oct 10 16:48:59 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 10 Oct 2016 16:48:59 -0300
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003]
Message-ID: <20161010194859.GA15555@unicamp.br>

----- Forwarded message from security-news at drupal.org -----

Date: Mon, 10 Oct 2016 18:25:58 +0000 (UTC)
From: security-news at drupal.org
To: security-news at drupal.org
Subject: [Security-news] Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003

View online: https://www.drupal.org/psa-2016-003

* Advisory ID: DRUPAL-PSA-2016-003
* Project: Drupal core [1]
* Version: 7.x, 8.x
* Date: 2016-October-10
* Security risk: 20/25 (Critical) AC:None/A:None/CI:Some/II:Some/E:Exploit/TD:All [2]

-------- DESCRIPTION ---------------------------------------------------------

Recently the Drupal Security Team has seen a trend of attacks utilizing a site mis-configuration. This issue only affects sites that allow file uploads by non-trusted or anonymous visitors and store those uploads in a public file system. These files are publicly accessible, allowing attackers to point search engines and people directly to them on the site.

The majority of the reports are based around the webform module; however, other modules are vulnerable to this misconfiguration as well.

For example, if a webform is configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site.
-------- TO RESOLVE THIS ISSUE: ----------------------------------------------

1) Configure upload fields that non-trusted visitors, including anonymous visitors, can upload files with, to use the private file system [3].
2) Ensure cron is properly running on the site. Read about setting up cron for Drupal 7 [4] or Drupal 8 [5].
3) Consider forcing users to create accounts before submitting content.
4) Audit your public file space to make sure that the files uploaded there are valid.

-------- AWARENESS ACKNOWLEDGMENT --------------------------------------------

The Drupal Security Team became aware of the existence and exploits of this issue because the community reported this issue to the security team [6]. As always, if your site has been exploited, even if the cause is a mistake in configuration, the security team is interested in hearing about the nature of the issue. We use these reports to look for trends and broader solutions.

-------- COORDINATED BY ------------------------------------------------------

* Michael Hess [7] of the Drupal Security Team
* Damien McKenna [8] of the Drupal Security Team
* Alex Pott [9] of the Drupal Security Team
* David Snopek [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
* Cash Williams [12] of the Drupal Security Team

*This post may be updated as more information is learned.*

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16].
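Step 4 above leaves the audit itself to the site maintainer. As an added example (not part of the advisory or of Drupal), the script below walks a public files directory, checks each upload's leading bytes against the type its extension claims, and flags names a web server could treat as active content; the allowed image types, the sample tree and the `.htaccess` placement rule are assumptions to adjust to the site's upload field configuration.

```python
"""Audit a Drupal public files directory for uploads that are not what their
extension claims, or whose name a web server may treat as active content.
Added as an illustration of step 4 of PSA-2016-003; it is not part of Drupal
or of the advisory. The allow-list assumes the untrusted upload field only
accepts PNG/JPEG/GIF images; adjust it to the field's real configuration."""
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extension -> magic bytes a file of that type must begin with (assumption:
# these are the only types anonymous visitors are meant to upload).
ALLOWED_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a web server may execute or render as active content. They are
# matched anywhere in the name ("x.php.jpg"), because Apache mod_mime looks at
# every extension; Drupal munges such names on upload for the same reason.
ACTIVE_EXT = {".php", ".phtml", ".phar", ".html", ".htm", ".js", ".svg", ".sh"}


def classify(path: Path, root: Path) -> Optional[str]:
    """Return a finding for one file, or None if it looks like a valid upload."""
    if path.name.lower() == ".htaccess":
        # Drupal writes its own protective .htaccess at the top of the public
        # files directory; one anywhere deeper did not come from Drupal.
        return None if path.parent == root else "server config file below directory root"
    exts = [s.lower() for s in path.suffixes]  # "a.php.jpg" -> [".php", ".jpg"]
    if ACTIVE_EXT.intersection(exts):
        return "active-content name"
    if not exts or exts[-1] not in ALLOWED_MAGIC:
        return "extension not on the upload allow-list"
    with path.open("rb") as fh:
        header = fh.read(16)
    if not any(header.startswith(magic) for magic in ALLOWED_MAGIC[exts[-1]]):
        return "content does not match extension"
    return None


def audit(root: Path) -> List[Tuple[str, str]]:
    """Walk the public file tree and return sorted (relative path, finding) pairs."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            reason = classify(path, root)
            if reason:
                findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Constructed stand-in for sites/default/files (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="drupal-public-"))
    (root / "webform").mkdir()
    (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # real PNG header
    (root / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 8)               # real GIF header
    (root / "avatar.jpg").write_bytes(b"<html><body>hosted page</body></html>")  # HTML named .jpg
    (root / "index.html").write_bytes(b"<html>spam</html>")                # active content
    (root / "report.pdf").write_bytes(b"%PDF-1.4")                         # type the field should reject
    (root / ".htaccess").write_bytes(b"# placeholder for Drupal's own file")  # expected at the root
    (root / "webform" / ".htaccess").write_bytes(b"Options +Indexes")      # unexpected deeper down
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for rel, reason in audit(target):
        print(f"{reason}: {rel}")
```

Run it against the site's real public files path as the first argument; with no argument it audits the constructed sample tree.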
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/documentation/modules/file#access
[4] https://www.drupal.org/docs/7/setting-up-cron/overview
[5] https://www.drupal.org/docs/8/setting-up-cron/overview
[6] https://www.drupal.org//www.drupal.org/node/101494?
[7] https://www.drupal.org/u/mlhess
[8] https://www.drupal.org/u/damienmcKenna
[9] https://www.drupal.org/u/alexpott
[10] https://www.drupal.org/u/dsnopek
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/cashwilliams
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

----- End forwarded message -----

From security at unicamp.br Tue Oct 18 08:50:25 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Tue, 18 Oct 2016 08:50:25 -0200
Subject: [SECURITY-L] [bugzilla@redhat.com: [RHSA-2016:2073-01] Important: openssl security update]
Message-ID: <20161018105025.GA17236@unicamp.br>

----- Forwarded message from bugzilla at redhat.com -----

Date: Tue, 18 Oct 2016 07:19:58 +0000
From: bugzilla at redhat.com
To: rhsa-announce at redhat.com, enterprise-watch-list at redhat.com
Subject: [RHSA-2016:2073-01] Important: openssl security update

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: openssl security update
Advisory ID:       RHSA-2016:2073-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2073.html
Issue date:        2016-10-18
CVE Names:         CVE-2016-0799 CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2842
=====================================================================

1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 6.7 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux HPC Node EUS (v. 6.7) - x86_64
Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.7) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.7) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.7) - i386, ppc64, s390x, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108)

* Two integer overflow flaws, leading to buffer overflows, were found in the way the EVP_EncodeUpdate() and EVP_EncryptUpdate() functions of OpenSSL parsed very large amounts of input data. A remote attacker could use these flaws to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105, CVE-2016-2106)

* It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2016-2107)

* Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application. (CVE-2016-0799, CVE-2016-2842)

* A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-0799. Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, and CVE-2016-0799; and Juraj Somorovsky as the original reporter of CVE-2016-2107.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1312219 - CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
1314757 - CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331426 - CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow

6. Package List:

Red Hat Enterprise Linux HPC Node EUS (v. 6.7):

Source:
openssl-1.0.1e-42.el6_7.5.src.rpm

x86_64:
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.7):

x86_64:
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-perl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-static-1.0.1e-42.el6_7.5.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v.
6.7): Source: openssl-1.0.1e-42.el6_7.5.src.rpm i386: openssl-1.0.1e-42.el6_7.5.i686.rpm openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm openssl-devel-1.0.1e-42.el6_7.5.i686.rpm ppc64: openssl-1.0.1e-42.el6_7.5.ppc.rpm openssl-1.0.1e-42.el6_7.5.ppc64.rpm openssl-debuginfo-1.0.1e-42.el6_7.5.ppc.rpm openssl-debuginfo-1.0.1e-42.el6_7.5.ppc64.rpm openssl-devel-1.0.1e-42.el6_7.5.ppc.rpm openssl-devel-1.0.1e-42.el6_7.5.ppc64.rpm s390x: openssl-1.0.1e-42.el6_7.5.s390.rpm openssl-1.0.1e-42.el6_7.5.s390x.rpm openssl-debuginfo-1.0.1e-42.el6_7.5.s390.rpm openssl-debuginfo-1.0.1e-42.el6_7.5.s390x.rpm openssl-devel-1.0.1e-42.el6_7.5.s390.rpm openssl-devel-1.0.1e-42.el6_7.5.s390x.rpm x86_64: openssl-1.0.1e-42.el6_7.5.i686.rpm openssl-1.0.1e-42.el6_7.5.x86_64.rpm openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm openssl-devel-1.0.1e-42.el6_7.5.i686.rpm openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.7): i386: openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm openssl-perl-1.0.1e-42.el6_7.5.i686.rpm openssl-static-1.0.1e-42.el6_7.5.i686.rpm ppc64: openssl-debuginfo-1.0.1e-42.el6_7.5.ppc64.rpm openssl-perl-1.0.1e-42.el6_7.5.ppc64.rpm openssl-static-1.0.1e-42.el6_7.5.ppc64.rpm s390x: openssl-debuginfo-1.0.1e-42.el6_7.5.s390x.rpm openssl-perl-1.0.1e-42.el6_7.5.s390x.rpm openssl-static-1.0.1e-42.el6_7.5.s390x.rpm x86_64: openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm openssl-perl-1.0.1e-42.el6_7.5.x86_64.rpm openssl-static-1.0.1e-42.el6_7.5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. 
References:

https://access.redhat.com/security/cve/CVE-2016-0799
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-2107
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2109
https://access.redhat.com/security/cve/CVE-2016-2842
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce at redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

----- End forwarded message -----

From security at unicamp.br Fri Oct 21 09:05:57 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Fri, 21 Oct 2016 09:05:57 -0200
Subject: [SECURITY-L] [bugzilla@redhat.com: [RHSA-2016:2093-01] Important: bind security update]
Message-ID: <20161021110557.GA8321@unicamp.br>

----- Forwarded message from bugzilla at redhat.com -----

Date: Thu, 20 Oct 2016 20:46:15 +0000
From: bugzilla at redhat.com
To: rhsa-announce at redhat.com, enterprise-watch-list at redhat.com
Subject: [RHSA-2016:2093-01] Important: bind security update

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: bind security update
Advisory ID:       RHSA-2016:2093-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2093.html
Issue date:        2016-10-20
CVE Names:         CVE-2016-2848
=====================================================================

1. Summary:

An update for bind is now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND handled packets with malformed options. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS packet. (CVE-2016-2848)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, the BIND daemon (named) will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1385450 - CVE-2016-2848 bind: assertion failure triggered by a packet with malformed options

6. Package List:

Red Hat Enterprise Linux Desktop (v.
5 client): Source: bind-9.3.6-25.P1.el5_11.10.src.rpm i386: bind-9.3.6-25.P1.el5_11.10.i386.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm bind-sdb-9.3.6-25.P1.el5_11.10.i386.rpm bind-utils-9.3.6-25.P1.el5_11.10.i386.rpm x86_64: bind-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm bind-libs-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-sdb-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-utils-9.3.6-25.P1.el5_11.10.x86_64.rpm Red Hat Enterprise Linux Desktop Workstation (v. 5 client): Source: bind-9.3.6-25.P1.el5_11.10.src.rpm i386: bind-chroot-9.3.6-25.P1.el5_11.10.i386.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm caching-nameserver-9.3.6-25.P1.el5_11.10.i386.rpm x86_64: bind-chroot-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm bind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm caching-nameserver-9.3.6-25.P1.el5_11.10.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server): Source: bind-9.3.6-25.P1.el5_11.10.src.rpm i386: bind-9.3.6-25.P1.el5_11.10.i386.rpm bind-chroot-9.3.6-25.P1.el5_11.10.i386.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm bind-sdb-9.3.6-25.P1.el5_11.10.i386.rpm bind-utils-9.3.6-25.P1.el5_11.10.i386.rpm caching-nameserver-9.3.6-25.P1.el5_11.10.i386.rpm ia64: bind-9.3.6-25.P1.el5_11.10.ia64.rpm bind-chroot-9.3.6-25.P1.el5_11.10.ia64.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.ia64.rpm bind-devel-9.3.6-25.P1.el5_11.10.ia64.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.ia64.rpm bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm bind-libs-9.3.6-25.P1.el5_11.10.ia64.rpm bind-sdb-9.3.6-25.P1.el5_11.10.ia64.rpm bind-utils-9.3.6-25.P1.el5_11.10.ia64.rpm caching-nameserver-9.3.6-25.P1.el5_11.10.ia64.rpm ppc: bind-9.3.6-25.P1.el5_11.10.ppc.rpm bind-chroot-9.3.6-25.P1.el5_11.10.ppc.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.ppc.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.ppc64.rpm bind-devel-9.3.6-25.P1.el5_11.10.ppc.rpm bind-devel-9.3.6-25.P1.el5_11.10.ppc64.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.ppc.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.ppc64.rpm bind-libs-9.3.6-25.P1.el5_11.10.ppc.rpm bind-libs-9.3.6-25.P1.el5_11.10.ppc64.rpm bind-sdb-9.3.6-25.P1.el5_11.10.ppc.rpm bind-utils-9.3.6-25.P1.el5_11.10.ppc.rpm caching-nameserver-9.3.6-25.P1.el5_11.10.ppc.rpm s390x: bind-9.3.6-25.P1.el5_11.10.s390x.rpm bind-chroot-9.3.6-25.P1.el5_11.10.s390x.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.s390.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.s390x.rpm bind-devel-9.3.6-25.P1.el5_11.10.s390.rpm bind-devel-9.3.6-25.P1.el5_11.10.s390x.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.s390.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.s390x.rpm bind-libs-9.3.6-25.P1.el5_11.10.s390.rpm bind-libs-9.3.6-25.P1.el5_11.10.s390x.rpm bind-sdb-9.3.6-25.P1.el5_11.10.s390x.rpm 
bind-utils-9.3.6-25.P1.el5_11.10.s390x.rpm caching-nameserver-9.3.6-25.P1.el5_11.10.s390x.rpm x86_64: bind-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-chroot-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm bind-debuginfo-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm bind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm bind-libbind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm bind-libs-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-sdb-9.3.6-25.P1.el5_11.10.x86_64.rpm bind-utils-9.3.6-25.P1.el5_11.10.x86_64.rpm caching-nameserver-9.3.6-25.P1.el5_11.10.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: bind-9.8.2-0.47.rc1.el6_8.2.src.rpm i386: bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-utils-9.8.2-0.47.rc1.el6_8.2.i686.rpm x86_64: bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-utils-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: bind-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-chroot-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-sdb-9.8.2-0.47.rc1.el6_8.2.i686.rpm x86_64: bind-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-chroot-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-sdb-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 
6): Source: bind-9.8.2-0.47.rc1.el6_8.2.src.rpm x86_64: bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-utils-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: bind-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-chroot-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-sdb-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: bind-9.8.2-0.47.rc1.el6_8.2.src.rpm i386: bind-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-chroot-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-utils-9.8.2-0.47.rc1.el6_8.2.i686.rpm ppc64: bind-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm bind-chroot-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.ppc.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.ppc.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm bind-utils-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm s390x: bind-9.8.2-0.47.rc1.el6_8.2.s390x.rpm bind-chroot-9.8.2-0.47.rc1.el6_8.2.s390x.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.s390.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.s390x.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.s390.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.s390x.rpm bind-utils-9.8.2-0.47.rc1.el6_8.2.s390x.rpm x86_64: bind-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-chroot-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-utils-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
6): i386: bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-sdb-9.8.2-0.47.rc1.el6_8.2.i686.rpm ppc64: bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.ppc.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.ppc.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm bind-sdb-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm s390x: bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.s390.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.s390x.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.s390.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.s390x.rpm bind-sdb-9.8.2-0.47.rc1.el6_8.2.s390x.rpm x86_64: bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-sdb-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: bind-9.8.2-0.47.rc1.el6_8.2.src.rpm i386: bind-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-chroot-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-utils-9.8.2-0.47.rc1.el6_8.2.i686.rpm x86_64: bind-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-chroot-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-libs-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-utils-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-sdb-9.8.2-0.47.rc1.el6_8.2.i686.rpm x86_64: bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm bind-devel-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm bind-sdb-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-2848
https://access.redhat.com/security/updates/classification/#important
https://kb.isc.org/article/AA-01433

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

----- End forwarded message -----

From security at unicamp.br Tue Oct 25 13:28:53 2016
From: security at unicamp.br (CSIRT Unicamp)
Date: Tue, 25 Oct 2016 13:28:53 -0200
Subject: [SECURITY-L] Joomla! 3.6.4 Released
Message-ID:

Joomla! 3.6.4 is now available. This is a security release for the 3.x series of Joomla! which addresses two critical security vulnerabilities and a bug fix for two-factor authentication. We strongly recommend that you update your sites immediately. This release only contains the security fixes and bug fix; no other changes have been made compared to the Joomla! 3.6.3 release.

_What's in 3.6.4_

Version 3.6.4 is released to address two critical security issues and a bug regarding two-factor authentication.

_Security Issues Fixed_

High Priority - Core - Account Creation (affecting Joomla! 3.4.4 through 3.6.3)
High Priority - Core - Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3)

_Bug Fixes_

[#12497] Two-Factor Authentication encryption fix
From security at unicamp.br Tue Oct 25 14:31:08 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Tue, 25 Oct 2016 14:31:08 -0200
Subject: [SECURITY-L] [marc.deslauriers@canonical.com: [USN-3109-1] MySQL vulnerabilities]
Message-ID: <20161025163108.GO21289@unicamp.br>

----- Forwarded message from Marc Deslauriers -----

Date: Tue, 25 Oct 2016 09:36:12 -0400
From: Marc Deslauriers
To: ubuntu-security-announce at lists.ubuntu.com
Subject: [USN-3109-1] MySQL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3109-1
October 25, 2016

mysql-5.5, mysql-5.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database
- mysql-5.5: MySQL database

Details:

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.53 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 16.04 LTS and Ubuntu 16.10 have been updated to MySQL 5.7.16.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
Please see the following for more information:

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-53.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-16.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10:
  mysql-server-5.7                5.7.16-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  mysql-server-5.7                5.7.16-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  mysql-server-5.5                5.5.53-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  mysql-server-5.5                5.5.53-0ubuntu0.12.04.1

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3109-1
  CVE-2016-5584, CVE-2016-7440

Package Information:
  https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.16-0ubuntu0.16.10.1
  https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.16-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.53-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.53-0ubuntu0.12.04.1

----- End forwarded message -----

From security at unicamp.br Wed Oct 26 14:50:14 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 26 Oct 2016 14:50:14 -0200
Subject: [SECURITY-L] [USN-3114-1] nginx vulnerability
Message-ID: <20161026165014.GF25066@unicamp.br>

----- Forwarded message from Marc Deslauriers -----

Date: Tue, 25 Oct 2016 15:59:03 -0400
From: Marc Deslauriers
To: ubuntu-security-announce at lists.ubuntu.com
Subject: [USN-3114-1] nginx vulnerability

==========================================================================
Ubuntu Security Notice USN-3114-1
October 25, 2016

nginx vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

The system could be made to run programs as an administrator.
Software Description:
- nginx: small, powerful, scalable web/proxy server

Details:

Dawid Golunski discovered that the nginx package incorrectly handled log file permissions. A remote attacker could possibly use this issue to obtain root privileges.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10:
  nginx-common                    1.10.1-0ubuntu1.1
  nginx-core                      1.10.1-0ubuntu1.1
  nginx-extras                    1.10.1-0ubuntu1.1
  nginx-full                      1.10.1-0ubuntu1.1
  nginx-light                     1.10.1-0ubuntu1.1

Ubuntu 16.04 LTS:
  nginx-common                    1.10.0-0ubuntu0.16.04.3
  nginx-core                      1.10.0-0ubuntu0.16.04.3
  nginx-extras                    1.10.0-0ubuntu0.16.04.3
  nginx-full                      1.10.0-0ubuntu0.16.04.3
  nginx-light                     1.10.0-0ubuntu0.16.04.3

Ubuntu 14.04 LTS:
  nginx-common                    1.4.6-1ubuntu3.6
  nginx-core                      1.4.6-1ubuntu3.6
  nginx-extras                    1.4.6-1ubuntu3.6
  nginx-full                      1.4.6-1ubuntu3.6
  nginx-light                     1.4.6-1ubuntu3.6

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3114-1
  CVE-2016-1247

Package Information:
  https://launchpad.net/ubuntu/+source/nginx/1.10.1-0ubuntu1.1
  https://launchpad.net/ubuntu/+source/nginx/1.10.0-0ubuntu0.16.04.3
  https://launchpad.net/ubuntu/+source/nginx/1.4.6-1ubuntu3.6

----- End forwarded message -----

From security at unicamp.br Mon Oct 31 14:46:13 2016
From: security at unicamp.br (CSIRT Unicamp)
Date: Mon, 31 Oct 2016 14:46:13 -0200
Subject: [SECURITY-L] Fwd: [RHSA-2016:2128-01] Important: kernel security and enhancement update
In-Reply-To: <201610311607.u9VG7XxO001981@int-mx14.intmail.prod.int.phx2.redhat.com>
References: <201610311607.u9VG7XxO001981@int-mx14.intmail.prod.int.phx2.redhat.com>
Message-ID: <7a21c253-bf67-26c9-4b7f-4e4cfd62dbdd@unicamp.br>

-------- Forwarded message --------
Subject: [RHSA-2016:2128-01] Important: kernel security and enhancement update
Date: Mon, 31 Oct 2016 16:07:32 +0000
From: bugzilla at redhat.com
To: rhsa-announce at redhat.com, enterprise-watch-list at redhat.com
=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and enhancement update
Advisory ID:       RHSA-2016:2128-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2128.html
Issue date:        2016-10-31
CVE Names:         CVE-2016-4470 CVE-2016-5195
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 6.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux HPC Node EUS (v. 6.6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.6) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.6) - i386, ppc64, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* A flaw was found in the Linux kernel's keyring handling code: the key_reject_and_link() function could be forced to free an arbitrary memory block. An attacker could use this flaw to trigger a use-after-free condition on the system, potentially allowing for privilege escalation. (CVE-2016-4470, Important)

* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)

Red Hat would like to thank Phil Oester for reporting CVE-2016-5195.
The CVE-2016-4470 issue was discovered by David Howells (Red Hat).

Enhancement(s):

* This update fixes a tape write problem by fixing the use of the sas_is_tlr_enabled API in the mpt3sas driver. The driver now checks whether Transport Layer Recovery (TLR) is enabled before enabling the MPI2_SCSIIO_CONTROL_TLR_ON flag. (BZ#1372352)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1341716 - CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path
1384344 - CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage

6. Package List:

Red Hat Enterprise Linux HPC Node EUS (v. 6.6):

Source:
kernel-2.6.32-504.54.1.el6.src.rpm

noarch:
kernel-abi-whitelists-2.6.32-504.54.1.el6.noarch.rpm
kernel-doc-2.6.32-504.54.1.el6.noarch.rpm
kernel-firmware-2.6.32-504.54.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-common-i686-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.54.1.el6.x86_64.rpm
kernel-devel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-headers-2.6.32-504.54.1.el6.x86_64.rpm
perf-2.6.32-504.54.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.6):

x86_64:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.54.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.6):

Source:
kernel-2.6.32-504.54.1.el6.src.rpm

i386:
kernel-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-504.54.1.el6.i686.rpm
kernel-devel-2.6.32-504.54.1.el6.i686.rpm
kernel-headers-2.6.32-504.54.1.el6.i686.rpm
perf-2.6.32-504.54.1.el6.i686.rpm
perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm

noarch:
kernel-abi-whitelists-2.6.32-504.54.1.el6.noarch.rpm
kernel-doc-2.6.32-504.54.1.el6.noarch.rpm
kernel-firmware-2.6.32-504.54.1.el6.noarch.rpm

ppc64:
kernel-2.6.32-504.54.1.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debug-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-504.54.1.el6.ppc64.rpm
kernel-devel-2.6.32-504.54.1.el6.ppc64.rpm
kernel-headers-2.6.32-504.54.1.el6.ppc64.rpm
perf-2.6.32-504.54.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm

s390x:
kernel-2.6.32-504.54.1.el6.s390x.rpm
kernel-debug-2.6.32-504.54.1.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-504.54.1.el6.s390x.rpm
kernel-devel-2.6.32-504.54.1.el6.s390x.rpm
kernel-headers-2.6.32-504.54.1.el6.s390x.rpm
kernel-kdump-2.6.32-504.54.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-kdump-devel-2.6.32-504.54.1.el6.s390x.rpm
perf-2.6.32-504.54.1.el6.s390x.rpm
perf-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.s390x.rpm

x86_64:
kernel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-common-i686-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.54.1.el6.x86_64.rpm
kernel-devel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-headers-2.6.32-504.54.1.el6.x86_64.rpm
perf-2.6.32-504.54.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.6):

i386:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-504.54.1.el6.i686.rpm
perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
python-perf-2.6.32-504.54.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm

ppc64:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-504.54.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
python-perf-2.6.32-504.54.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm

s390x:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-504.54.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
perf-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
python-perf-2.6.32-504.54.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.s390x.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.54.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-4470
https://access.redhat.com/security/cve/CVE-2016-5195
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/2706661

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce em redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

From security em unicamp.br Tue Oct 18 08:50:26 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 18 Oct 2016 10:50:26 -0000
Subject: [SECURITY-L] [bugzilla@redhat.com: [RHSA-2016:2073-01] Important: openssl security update]
Message-ID: <20161018105025.GA17236@unicamp.br>

----- Forwarded message from bugzilla em redhat.com -----

Date: Tue, 18 Oct 2016 07:19:58 +0000
From: bugzilla em redhat.com
To: rhsa-announce em redhat.com, enterprise-watch-list em redhat.com
Subject: [RHSA-2016:2073-01] Important: openssl security update

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: openssl security update
Advisory ID:  RHSA-2016:2073-01
Product:      Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2073.html
Issue date:   2016-10-18
CVE Names:    CVE-2016-0799 CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2842
=====================================================================

1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 6.7 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux HPC Node EUS (v. 6.7) - x86_64
Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.7) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.7) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.7) - i386, ppc64, s390x, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108)

* Two integer overflow flaws, leading to buffer overflows, were found in the way the EVP_EncodeUpdate() and EVP_EncryptUpdate() functions of OpenSSL parsed very large amounts of input data. A remote attacker could use these flaws to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105, CVE-2016-2106)

* It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI.
A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2016-2107)

* Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application. (CVE-2016-0799, CVE-2016-2842)

* A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-0799. Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, and CVE-2016-0799; and Juraj Somorovsky as the original reporter of CVE-2016-2107.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1312219 - CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
1314757 - CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331426 - CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow

6. Package List:

Red Hat Enterprise Linux HPC Node EUS (v. 6.7):

Source:
openssl-1.0.1e-42.el6_7.5.src.rpm

x86_64:
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.7):

x86_64:
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-perl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-static-1.0.1e-42.el6_7.5.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.7):

Source:
openssl-1.0.1e-42.el6_7.5.src.rpm

i386:
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm

ppc64:
openssl-1.0.1e-42.el6_7.5.ppc.rpm
openssl-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.ppc.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-devel-1.0.1e-42.el6_7.5.ppc.rpm
openssl-devel-1.0.1e-42.el6_7.5.ppc64.rpm

s390x:
openssl-1.0.1e-42.el6_7.5.s390.rpm
openssl-1.0.1e-42.el6_7.5.s390x.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.s390.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.s390x.rpm
openssl-devel-1.0.1e-42.el6_7.5.s390.rpm
openssl-devel-1.0.1e-42.el6_7.5.s390x.rpm

x86_64:
openssl-1.0.1e-42.el6_7.5.i686.rpm
openssl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm
openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.7):

i386:
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm
openssl-perl-1.0.1e-42.el6_7.5.i686.rpm
openssl-static-1.0.1e-42.el6_7.5.i686.rpm

ppc64:
openssl-debuginfo-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-perl-1.0.1e-42.el6_7.5.ppc64.rpm
openssl-static-1.0.1e-42.el6_7.5.ppc64.rpm

s390x:
openssl-debuginfo-1.0.1e-42.el6_7.5.s390x.rpm
openssl-perl-1.0.1e-42.el6_7.5.s390x.rpm
openssl-static-1.0.1e-42.el6_7.5.s390x.rpm

x86_64:
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-perl-1.0.1e-42.el6_7.5.x86_64.rpm
openssl-static-1.0.1e-42.el6_7.5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-0799
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-2107
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2109
https://access.redhat.com/security/cve/CVE-2016-2842
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce em redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

----- End forwarded message -----

From security em unicamp.br Fri Oct 21 09:05:58 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 21 Oct 2016 11:05:58 -0000
Subject: [SECURITY-L] [bugzilla@redhat.com: [RHSA-2016:2093-01] Important: bind security update]
Message-ID: <20161021110557.GA8321@unicamp.br>

----- Forwarded message from bugzilla em redhat.com -----

Date: Thu, 20 Oct 2016 20:46:15 +0000
From: bugzilla em redhat.com
To: rhsa-announce em redhat.com, enterprise-watch-list em redhat.com
Subject: [RHSA-2016:2093-01] Important: bind security update

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: bind security update
Advisory ID:  RHSA-2016:2093-01
Product:      Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2093.html
Issue date:   2016-10-20
CVE Names:    CVE-2016-2848
=====================================================================

1. Summary:

An update for bind is now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND handled packets with malformed options. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS packet. (CVE-2016-2848)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, the BIND daemon (named) will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1385450 - CVE-2016-2848 bind: assertion failure triggered by a packet with malformed options

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
bind-9.3.6-25.P1.el5_11.10.src.rpm

i386:
bind-9.3.6-25.P1.el5_11.10.i386.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm
bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm
bind-sdb-9.3.6-25.P1.el5_11.10.i386.rpm
bind-utils-9.3.6-25.P1.el5_11.10.i386.rpm

x86_64:
bind-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm
bind-libs-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-sdb-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-utils-9.3.6-25.P1.el5_11.10.x86_64.rpm

Red Hat Enterprise Linux Desktop Workstation (v. 5 client):

Source:
bind-9.3.6-25.P1.el5_11.10.src.rpm

i386:
bind-chroot-9.3.6-25.P1.el5_11.10.i386.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm
bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
caching-nameserver-9.3.6-25.P1.el5_11.10.i386.rpm

x86_64:
bind-chroot-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
bind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm
caching-nameserver-9.3.6-25.P1.el5_11.10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
bind-9.3.6-25.P1.el5_11.10.src.rpm

i386:
bind-9.3.6-25.P1.el5_11.10.i386.rpm
bind-chroot-9.3.6-25.P1.el5_11.10.i386.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm
bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm
bind-sdb-9.3.6-25.P1.el5_11.10.i386.rpm
bind-utils-9.3.6-25.P1.el5_11.10.i386.rpm
caching-nameserver-9.3.6-25.P1.el5_11.10.i386.rpm

ia64:
bind-9.3.6-25.P1.el5_11.10.ia64.rpm
bind-chroot-9.3.6-25.P1.el5_11.10.ia64.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.ia64.rpm
bind-devel-9.3.6-25.P1.el5_11.10.ia64.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.ia64.rpm
bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm
bind-libs-9.3.6-25.P1.el5_11.10.ia64.rpm
bind-sdb-9.3.6-25.P1.el5_11.10.ia64.rpm
bind-utils-9.3.6-25.P1.el5_11.10.ia64.rpm
caching-nameserver-9.3.6-25.P1.el5_11.10.ia64.rpm

ppc:
bind-9.3.6-25.P1.el5_11.10.ppc.rpm
bind-chroot-9.3.6-25.P1.el5_11.10.ppc.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.ppc.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.ppc64.rpm
bind-devel-9.3.6-25.P1.el5_11.10.ppc.rpm
bind-devel-9.3.6-25.P1.el5_11.10.ppc64.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.ppc.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.ppc64.rpm
bind-libs-9.3.6-25.P1.el5_11.10.ppc.rpm
bind-libs-9.3.6-25.P1.el5_11.10.ppc64.rpm
bind-sdb-9.3.6-25.P1.el5_11.10.ppc.rpm
bind-utils-9.3.6-25.P1.el5_11.10.ppc.rpm
caching-nameserver-9.3.6-25.P1.el5_11.10.ppc.rpm

s390x:
bind-9.3.6-25.P1.el5_11.10.s390x.rpm
bind-chroot-9.3.6-25.P1.el5_11.10.s390x.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.s390.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.s390x.rpm
bind-devel-9.3.6-25.P1.el5_11.10.s390.rpm
bind-devel-9.3.6-25.P1.el5_11.10.s390x.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.s390.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.s390x.rpm
bind-libs-9.3.6-25.P1.el5_11.10.s390.rpm
bind-libs-9.3.6-25.P1.el5_11.10.s390x.rpm
bind-sdb-9.3.6-25.P1.el5_11.10.s390x.rpm
bind-utils-9.3.6-25.P1.el5_11.10.s390x.rpm
caching-nameserver-9.3.6-25.P1.el5_11.10.s390x.rpm

x86_64:
bind-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-chroot-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.i386.rpm
bind-debuginfo-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
bind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
bind-libbind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm
bind-libs-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-sdb-9.3.6-25.P1.el5_11.10.x86_64.rpm
bind-utils-9.3.6-25.P1.el5_11.10.x86_64.rpm
caching-nameserver-9.3.6-25.P1.el5_11.10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
bind-9.8.2-0.47.rc1.el6_8.2.src.rpm

i386:
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-utils-9.8.2-0.47.rc1.el6_8.2.i686.rpm

x86_64:
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-utils-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
bind-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-chroot-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-sdb-9.8.2-0.47.rc1.el6_8.2.i686.rpm

x86_64:
bind-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-chroot-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-sdb-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
bind-9.8.2-0.47.rc1.el6_8.2.src.rpm

x86_64:
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-utils-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
bind-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-chroot-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-sdb-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
bind-9.8.2-0.47.rc1.el6_8.2.src.rpm

i386:
bind-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-chroot-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-utils-9.8.2-0.47.rc1.el6_8.2.i686.rpm

ppc64:
bind-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm
bind-chroot-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.ppc.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.ppc.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm
bind-utils-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm

s390x:
bind-9.8.2-0.47.rc1.el6_8.2.s390x.rpm
bind-chroot-9.8.2-0.47.rc1.el6_8.2.s390x.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.s390.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.s390x.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.s390.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.s390x.rpm
bind-utils-9.8.2-0.47.rc1.el6_8.2.s390x.rpm

x86_64:
bind-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-chroot-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-utils-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-sdb-9.8.2-0.47.rc1.el6_8.2.i686.rpm

ppc64:
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.ppc.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.ppc.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm
bind-sdb-9.8.2-0.47.rc1.el6_8.2.ppc64.rpm

s390x:
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.s390.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.s390x.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.s390.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.s390x.rpm
bind-sdb-9.8.2-0.47.rc1.el6_8.2.s390x.rpm

x86_64:
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-sdb-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
bind-9.8.2-0.47.rc1.el6_8.2.src.rpm

i386:
bind-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-chroot-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-utils-9.8.2-0.47.rc1.el6_8.2.i686.rpm

x86_64:
bind-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-chroot-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-libs-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-utils-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-sdb-9.8.2-0.47.rc1.el6_8.2.i686.rpm

x86_64:
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-debuginfo-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm
bind-devel-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
bind-sdb-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-2848 https://access.redhat.com/security/updates/classification/#important https://kb.isc.org/article/AA-01433 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -- RHSA-announce mailing list RHSA-announce em redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce ----- End forwarded message ----- From security em unicamp.br Tue Oct 25 13:28:54 2016 From: security em unicamp.br (CSIRT Unicamp) Date: Tue, 25 Oct 2016 15:28:54 -0000 Subject: [SECURITY-L] Joomla! 3.6.4 Released Message-ID: Joomla! 3.6.4 is now available. This is a security release for the 3.x series of Joomla! which addresses two critical security vulnerabilities and a bug fix for two-factor authentication. We strongly recommend that you update your sites immediately. This release only contains the security fixes and bug fix; no other changes have been made compared to the Joomla! 3.6.3 release. _What's in 3.6.4_ Version 3.6.4 is released to address two critical security issues and a bug regarding two-factor authentication. _Security Issues Fixed_ High Priority - Core - Account Creation (affecting Joomla! 3.4.4 through 3.6.3) High Priority - Core - Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3) _Bug Fixes_ [#12497] Two-Factor Authentication encryption fix -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... 
URL:

From security em unicamp.br Tue Oct 25 14:31:09 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 25 Oct 2016 16:31:09 -0000
Subject: [SECURITY-L] [marc.deslauriers@canonical.com: [USN-3109-1] MySQL vulnerabilities]
Message-ID: <20161025163108.GO21289@unicamp.br>

----- Forwarded message from Marc Deslauriers -----

Date: Tue, 25 Oct 2016 09:36:12 -0400
From: Marc Deslauriers
To: ubuntu-security-announce em lists.ubuntu.com
Subject: [USN-3109-1] MySQL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3109-1
October 25, 2016

mysql-5.5, mysql-5.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database
- mysql-5.5: MySQL database

Details:

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.53 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 16.04 LTS and Ubuntu 16.10 have been updated to MySQL 5.7.16.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
Please see the following for more information:

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-53.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-16.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10:
  mysql-server-5.7                5.7.16-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  mysql-server-5.7                5.7.16-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  mysql-server-5.5                5.5.53-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  mysql-server-5.5                5.5.53-0ubuntu0.12.04.1

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3109-1
  CVE-2016-5584, CVE-2016-7440

Package Information:
  https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.16-0ubuntu0.16.10.1
  https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.16-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.53-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.53-0ubuntu0.12.04.1

----- End forwarded message -----

From security em unicamp.br Wed Oct 26 14:50:15 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 26 Oct 2016 16:50:15 -0000
Subject: [SECURITY-L] [USN-3114-1] nginx vulnerability
Message-ID: <20161026165014.GF25066@unicamp.br>

----- Forwarded message from Marc Deslauriers -----

Date: Tue, 25 Oct 2016 15:59:03 -0400
From: Marc Deslauriers
To: ubuntu-security-announce em lists.ubuntu.com
Subject: [USN-3114-1] nginx vulnerability

==========================================================================
Ubuntu Security Notice USN-3114-1
October 25, 2016

nginx vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

The system could be made to run programs as an administrator.
Software Description:
- nginx: small, powerful, scalable web/proxy server

Details:

Dawid Golunski discovered that the nginx package incorrectly handled log file permissions. A remote attacker could possibly use this issue to obtain root privileges.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10:
  nginx-common                    1.10.1-0ubuntu1.1
  nginx-core                      1.10.1-0ubuntu1.1
  nginx-extras                    1.10.1-0ubuntu1.1
  nginx-full                      1.10.1-0ubuntu1.1
  nginx-light                     1.10.1-0ubuntu1.1

Ubuntu 16.04 LTS:
  nginx-common                    1.10.0-0ubuntu0.16.04.3
  nginx-core                      1.10.0-0ubuntu0.16.04.3
  nginx-extras                    1.10.0-0ubuntu0.16.04.3
  nginx-full                      1.10.0-0ubuntu0.16.04.3
  nginx-light                     1.10.0-0ubuntu0.16.04.3

Ubuntu 14.04 LTS:
  nginx-common                    1.4.6-1ubuntu3.6
  nginx-core                      1.4.6-1ubuntu3.6
  nginx-extras                    1.4.6-1ubuntu3.6
  nginx-full                      1.4.6-1ubuntu3.6
  nginx-light                     1.4.6-1ubuntu3.6

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3114-1
  CVE-2016-1247

Package Information:
  https://launchpad.net/ubuntu/+source/nginx/1.10.1-0ubuntu1.1
  https://launchpad.net/ubuntu/+source/nginx/1.10.0-0ubuntu0.16.04.3
  https://launchpad.net/ubuntu/+source/nginx/1.4.6-1ubuntu3.6

----- End forwarded message -----

From security em unicamp.br Mon Oct 31 14:46:14 2016
From: security em unicamp.br (CSIRT Unicamp)
Date: Mon, 31 Oct 2016 16:46:14 -0000
Subject: [SECURITY-L] Fwd: [RHSA-2016:2128-01] Important: kernel security and enhancement update
In-Reply-To: <201610311607.u9VG7XxO001981@int-mx14.intmail.prod.int.phx2.redhat.com>
References: <201610311607.u9VG7XxO001981@int-mx14.intmail.prod.int.phx2.redhat.com>
Message-ID: <7a21c253-bf67-26c9-4b7f-4e4cfd62dbdd@unicamp.br>

-------- Forwarded message --------
Subject: [RHSA-2016:2128-01] Important: kernel security and enhancement update
Date: Mon, 31 Oct 2016 16:07:32 +0000
From: bugzilla em redhat.com
To: rhsa-announce em redhat.com, enterprise-watch-list em redhat.com
=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and enhancement update
Advisory ID:       RHSA-2016:2128-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2128.html
Issue date:        2016-10-31
CVE Names:         CVE-2016-4470 CVE-2016-5195
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 6.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux HPC Node EUS (v. 6.6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.6) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.6) - i386, ppc64, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* A flaw was found in the Linux kernel's keyring handling code: the key_reject_and_link() function could be forced to free an arbitrary memory block. An attacker could use this flaw to trigger a use-after-free condition on the system, potentially allowing for privilege escalation. (CVE-2016-4470, Important)

* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)

Red Hat would like to thank Phil Oester for reporting CVE-2016-5195.
The CVE-2016-4470 issue was discovered by David Howells (Red Hat).

Enhancement(s):

* This update fixes a tape write problem by fixing the use of the sas_is_tlr_enabled API in the mpt3sas driver. The driver now checks whether Transport Layer Recovery (TLR) is enabled before enabling the MPI2_SCSIIO_CONTROL_TLR_ON flag. (BZ#1372352)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1341716 - CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path
1384344 - CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage

6. Package List:

Red Hat Enterprise Linux HPC Node EUS (v. 6.6):

Source:
kernel-2.6.32-504.54.1.el6.src.rpm

noarch:
kernel-abi-whitelists-2.6.32-504.54.1.el6.noarch.rpm
kernel-doc-2.6.32-504.54.1.el6.noarch.rpm
kernel-firmware-2.6.32-504.54.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-common-i686-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.54.1.el6.x86_64.rpm
kernel-devel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-headers-2.6.32-504.54.1.el6.x86_64.rpm
perf-2.6.32-504.54.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.6):

x86_64:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.54.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.6):

Source:
kernel-2.6.32-504.54.1.el6.src.rpm

i386:
kernel-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-504.54.1.el6.i686.rpm
kernel-devel-2.6.32-504.54.1.el6.i686.rpm
kernel-headers-2.6.32-504.54.1.el6.i686.rpm
perf-2.6.32-504.54.1.el6.i686.rpm
perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm

noarch:
kernel-abi-whitelists-2.6.32-504.54.1.el6.noarch.rpm
kernel-doc-2.6.32-504.54.1.el6.noarch.rpm
kernel-firmware-2.6.32-504.54.1.el6.noarch.rpm

ppc64:
kernel-2.6.32-504.54.1.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debug-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-504.54.1.el6.ppc64.rpm
kernel-devel-2.6.32-504.54.1.el6.ppc64.rpm
kernel-headers-2.6.32-504.54.1.el6.ppc64.rpm
perf-2.6.32-504.54.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm

s390x:
kernel-2.6.32-504.54.1.el6.s390x.rpm
kernel-debug-2.6.32-504.54.1.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-504.54.1.el6.s390x.rpm
kernel-devel-2.6.32-504.54.1.el6.s390x.rpm
kernel-headers-2.6.32-504.54.1.el6.s390x.rpm
kernel-kdump-2.6.32-504.54.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-kdump-devel-2.6.32-504.54.1.el6.s390x.rpm
perf-2.6.32-504.54.1.el6.s390x.rpm
perf-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.s390x.rpm

x86_64:
kernel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.i686.rpm
kernel-debug-devel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-common-i686-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.54.1.el6.x86_64.rpm
kernel-devel-2.6.32-504.54.1.el6.x86_64.rpm
kernel-headers-2.6.32-504.54.1.el6.x86_64.rpm
perf-2.6.32-504.54.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.6):

i386:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-504.54.1.el6.i686.rpm
perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm
python-perf-2.6.32-504.54.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.i686.rpm

ppc64:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-504.54.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm
python-perf-2.6.32-504.54.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.ppc64.rpm

s390x:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-504.54.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
perf-debuginfo-2.6.32-504.54.1.el6.s390x.rpm
python-perf-2.6.32-504.54.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.s390x.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.54.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-2.6.32-504.54.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.54.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-4470
https://access.redhat.com/security/cve/CVE-2016-5195
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/2706661

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce em redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
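The kernel erratum above says the system must be rebooted for the update to take effect, and its package list names the fixed build as kernel-2.6.32-504.54.1.el6. Installing the RPM is therefore not enough: a host is still exposed to CVE-2016-5195 until `uname -r` reports that build or newer. The following is an added example, not code from Red Hat, Ubuntu or the CSIRT list, that makes that check mechanical: it orders kernel version strings the way rpm's rpmvercmp does (simplified: no tilde or caret handling) and classifies a host as fixed, reboot-required, vulnerable, or belonging to another update stream. It assumes the fixed NVR quoted in the advisory, that `uname -r` on RHEL 6 appends an architecture suffix, and that the newest installed kernel package can be read from, for example, the first entry of `rpm -q --last kernel`. The "same stream" rule (first release segment, 504 for RHEL 6.6, identifies the EUS stream) is this example's own heuristic, not a statement from the advisory; kernels from other streams need their own erratum. All sample inputs are constructed.

```python
import re

# Fixed kernel build quoted in RHSA-2016:2128 (kernel-2.6.32-504.54.1.el6.*)
FIXED_KERNEL = "2.6.32-504.54.1.el6"
# Architecture suffixes that `uname -r` appends on RHEL 6 (assumption of this example)
ARCHES = ("x86_64", "i686", "ppc64", "s390x")

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Order two version or release strings like rpm's rpmvercmp (tilde and
    caret handling omitted): split into numeric and alphabetic runs, compare
    numeric runs as integers and alphabetic runs lexically, a numeric run is
    newer than an alphabetic one, and a string with runs left over is newer.
    Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def split_vr(kernel):
    """Split `uname -r` output or a kernel package NVR into (version, release),
    dropping a leading 'kernel-' and the architecture suffix."""
    kernel = kernel.strip()
    if kernel.startswith("kernel-"):
        kernel = kernel[len("kernel-"):]
    for arch in ARCHES:
        if kernel.endswith("." + arch):
            kernel = kernel[: -(len(arch) + 1)]
    version, _, release = kernel.partition("-")
    return version, release


def compare_kernels(a, b):
    """rpm-style ordering of two kernel builds: version first, then release."""
    va, ra = split_vr(a)
    vb, rb = split_vr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def same_stream(kernel, fixed=FIXED_KERNEL):
    """Heuristic (this example's assumption): the first release segment names
    the RHEL 6 update stream, so 2.6.32-504.* is the RHEL 6.6 EUS stream that
    this advisory covers. Other streams are not judged by this erratum."""
    _, release = split_vr(kernel)
    _, fixed_release = split_vr(fixed)
    return release.split(".")[0] == fixed_release.split(".")[0]


def assess(running, installed=None, fixed=FIXED_KERNEL):
    """Classify a host from its running kernel (`uname -r`) and, optionally,
    the newest installed kernel package (e.g. first line of `rpm -q --last kernel`).
    Returns 'fixed', 'reboot-required', 'vulnerable' or 'other-stream'."""
    if not same_stream(running, fixed):
        return "other-stream"
    if compare_kernels(running, fixed) >= 0:
        return "fixed"
    if installed is not None and compare_kernels(installed, fixed) >= 0:
        return "reboot-required"   # package present, old kernel still booted
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from any real host.
    samples = [
        ("2.6.32-504.30.3.el6.x86_64", None),
        ("2.6.32-504.30.3.el6.x86_64", "kernel-2.6.32-504.54.1.el6.x86_64"),
        ("2.6.32-504.54.1.el6.x86_64", None),
        ("2.6.32-573.26.1.el6.x86_64", None),
    ]
    for running, installed in samples:
        print(running, installed or "-", "->", assess(running, installed))
```

In practice the two inputs come from `uname -r` and the newest entry of `rpm -q --last kernel` on each host; a `reboot-required` result is the case the advisory's "must be rebooted" line warns about, and `other-stream` is a prompt to look up the erratum for that stream rather than a clean bill of health.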