<?xml version='1.0' encoding='UTF-8'?>
<vendorstatements:vendorstatements xmlns:vendorstatements="http://nvd.nist.gov/feeds/nvdcvestatements" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://nvd.nist.gov/feeds/nvdcvestatements" xsi:schemaLocation="http://nvd.nist.gov/feeds/nvdcvestatements https://scap.nist.gov/schema/nvd/nvdcvestatements.xsd" publish_date="2025-05-20" xml_version="1.0">
  <statement cvename="CVE-2002-0004" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2008-5285" organization="Red Hat" lastmodified="2009-03-05" contributor="Tomas Hoger">This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html</statement>
  <statement cvename="CVE-2008-5301" organization="Red Hat" lastmodified="2008-12-02" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 4, or 5.  Those packages do not include ManageSieve server.</statement>
  <statement cvename="CVE-2008-5302" organization="Red Hat" lastmodified="2010-06-07" contributor="Tomas Hoger">This issue has been addressed in perl packages as shipped in Red Hat Enterprise Linux 3 and 4 via https://rhn.redhat.com/errata/RHSA-2010-0457.html and Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0458.html.
</statement>
  <statement cvename="CVE-2008-5303" organization="Red Hat" lastmodified="2010-06-07" contributor="Tomas Hoger">This issue has been addressed in perl packages as shipped in Red Hat Enterprise Linux 3 and 4 via https://rhn.redhat.com/errata/RHSA-2010-0457.html and Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0458.html.
</statement>
  <statement cvename="CVE-2008-5374" organization="Red Hat" lastmodified="2008-12-10" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-5374

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-5377" organization="Red Hat" lastmodified="2009-01-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Affected script is not part of the upstream CUPS distribution, but rather an addition used by Debian-based distributions (and possibly others).

CUPS packages as shipped in Red Hat Enterprise Linux 5 also provide pstopdf filter.  However, that filter is different from the one used in Debian-based distributions, and is unaffected by this flaw.

Additionally, all filters used by CUPS on all versions of Red Hat Enterprise Linux are run under an unprivileged &quot;lp&quot; user, making the root privilege escalation mentioned in the published exploit impossible.</statement>
  <statement cvename="CVE-2008-5393" organization="Red Hat" lastmodified="2008-12-09" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. It only affected the Ubuntu Privacy Remix (UPR) kernel.</statement>
  <statement cvename="CVE-2008-5394" organization="Red Hat" lastmodified="2008-12-18" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the util-linux packages (providing /bin/login), as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.</statement>
  <statement cvename="CVE-2008-5395" organization="Red Hat" lastmodified="2008-12-09" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the PA-RISC architecture.</statement>
  <statement cvename="CVE-2008-5514" organization="Red Hat" lastmodified="2009-01-12" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of imap as shipped with Red Hat Enterprise Linux 2.1 and 3, and the versions of libc-client as shipped with Red Hat Enterprise Linux 4 and 5.</statement>
  <statement cvename="CVE-2008-5617" organization="Red Hat" lastmodified="2008-12-17" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the version of the rsyslog package, as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2008-5618" organization="Red Hat" lastmodified="2008-12-17" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the version of the rsyslog package, as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2008-5624" organization="Red Hat" lastmodified="2009-03-17" contributor="Tomas Hoger">We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2008-5625" organization="Red Hat" lastmodified="2009-03-31" contributor="Tomas Hoger">We do not consider this to be a security issue. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2008-5658" organization="Red Hat" lastmodified="2009-04-15" contributor="Tomas Hoger">This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1. PHP version in Red Hat Application Stack v2 was fixed via: https://rhn.redhat.com/errata/RHSA-2009-0350.html</statement>
  <statement cvename="CVE-2008-5698" organization="Red Hat" lastmodified="2009-01-19" contributor="Joshua Bressers">Red Hat does not consider a crash of a client application such as Konqueror to be a security issue.</statement>
  <statement cvename="CVE-2008-5701" organization="Red Hat" lastmodified="2009-05-14" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the MIPS architecture.</statement>
  <statement cvename="CVE-2008-5712" organization="Red Hat" lastmodified="2009-01-19" contributor="Joshua Bressers">Red Hat does not consider a crash of a client application such as Konqueror to be a security issue.</statement>
  <statement cvename="CVE-2008-5713" organization="Red Hat" lastmodified="2009-02-11" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.  It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-0264.html</statement>
  <statement cvename="CVE-2008-5714" organization="Red Hat" lastmodified="2009-02-26" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2008-5715" organization="Red Hat" lastmodified="2009-01-19" contributor="Joshua Bressers">Red Hat does not consider a crash of a client application such as Firefox to be a security issue.</statement>
  <statement cvename="CVE-2008-5716" organization="Red Hat" lastmodified="2009-01-07" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5.  Security update released to address CVE-2008-4405 - https://rhn.redhat.com/errata/RHSA-2009-0003.html - contained correct patch which did not introduce this problem and resolved the original issue.</statement>
  <statement cvename="CVE-2008-5822" organization="Red Hat" lastmodified="2009-01-19" contributor="Joshua Bressers">Red Hat does not consider a crash of a client application such as Firefox to be a security issue.</statement>
  <statement cvename="CVE-2008-5824" organization="Red Hat" lastmodified="2009-02-11" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=479966

The Red Hat Security Response Team has rated this issue as having low
security impact, a future update may address this flaw. More
information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-5844" organization="Red Hat" lastmodified="2009-01-23" contributor="Tomas Hoger">Not vulnerable.  This issue did not affect the versions of the php package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, and with
Red Hat Application Stack v1 and v2.  Only PHP version 5.2.7 was affected by this flaw.</statement>
  <statement cvename="CVE-2008-5907" organization="Red Hat" lastmodified="2009-02-11" contributor="Joshua Bressers">Red Hat does not consider this bug to be a security issue. For a more detailed explanation, please see the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5907</statement>
  <statement cvename="CVE-2008-6107" organization="Red Hat" lastmodified="2009-02-12" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1, 3, 4, and 5 do not ship for the SPARC architecture.</statement>
  <statement cvename="CVE-2008-6218" organization="Red Hat" lastmodified="2009-06-03" contributor="Joshua Bressers">Red Hat does not consider this bug a security flaw. For more details please see the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=468990</statement>
  <statement cvename="CVE-2014-5776" organization="The Secure@Sony Team" lastmodified="2015-02-05" contributor="The Secure@Sony Team">Remediation: Fixed the vulnerability in Playmemories online version 4.3.1 and the latest version 4.4.0</statement>
  <statement cvename="CVE-2008-6560" organization="Red Hat" lastmodified="2009-08-04" contributor="Tomas Hoger">Red Hat does not consider this to be a security issue. The misbehaviour of CMAN is triggered by corrupted / specially crafted cluster.conf configuration file. Ability to edit this file is restricted to system administrator, therefore no privilege boundary is crossed.</statement>
  <statement cvename="CVE-2008-7002" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This is not a security issue.  For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-7002#c7</statement>
  <statement cvename="CVE-2008-7053" organization="LogMeIn" lastmodified="2014-06-18" contributor="LogMeIn">LogMeIn is aware of the CVE-2008-7053 issue and has resolved it on 9/3/2008. The fix is included in LogMeIn ActiveX Plugin since version 392-G2.</statement>
  <statement cvename="CVE-2008-7068" organization="Red Hat" lastmodified="2009-08-27" contributor="Tomas Hoger">This is not a security issue. A user with read and write access to a file can reasonably be expected to manipulate the contents of the file, including truncating it. Instead of using dba_replace(), a user could simply fopen() the file in write mode, which provides the same end-result.</statement>
  <statement cvename="CVE-2008-7159" organization="Red Hat" lastmodified="2009-09-11" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.</statement>
  <statement cvename="CVE-2008-7160" organization="Red Hat" lastmodified="2009-09-11" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.</statement>
  <statement cvename="CVE-2008-7177" organization="Red Hat" lastmodified="2009-09-10" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of nasm as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-7247" organization="Red Hat" lastmodified="2009-12-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-0022" organization="Red Hat" lastmodified="2009-01-07" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-0024" organization="Red Hat" lastmodified="2009-01-14" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 and Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-0029" organization="Red Hat" lastmodified="2009-06-09" contributor="Tomas Hoger">This flaw affects most 64-bit architectures, including IBM S/390 and 64-bit PowerPC, but it does not affect x86_64 or Intel Itanium. The risks associated with fixing this flaw are greater than the security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5. Red Hat Enterprise MRG is not affected as it is not supported on 64-bit architectures other than x86_64.</statement>
  <statement cvename="CVE-2009-0032" organization="Red Hat" lastmodified="2009-01-27" contributor="Joshua Bressers">Not vulnerable. Red Hat does not ship the vulnerable backend that causes this flaw.</statement>
  <statement cvename="CVE-2009-0071" organization="Red Hat" lastmodified="2009-01-19" contributor="Joshua Bressers">Red Hat does not consider a crash of a client application such as Firefox to be a security issue.</statement>
  <statement cvename="CVE-2010-0003" organization="Red Hat" lastmodified="2010-03-17" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0003.

This issue has been rated as having moderate security impact.

A future update in Red Hat Enterprise MRG may address this flaw. This issue was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0146.html and https://rhn.redhat.com/errata/RHSA-2010-0147.html respectively.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/
</statement>
  <statement cvename="CVE-2010-0006" organization="Red Hat" lastmodified="2010-01-28" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not have support for network namespaces, and did not include upstream commit 483a47d2 that introduced the problem.</statement>
  <statement cvename="CVE-2010-0007" organization="Red Hat" lastmodified="2010-03-17" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0007.

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, as it did not include support for ebtables. This issue was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0146.html and https://rhn.redhat.com/errata/RHSA-2010-0147.html respectively. A future update in Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2010-0008" organization="Red Hat" lastmodified="2010-03-22" contributor="Vincent Danen">This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. It did not affect the version of Linux kernel as shipped with Red Hat Enterprise MRG as it has already had the fix to this issue. This was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0146.html and https://rhn.redhat.com/errata/RHSA-2010-9419.html respectively.</statement>
  <statement cvename="CVE-2010-0010" organization="Red Hat" lastmodified="2010-02-03" contributor="Joshua Bressers">This issue does not affect the Apache HTTP Server versions 2 and greater. This flaw does not affect any supported versions of Red Hat Enterprise Linux.

This flaw does affect Red Hat Network Proxy and Red Hat Network Satellite. While those products do not use this feature, we are tracking the issue with the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0010</statement>
  <statement cvename="CVE-2009-0122" organization="Red Hat" lastmodified="2009-01-19" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5.
</statement>
  <statement cvename="CVE-2009-0127" organization="Red Hat" lastmodified="2009-01-21" contributor="Tomas Hoger">Red Hat does not consider this to be a security issue.  M2Crypto provides python interfaces to multiple OpenSSL functions.  Neither of those interfaces is further used by M2Crypto in an insecure way.  Additionally, no application shipped in Red Hat Enterprise Linux is known to use affected interfaces provided by M2Crypto.

Further details can be found in the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127#c1</statement>
  <statement cvename="CVE-2009-0164" organization="Red Hat" lastmodified="2009-04-27" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0164

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2009-0179" organization="Red Hat" lastmodified="2009-01-21" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0179

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw. More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-1999-0523" organization="Red Hat" lastmodified="2007-09-11" contributor="Joshua Bressers">Red Hat Enterprise Linux by default does respond to ICMP echo requests, although it’s likely that in a production environment those would be filtered by some firewall on entry to your network.  However you can happily block ICMP ping responses using iptables if you so wish, but note that there is no known vulnerability in allowing them.

For more details, please see:
http://kbase.redhat.com/faq/FAQ_43_4304.shtm</statement>
  <statement cvename="CVE-1999-0524" organization="Red Hat" lastmodified="2010-01-05" contributor="Joshua Bressers">Red Hat Enterprise Linux is configured by default to respond to all ICMP requests. Users may configure the firewall to prevent a system from responding to certain ICMP requests.</statement>
  <statement cvename="CVE-1999-0997" organization="Red Hat" lastmodified="2006-09-27" contributor="Joshua Bressers">Red Hat does not consider CVE-1999-0997 to be a security vulnerability.  The wu-ftpd process chroots itself into the target ftp directory and will only run external commands as the user logged into the ftp server.  Because the process chroots itself, an attacker needs a valid login with write access to the ftp server, and even then they could only potentially execute commands as themselves.</statement>
  <statement cvename="CVE-1999-1199" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.2:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-1999-1567" organization="Seapine Software" lastmodified="2010-07-22" contributor="Seapine Software">This issue was originally reported on 3/8/1999 and Seapine fixed the issue on 3/23/1999. This fix became available with the release of TestTrack Workgroup 1.8.  We would also like to note that the issue existed in the older TestTrack Workgroup product, which was discontinued in 2002.  This problem never existed in the TestTrack Pro product.</statement>
  <statement cvename="CVE-1999-1572" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2000-0505" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.14:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2000-0572" organization="Razor" lastmodified="2007-02-22" contributor="Al Menendez">Subsequent releases of Razor address this issue and utilize a more robust encryption mechanism for the Razor password. If you are under maintenance, you have the option of upgrading to a more recent release of Razor at no cost.  If you are not under maintenance and want to upgrade then you will need to contact Jennifer Stone at jstone@visible.com.

Some additional notes ...

- With version 4.1 and above, administrators of Razor may switch and use the local OS authentication instead of Razor’s authentication method.

- OS permissions and protections always apply to the artifacts stored in the database.

- This notice applies to users that have already logged into the supporting system.  This primary means of defense is intact in spite of this particular vulnerability.

- The next Razor release (due out in mid-2007) will allow remote UNIX clients to utilize SSH to authenticate the remote user.  More information on this release and others may be found on the Visible Systems web site:

http://www.visible.com/Products/Razor

Please contact Visible Systems Corporation at 1-800-6-VISIBLE if you have additional questions.</statement>
  <statement cvename="CVE-2000-0913" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.14:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2000-1137" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2000-1199" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2000-1204" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.14:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2000-1205" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.12:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2000-1206" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.11:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2001-0187" organization="Red Hat" lastmodified="2006-09-27" contributor="Joshua Bressers">Red Hat Enterprise Linux 2.1 ships with wu-ftp version 2.6.2 which is not vulnerable to this issue.</statement>
  <statement cvename="CVE-2001-0729" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.22:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2001-0730" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.22:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2001-0731" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.22:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2001-0925" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.19:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2001-0935" organization="Red Hat" lastmodified="2006-09-27" contributor="Joshua Bressers">CVE-2001-0935 refers to vulnerabilities found when SUSE did a code audit of the wu-ftpd glob.c file in wu-ftpd 2.6.0. They shared these details with the wu-ftpd upstream authors who clarified that some of the issues did not apply, and all were addressed by the version of glob.c in upstream wu-ftpd 2.6.1. Therefore we believe that the issues labelled as CVE-2001-0935 do not affect wu-ftpd 2.6.1 or later versions and therefore do not affect Red Hat Enterprise Linux 2.1.</statement>
  <statement cvename="CVE-2001-0983" organization="UltraEdit" lastmodified="2012-03-06" contributor="UltraEdit">We include an option, by design, that allows the user to *not* save the password, and instead enter the password on a per FTP session basis.  This would provide the highest level of security.  If the user decides to have UltraEdit save the FTP password in the INI, it is encrypted for the benefit of the user moving their settings from one system to another.  However, even with the highest level of encryption of the saved password, if the user decides to save their password in the INI, there will always be a level of vulnerability as a result of the user's decision to save the password.</statement>
  <statement cvename="CVE-2001-1342" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.20:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2001-1507" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2001-1534" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This is not a security issue.  The mod_usertrack cookies are not designed to be used for authentication.</statement>
  <statement cvename="CVE-2001-1556" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This is a duplicate CVE name and is a combination of CVE-2003-0020 and CVE-2003-0083.</statement>
  <statement cvename="CVE-2002-0061" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.24:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2002-0316" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2002-0389" organization="Red Hat" lastmodified="2016-12-27" contributor="Joshua Bressers">Red Hat does not intend to take any action on this issue. This is the expected behavior of Mailman and is not considered to be a security flaw by upstream.  If Mailman upstream addresses this issue in a future update, we may revisit our decision.</statement>
  <statement cvename="CVE-2002-0392" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.37 and 1.3.26:
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2002-0497" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2002-0510" organization="Red Hat" lastmodified="2008-03-25" contributor="Mark J Cox">Red Hat do not consider this to be a security issue and there are many ways that you can identify or fingerprint a Linux machine.  Users that wish to block fingerprinting can use various techniques to disguise their operating system, for example see
http://www.infosecwriters.com/text_resources/pdf/nmap.pdf
</statement>
  <statement cvename="CVE-2002-0639" organization="Red Hat" lastmodified="2008-05-15" contributor="Mark J Cox">Not vulnerable.  This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 3 or later.

This issue did not affect the OpenSSL packages as shipped with Red Hat Enterprise Linux 2.1 as they were not compiled with S/Key or BSD_AUTH support.  The upstream patch for this issue and CVE-2002-0640 was included in an errata so that users recompiling OpenSSL with support for those authentication methods would also be protected:
https://rhn.redhat.com/errata/RHSA-2002-131.html</statement>
  <statement cvename="CVE-2002-0654" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.40:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2002-0661" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.40:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2002-0839" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.27:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2002-0840" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.43 and 1.3.27:
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2002-0843" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.27:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2002-1156" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.43:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2002-1592" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.36:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2002-1593" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.42:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2002-1642" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2002-1648" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of SquirrelMail as shipped with Red Hat Enterprise Linux 3 or 4.
</statement>
  <statement cvename="CVE-2002-1649" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of SquirrelMail as shipped with Red Hat Enterprise Linux 3 or 4.</statement>
  <statement cvename="CVE-2002-1650" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of SquirrelMail as shipped with Red Hat Enterprise Linux 3 or 4.</statement>
  <statement cvename="CVE-2002-1850" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Apache HTTP server as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2002-1903" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162899

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2014-6261" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in 5.1.2</statement>
  <statement cvename="CVE-2002-2013" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Mozilla as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2002-2043" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue only affects a third-party patch to Cyrus SASL, not distributed with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2002-2061" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Mozilla as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2002-2067" organization="EAST Technologies" lastmodified="2006-12-20" contributor="Alexandra Preda">This issue has been addressed in the latest version of our product, East-Tec Eraser 2007 and you may download it from http://www.east-tec.com</statement>
  <statement cvename="CVE-2002-2103" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Apache HTTP server as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2002-2196" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of Samba as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2002-2204" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not believe this is a security vulnerability.  This is the documented and expected behaviour of rpm.</statement>
  <statement cvename="CVE-2002-2210" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue did not affect the RPM packages of OpenOffice as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2003-0016" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.44:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0017" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.44:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0020" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.49 and 1.3.31:
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2003-0083" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.46 and 1.3.26:
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2003-0131" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2003-0132" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.45:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0134" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.46:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0147" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2003-0189" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.46:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0192" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.47:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0192" organization="Red Hat" lastmodified="2008-03-10" contributor="Mark J Cox">This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:
http://rhn.redhat.com/errata/RHSA-2003-244.html

Red Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.</statement>
  <statement cvename="CVE-2003-0245" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.46:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0253" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.47:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0254" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.47:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0367" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2003-0375" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2003-0427" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2003-0460" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.28:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2003-0483" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 SP2 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2003-0542" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.48 and 1.3.29:
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2003-0543" organization="Red Hat" lastmodified="2008-07-07" contributor="Mark J Cox">For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.

The OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.

The OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).
</statement>
  <statement cvename="CVE-2003-0544" organization="Red Hat" lastmodified="2008-07-07" contributor="Mark J Cox">For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.

The OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.

The OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).
</statement>
  <statement cvename="CVE-2003-0545" organization="Red Hat" lastmodified="2008-07-07" contributor="Mark J Cox">Not vulnerable.  The OpenSSL packages in Red Hat Enterprise Linux 2.1 were not affected by this issue.

The OpenSSL packages in Red Hat Enterprise Linux 3 and 4 contain a backported patch since their initial release (openssl), or were not affected by this issue (openssl096b).

The OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).</statement>
  <statement cvename="CVE-2003-0618" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=114923

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 4.</statement>
  <statement cvename="CVE-2003-0682" organization="Red Hat" lastmodified="2007-03-27" contributor="Joshua Bressers">Not vulnerable.

This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280.

This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch.  The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA.

This flaw does not affect any subsequent versions of Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2003-0693" organization="Red Hat" lastmodified="2007-06-01" contributor="Mark J Cox">Not vulnerable.

This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280.

This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch.  The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA.

This flaw does not affect any subsequent versions of Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2003-0695" organization="Red Hat" lastmodified="2007-06-01" contributor="Mark J Cox">Not vulnerable.

This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280.

This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch.  The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA.

This flaw does not affect any subsequent versions of Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2003-0789" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.48:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2003-0857" organization="Red Hat" lastmodified="2007-11-21" contributor="Mark J Cox">Not affected.  Red Hat did not ship iptables-devel or anything else that used these vulnerable functions with Red Hat Enterprise Linux 2.1 or 3.  Red Hat Enterprise Linux 4 and 5 contained a backported patch to correct this issue.</statement>
  <statement cvename="CVE-2003-0860" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
</statement>
  <statement cvename="CVE-2003-0861" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
</statement>
  <statement cvename="CVE-2003-0863" organization="Red Hat" lastmodified="2008-06-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1.  The PHP packages in Red Hat Enterprise Linux 3 contain a backported patch to address this issue since release.  

The issue was fixed upstream in PHP 4.3.3.  The PHP packages in Red Hat Enterprise Linux 4 and 5 are based on fixed upstream versions.
</statement>
  <statement cvename="CVE-2003-0885" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of Xscreensaver as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2003-0987" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.31:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2003-0993" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.31:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2003-1138" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue.</statement>
  <statement cvename="CVE-2003-1307" organization="Red Hat" lastmodified="2006-10-25" contributor="Mark J Cox">This is not a vulnerability.  When PHP scripts are interpreted using the dynamically loaded mod_php DSO, the PHP interpreter executes with the privileges of the httpd child process. The PHP interpreter does not &quot;sandbox&quot; PHP scripts from the environment in which they run.

On any modern Unix system a process can easily obtain access to all the parent file descriptors anyway, even if they have been closed.

</statement>
  <statement cvename="CVE-2003-1308" organization="Red Hat" lastmodified="2006-11-22" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1 shipped with fvwm, however this issue does not affect the included version of fvwm.</statement>
  <statement cvename="CVE-2003-1331" organization="Red Hat" lastmodified="2007-06-29" contributor="Joshua Bressers">Red Hat does not consider this issue to be a security vulnerability since no trust boundary is crossed. The user must voluntarily interact with the attack mechanism to exploit this flaw, with the result being the ability to run code as themselves.
</statement>
  <statement cvename="CVE-2003-1557" organization="Red Hat" lastmodified="2008-04-04" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of SpamAssassin as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2003-1562" organization="Red Hat" lastmodified="2008-08-11" contributor="Joshua Bressers">The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3, which are in maintenance mode.</statement>
  <statement cvename="CVE-2004-0079" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0112" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0113" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.49:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0174" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.49, and 1.3.31:
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2004-0174" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue did not affect Linux.</statement>
  <statement cvename="CVE-2004-0175" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0230" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">The DHS advisory is a good source of background information about the
issue: http://www.us-cert.gov/cas/techalerts/TA04-111A.html

It is important to note that the issue described is a known function of TCP. In order to perform a connection reset an attacker would need to know the source and destination ip address and ports as well as being able to guess the sequence number within the window. These requirements seriously reduce the ability to trigger a connection reset on normal TCP connections. The DHS advisory explains that BGP routing is a specific case where being able to trigger a reset is easier than expected as the end points can be easily determined and large window sizes are used. BGP routing is also significantly affected by having its connections terminated. The major BGP peers have recently switched to requiring md5 signatures which mitigates against this attack.

The following article from Linux Weekly News also puts the flaw into context and shows why it does not pose a significant threat:
http://lwn.net/Articles/81560/

Red Hat does not have any plans for action regarding this issue.
</statement>
  <statement cvename="CVE-2004-0322" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 SP2 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2004-0323" organization="XMB" lastmodified="2008-12-11" contributor="">XMB versions 1.9.8 SP2 and later were checked and are not vulnerable.</statement>
  <statement cvename="CVE-2004-0488" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.50:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0492" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.32:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2004-0493" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.50:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0603" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0687" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0688" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0747" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.51:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0748" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.51:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0751" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.51:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0786" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.51:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0806" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  cdrecord is not shipped setuid and does not need to be made setuid with Red Hat Enterprise Linux 2.1, 3, or 4 packages.</statement>
  <statement cvename="CVE-2004-0809" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.51:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0811" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.52:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0811" organization="Red Hat" lastmodified="2006-08-31" contributor="Mark J Cox">Not Vulnerable.  This issue only affected Apache 2.0.51, which was not shipped in any version of Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2004-0829" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not class this as a security issue; this can only cause a denial of service for the attacker.
</statement>
  <statement cvename="CVE-2004-0885" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.53:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0914" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0940" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.33:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2004-0941" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0942" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.53:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-0967" organization="Red Hat" lastmodified="2007-09-07" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140074

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.</statement>
  <statement cvename="CVE-2004-0971" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0975" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0976" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140058

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-0996" organization="Red Hat" lastmodified="2009-04-09" contributor="Mark J Cox">Not vulnerable. cscope packages shipped with Red Hat Enterprise Linux 3, 4, and 5 contain a backported patch since their first release.</statement>
  <statement cvename="CVE-2004-1002" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue will only cause a denial of service on the connection the attacker is using.  It therefore is not a security issue.</statement>
  <statement cvename="CVE-2004-1020" organization="Red Hat" lastmodified="2007-08-26" contributor="Joshua Bressers">Red Hat does not consider this issue to be a security vulnerability since no trust boundary is crossed.  There are no known uses of this function which could allow a remote attacker to execute arbitrary code.</statement>
  <statement cvename="CVE-2004-1051" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider this to be a security issue:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1</statement>
  <statement cvename="CVE-2004-1063" organization="Red Hat" lastmodified="2008-10-30" contributor="Tomas Hoger">We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2004-1064" organization="Red Hat" lastmodified="2008-10-30" contributor="Tomas Hoger">We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2004-1170" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-1177" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of mailman shipped with Red Hat Enterprise Linux 2.1, 3, or 4.  In addition, we believe this issue does not apply to the 2.0.x versions of
mailman due to setting of STEALTH_MODE

</statement>
  <statement cvename="CVE-2004-1185" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-1186" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-1287" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-1296" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-1307" organization="Red Hat" lastmodified="2008-08-12" contributor="Tomas Hoger">This issue was resolved in all affected libtiff versions as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 via a patch for CVE-2004-0886.  For updates containing patches for CVE-2004-0886, see: https://rhn.redhat.com/errata/CVE-2004-0886.html</statement>
  <statement cvename="CVE-2004-1377" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2004-1392" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
</statement>
  <statement cvename="CVE-2004-1595" organization="ShixxNOTE" lastmodified="2007-11-16" contributor="Ozren Sirola">Upgrade to the latest version of ShixxNOTE 6.net (released December 2006), available from the ShixxNOTE 6.net Web site. http://www.shixxnote.com</statement>
  <statement cvename="CVE-2004-1653" organization="Red Hat" lastmodified="2009-11-25" contributor="Tomas Hoger">Permitting TCP forwarding is the expected and known default configuration. If it is not desired, it can be disabled using the AllowTcpForwarding option in the /etc/ssh/sshd_config configuration file. However, only disabling TCP forwarding does not improve security unless users are also denied shell access. For more information, see man sshd_config.</statement>
  <statement cvename="CVE-2004-1717" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This CVE is a duplicate (rediscovery) of CVE-2002-0838</statement>
  <statement cvename="CVE-2004-1808" organization="Red Hat" lastmodified="2009-06-01" contributor="Mark J Cox">The Red Hat Security Response Team rated this issue as having low security impact. This issue affected Red Hat Enterprise Linux 2.1 but due to the low severity will not be fixed.  metamail was not shipped in Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2004-1834" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.53:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2004-1862" organization="XMB" lastmodified="2020-09-09" contributor="Robert Chapin">As noted in https://docs.xmbforum2.com/index.php?title=Security_Issue_History XMB version 1.9.10 or later must be installed to prevent attacks described by this CVE. All earlier versions of XMB are vulnerable until upgraded. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2004-1863" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 SP2 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2004-1864" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 SP2 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2004-1880" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of OpenLDAP as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2004-2300" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. We did not ship snmpd setuid root in Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2004-2320" organization="Red Hat" lastmodified="2008-03-05" contributor="Joshua Bressers">The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required.

For more information please see:
http://www.apacheweek.com/issues/03-01-24#news</statement>
  <statement cvename="CVE-2004-2343" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">The .htaccess mechanism is only intended to restrict external web access, and a local user already has the privileges to perform the same operations without using ErrorDocument.</statement>
  <statement cvename="CVE-2004-2343" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Red Hat does not consider this to be a security issue.</statement>
  <statement cvename="CVE-2004-2546" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue did not affect the versions of Samba as distributed with Red Hat Enterprise Linux 3, or 4.  Red Hat Enterprise Linux 2.1 shipped with a version of Samba prior to 3.0.6, but we verified by code audit that it is not affected by this issue.</statement>
  <statement cvename="CVE-2004-2588" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2004-2654" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue only affected 2.5 STABLE4 and 2.5 STABLE5 versions of Squid and does not affect the versions of Squid distributed with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2004-2680" organization="Red Hat" lastmodified="2009-05-21" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2004-2680

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2004-2731" organization="Red Hat" lastmodified="2007-10-09" contributor="Mark J Cox">Not vulnerable. The Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5 did not include the Sbus PROM module and therefore are not affected by this issue.</statement>
  <statement cvename="CVE-2004-2760" organization="Red Hat" lastmodified="2008-08-11" contributor="Joshua Bressers">The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.</statement>
  <statement cvename="CVE-2004-2761" organization="Red Hat" lastmodified="2009-01-07" contributor="Mark J Cox">Please see http://kbase.redhat.com/faq/docs/DOC-15379</statement>
  <statement cvename="CVE-2005-0085" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of htdig as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144263</statement>
  <statement cvename="CVE-2005-0109" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-0256" organization="Red Hat" lastmodified="2006-10-23" contributor="Mark J Cox">Not vulnerable.  Red Hat Enterprise Linux 2.1 shipped with wu-ftpd, however we were unable to reproduce this issue.  Additionally, a code analysis showed that attempts to exploit this issue would be caught in the versions we shipped.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=149720</statement>
  <statement cvename="CVE-2005-0373" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Cyrus SASL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2005-0468" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-0469" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-0488" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-0602" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider this a security vulnerability; this is the expected behaviour.</statement>
  <statement cvename="CVE-2005-0605" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-0758" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-0885" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2005-0953" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-0988" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-1038" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-1111" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-1119" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider this a security issue, the bug can only manifest if the software is invoked on a sudoers file that is contained in a world writable directory.</statement>
  <statement cvename="CVE-2005-1194" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-1228" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-1229" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This is defined and documented behaviour:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156313</statement>
  <statement cvename="CVE-2005-1268" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.55:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2005-1306" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  Adobe told us this issue did not affect the Linux version of Adobe Reader.</statement>
  <statement cvename="CVE-2005-1344" organization="Red Hat" lastmodified="2007-12-04" contributor="Mark J Cox">Red Hat does not consider this to be a vulnerability.  htdigest is not supplied setuid or setgid and should not be run from a CGI program.</statement>
  <statement cvename="CVE-2005-1544" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of libtiff as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2005-1704" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-1705" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-1730" organization="Red Hat" lastmodified="2007-04-02" contributor="Mark J Cox">Based on our research we believe that the &quot;OpenSSL ASN.1 brute forcer.&quot; is actually exploiting flaws CVE-2003-0543, CVE-2003-0544, CVE-2003-0545.  Those issues are all addressed in Red Hat Enterprise Linux and therefore CVE-2005-1730 is a duplicate assignment.</statement>
  <statement cvename="CVE-2005-1751" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158995

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2005-1753" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not believe this is a security issue; this is a deliberate circumvention of the Javamail API. The Javamail API provides a comprehensive and secure method to retrieve mail. In this example, the author retrieves the message directly from the mail directory on the filesystem.  Even if the user insists on using this incorrect way of accessing mail, then the permissions set by the dovecot and tomcat packages are enough to protect against direct access to most of the files listed in the bug report.</statement>
  <statement cvename="CVE-2005-1797" organization="Red Hat" lastmodified="2008-07-08" contributor="Joshua Bressers">The OpenSSL Team do not consider this issue to be a practical threat. Conducting an attack such as this has shown to be impractical outside of a controlled lab environment. If the OpenSSL Team decide to produce an update to correct this issue, we will consider including it in a future security update.</statement>
  <statement cvename="CVE-2005-2069" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-2088" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.55:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2005-2096" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-2475" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164927

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.</statement>
  <statement cvename="CVE-2005-2491" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache 2.0.55:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2005-2541" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This is the documented and expected behaviour of tar.</statement>
  <statement cvename="CVE-2005-2547" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. These issues did not affect the version of BlueZ as shipped with Red Hat Enterprise Linux 4.
</statement>
  <statement cvename="CVE-2005-2574" organization="XMB" lastmodified="2020-09-09" contributor="Robert Chapin">As noted in https://docs.xmbforum2.com/index.php?title=Security_Issue_History XMB version 1.9.10 or later must be installed to prevent attacks described by this CVE. All earlier versions of XMB are vulnerable until upgraded. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2005-2575" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2005-2642" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue did not affect the Linux versions of Mutt.</statement>
  <statement cvename="CVE-2005-2666" organization="Red Hat" lastmodified="2006-09-20" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162681

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2005-2693" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-2700" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP server 2.0.55:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2005-2728" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.55:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2005-2797" organization="Red Hat" lastmodified="2009-11-25" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3 or 4.</statement>
  <statement cvename="CVE-2005-2798" organization="Red Hat" lastmodified="2006-11-20" contributor="Joshua Bressers">This issue does not affect Red Hat Enterprise Linux 2.1 and 3.

This flaw was fixed in Red Hat Enterprise Linux 4 via errata RHSA-2005:527:
http://rhn.redhat.com/errata/RHSA-2005-527.html</statement>
  <statement cvename="CVE-2005-2929" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-2946" organization="Red Hat" lastmodified="2006-09-20" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169803

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2005-2959" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider this to be a security issue:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1</statement>
  <statement cvename="CVE-2005-2968" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of Mozilla and Firefox as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2005-2969" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-2970" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.0.55:
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2005-2975" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-2976" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-2991" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue did not affect the ncompress packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2005-3011" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Updated packages to correct this issue are available along with our advisory:
http://rhn.redhat.com/errata/CVE-2005-3011.html

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3054" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
</statement>
  <statement cvename="CVE-2005-3120" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3183" organization="Red Hat" lastmodified="2007-09-07" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170518

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which are in maintenance mode.
</statement>
  <statement cvename="CVE-2005-3186" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3191" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3192" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3193" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3258" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable. These issues do not affect the versions of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2005-3319" organization="Red Hat" lastmodified="2008-02-12" contributor="Joshua Bressers">We do not class this as a security issue as it only allows local users who have the privileges to create .htaccess files the ability to cause a denial of service. Untrusted users should never be given the ability to create .htaccess files.</statement>
  <statement cvename="CVE-2005-3352" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.2, 2.0.58, and 1.3.35: http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2005-3357" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.2 and 2.0.58 http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2005-3391" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1</statement>
  <statement cvename="CVE-2005-3392" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
</statement>
  <statement cvename="CVE-2005-3544" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2005-3582" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">Not vulnerable.  This issue is caused by the way ImageMagick was packaged by Gentoo and does not affect Red Hat Enterprise Linux packages.</statement>
  <statement cvename="CVE-2005-3624" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3625" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3626" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3627" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3628" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-3688" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">This CVE is considered invalid because it duplicates CVE-2005-0885, "XMB versions 1.9.8 and later were checked and are not vulnerable." Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2005-3689" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 SP2 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2005-3964" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-4158" organization="Red Hat" lastmodified="2008-01-24" contributor="Mark J Cox">We do not consider this to be a security issue.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1</statement>
  <statement cvename="CVE-2005-4268" organization="Red Hat" lastmodified="2010-03-15" contributor="Mark J Cox">This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2007-0245.html and in Red Hat Enterprise Linux 3 via https://rhn.redhat.com/errata/RHSA-2010-0145.html. 

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2005-4348" organization="Red Hat" lastmodified="2007-01-31" contributor="Mark J Cox">The Red Hat Security Response Team has rated this issue as having low security impact.  An update is available for Red Hat Enterprise Linux 4 to correct this issue:
http://rhn.redhat.com/errata/RHSA-2007-0018.html

This issue did not affect Red Hat Enterprise Linux 2.1 and 3.</statement>
  <statement cvename="CVE-2005-4442" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of OpenLDAP as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2005-4481" organization="Polopoly" lastmodified="2006-10-05" contributor="Jorgen Rydenius">1. The XSS flaw described was only part of the custom implementation of the http://www.polopoly.com/ site. It was never part of any version of any Polopoly product, nor delivered to any of Polopoly’s customers.
2. The XSS flaw that existed (the search form in the upper right corner) on the www.polopoly.com site has been fixed.
3. When www.polopoly.com had the XSS flaw it was based on Polopoly 8.6. Polopoly 9.x was never involved whatsoever in this issue. And as I said earlier, the flaw was not part of Polopoly 8.6 either, it was only in custom implementation code of the www.polopoly.com site.
4. The www.polopoly.com site is not personalized nor permission controlled, so there was no information of any value to steal by exploiting the XSS flaw.</statement>
  <statement cvename="CVE-2005-4493" organization="Speartek" lastmodified="2006-11-07" contributor="Jesse Heady">We are aware of numerous existing script vulnerabilities and exploits and stand by the security of our system and our ability to address these.  This particular exploit is not particularly serious as no sensitive or private user information is ever held within cookies during our checkout process.  All user information and client information is secure in our platform.  We take all security threats quite seriously and view the efforts of the author of this particular exploit as harmful to our professional image.  This is especially important to note because the particular script vulnerability that has been raised poses no real threat to the stability or security of our systems.  Again, we are formally responding to this posted cross-site script vulnerability to communicate that we take all such potential security issues very seriously and this particular issue has been addressed.

In version 7.0.0 of our software, we have addressed the mentioned cross site scripting vulnerabilities.  On any page that a form is on, the query string is sanitized to eliminate the vectors outlined in the XSS vulnerability.  Form data is handled to protect against a form post from a different site to try and initialize a cross site scripting attack via a form post. Sensitive data is not stored in session cookies and in the event that a cookie was stolen, it would contain nothing useful for the attacker.  Our software is a hosted application, which allows us to make quick remedies as new exploits are found.  Also, our system is monitored consistently and alerts are sent to our administrators when any malicious attempt is seen.  The details of this alert include the data sent, from what referral and if there is a specific user that is being targeted on our system.</statement>
  <statement cvename="CVE-2005-4636" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of OpenOffice.org as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2005-4667" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178960

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.</statement>
  <statement cvename="CVE-2005-4745" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue did not affect the FreeRADIUS packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2005-4746" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue did not affect the FreeRADIUS packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2005-4784" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the Linux glibc.</statement>
  <statement cvename="CVE-2005-4807" organization="Red Hat" lastmodified="2006-08-24" contributor="Mark J Cox">gas (and gcc) make no promise that they are fault tolerant to bad input.  We do not plan on producing security updates for Red Hat Enterprise Linux to correct these bugs.</statement>
  <statement cvename="CVE-2005-4808" organization="Red Hat" lastmodified="2006-08-24" contributor="Mark J Cox">gas (and gcc) make no promise that they are fault tolerant to bad input.  We do not plan on producing security updates for Red Hat Enterprise Linux to correct these bugs.</statement>
  <statement cvename="CVE-2005-4835" organization="Red Hat" lastmodified="2007-04-17" contributor="Mark J Cox">Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2005-4881" organization="Red Hat" lastmodified="2009-10-22" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2005-4881

This issue has been rated as having moderate security impact. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5, and Red Hat Enterprise MRG. It affects Red Hat Enterprise Linux 3, and 4.

It was addressed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2009-1522.html

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/</statement>
  <statement cvename="CVE-2006-0043" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-0097" organization="Red Hat" lastmodified="2008-10-30" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
</statement>
  <statement cvename="CVE-2006-0151" organization="Red Hat" lastmodified="2008-01-24" contributor="Mark J Cox">We do not consider this to be a security issue.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1</statement>
  <statement cvename="CVE-2006-0225" organization="Red Hat" lastmodified="2009-09-09" contributor="Joshua Bressers">This issue was addressed in Red Hat Enterprise Linux 2.1, 3 and 4:

https://rhn.redhat.com/errata/CVE-2006-0225.html
https://www.redhat.com/security/data/cve/CVE-2006-0225.html

Issue was fixed upstream in version 4.3.  The openssh packages in Red Hat Enterprise Linux 5 are based on the fixed upstream version and were not affected by this flaw.</statement>
  <statement cvename="CVE-2006-0236" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  We verified that this issue does not affect Linux versions of Thunderbird.</statement>
  <statement cvename="CVE-2006-0321" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of Fetchmail as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-0365" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">This CVE is considered invalid because it provides neither a description nor a version number adequate to identify any vulnerability in XMB. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2006-0405" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of libtiff as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-0454" organization="Red Hat" lastmodified="2006-09-17" contributor="Mark J Cox">Not vulnerable.  This vulnerability was introduced into the Linux kernel in version 2.6.12 and therefore does not affect users of Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-0459" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">This issue only affects parsers which are generated by grammars which either use REJECT or rules with a variable trailing context (in these rules the parser has to keep all backtracking paths).  The Red Hat Security Response Team analysed all packages that include flex generated parsers in Red Hat Enterprise Linux (2.1, 3, and 4) and found none were vulnerable.
</statement>
  <statement cvename="CVE-2006-0512" organization="Mandriva" lastmodified="2006-10-04" contributor="Vincent Danen">Mandriva has patched the migrationtools since August 2005 to use mktemp so is not vulnerable to this issue.</statement>
  <statement cvename="CVE-2006-0553" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of PostgreSQL as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-0576" organization="Red Hat" lastmodified="2006-09-20" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 3
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207347

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue was fixed for Red Hat Enterprise Linux 4 in the following errata:
http://rhn.redhat.com/errata/RHEA-2006-0355.html

This issue does not affect Red Hat Enterprise Linux 2</statement>
  <statement cvename="CVE-2006-0670" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187945

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2006-0730" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">This issue only affected Dovecot versions 1.0beta1 and 1.0beta2.  Red Hat Enterprise Linux 4 shipped with an earlier version of Dovecot and is therefore not vulnerable to this issue.</statement>
  <statement cvename="CVE-2006-0743" organization="Red Hat" lastmodified="2006-11-22" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include log4net.</statement>
  <statement cvename="CVE-2006-0778" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2006-0779" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">This CVE is considered invalid because it duplicates CVE-2005-3544, "XMB versions 1.9.8 and later were checked and are not vulnerable."  Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2006-0883" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-0903" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 2.1 and 3:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194613

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue has been fixed for Red Hat Enterprise Linux 4 in RHSA-2006:0544.</statement>
  <statement cvename="CVE-2006-1014" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
</statement>
  <statement cvename="CVE-2006-1015" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
</statement>
  <statement cvename="CVE-2006-1017" organization="Red Hat" lastmodified="2008-10-30" contributor="Tomas Hoger">We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2006-1050" organization="Kwik-Pay" lastmodified="2007-02-19" contributor="Alastair Robertson">The kwikpay.mdb file supplied with kwikpay is a template for the database structure of user databases created by kwikpay and to store a demonstration payroll. It does not contain any sensitive user information. The file is open for view by any user by design. We do not consider it to be a security vulnerability.</statement>
  <statement cvename="CVE-2006-1057" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188302

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 and 3.</statement>
  <statement cvename="CVE-2006-1058" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187385

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2006-1095" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of mod_python as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-1168" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-1174" organization="Red Hat" lastmodified="2007-09-06" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bugs:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193053
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229194

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.</statement>
  <statement cvename="CVE-2006-1251" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  greylistclean.cron is not supplied in the exim packages as distributed with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2006-1372" organization="Benson Solutions" lastmodified="2007-01-03" contributor="Greg Benson">WebCalendar v4 has been updated to include fixes that filter the url numeric and date variables in question and prevent non-numeric and non-date values from being passed to the SQL queries.  This fixes the problems with the pages in question. http://www.bensonitsolutions.com/Calendar/v4/</statement>
  <statement cvename="CVE-2006-1494" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-1542" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187900

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-1549" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable &quot;sandboxed&quot; security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2006-1608" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
</statement>
  <statement cvename="CVE-2006-1624" organization="Mandriva" lastmodified="2006-07-20" contributor="Vincent Danen">Mandriva does not enable the -r option in syslogd per default, which prevents syslogd from listening for remote events.  The -x option is also described in /etc/sysconfig/syslog for those who wish to enable the -r option.</statement>
  <statement cvename="CVE-2006-1624" organization="Red Hat" lastmodified="2006-12-06" contributor="Joshua Bressers">Red Hat does not consider this to be a security issue. Enabling the -r option is not suggested without the -x option which is clearly documented in the /etc/sysconfig/syslog configuration file.</statement>
  <statement cvename="CVE-2006-1748" organization="XMB" lastmodified="2020-09-09" contributor="Robert Chapin">As noted in https://docs.xmbforum2.com/index.php?title=Security_Issue_History XMB version 1.9.10 or later must be installed to prevent attacks described by this CVE. All earlier versions of XMB are vulnerable until upgraded. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2006-2050" organization="Red Hat" lastmodified="2008-05-08" contributor="Joshua Bressers">Red Hat does not consider this to be a security issue. The FastCGI server is local trusted code and not under the control of an attacker, no trust boundary is crossed.

For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2050</statement>
  <statement cvename="CVE-2006-2073" organization="Red Hat" lastmodified="2007-07-19" contributor="Mark J Cox">This issue did not affect the version of bind as shipped with Red Hat Enterprise Linux 5.  We do not believe this issue has a security consequence for earlier versions of Red Hat Enterprise Linux.  For details please see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192192</statement>
  <statement cvename="CVE-2006-2083" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue does not affect the versions of rsync distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-2193" organization="Red Hat" lastmodified="2008-09-02" contributor="Mark J Cox">This issue does not affect Red Hat Enterprise Linux 2.1 and 3

This issue was addressed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0848.html

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-2194" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">Not vulnerable.  The winbind plugin is not shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-2369" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">This issue only affected version 4.1.1 and not the versions distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-2414" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue does not affect the versions of Dovecot distributed with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2006-2440" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192278

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.
</statement>
  <statement cvename="CVE-2006-2450" organization="Red Hat" lastmodified="2006-08-24" contributor="Mark J Cox">Not vulnerable.  This issue does not affect the versions of LibVNCServer as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-2502" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue does not affect the versions of cyrus-imapd distributed with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2006-2563" organization="Red Hat" lastmodified="2006-09-20" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2006-2607" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-2656" organization="Red Hat" lastmodified="2008-08-12" contributor="Mark J Cox">This issue was addressed in libtiff packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 via: https://rhn.redhat.com/errata/RHSA-2006-0603.html

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-2660" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This is not an issue that affects users of Red Hat Enterprise Linux.  
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196255</statement>
  <statement cvename="CVE-2006-2754" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">This issue is not exploitable as the status file is only written to and read by the slurpd process.  Therefore this is not a vulnerability that affects Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2006-2789" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">Not vulnerable.  This issue does not affect the versions of Evolution as distributed with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2006-2906" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-2916" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">Not vulnerable.  We do not ship aRts as setuid root on Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-2937" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-2940" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3005" organization="Red Hat" lastmodified="2006-08-24" contributor="Mark J Cox">Red Hat does not consider this a security issue.  It is expected behavior that a large input file will cause the processing program to use a large amount of memory.</statement>
  <statement cvename="CVE-2006-3011" organization="Red Hat" lastmodified="2006-09-20" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2006-3018" organization="Red Hat" lastmodified="2006-09-20" contributor="Mark J Cox">Unknown: CVE-2006-3018 has been assigned to an issue in PHP where the cause and fix are unknown, and the impact cannot be verified. The source of the CVE assignment was a single line statement in the PHP 5.1.3 release announcement, http://www.php.net/release_5_1_3.php, reading: &quot;Fixed a heap corruption inside the session extension.&quot;  Of the changes made to the session extension between releases 5.1.2 and 5.1.3, none would fix a bug matching this description by our analysis.
</statement>
  <statement cvename="CVE-2006-3083" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3093" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">Not vulnerable.  Adobe told us that this issue does not affect the Linux versions of Adobe Acrobat Reader.</statement>
  <statement cvename="CVE-2006-3145" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue did not affect the versions of NetPBM distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-3174" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This issue has not been able to be reproduced by upstream or after a Red Hat code review.  We therefore do not believe this is a security vulnerability.</statement>
  <statement cvename="CVE-2006-3334" organization="Red Hat" lastmodified="2007-05-14" contributor="Mark J Cox">On Red Hat Enterprise Linux 2.1, 3, 4, and 5 this is a two-byte overflow into the middle of the stack and is not exploitable.</statement>
  <statement cvename="CVE-2006-3376" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3378" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">This issue affects the version of the passwd command from the shadow-utils package.  Red Hat Enterprise Linux 2.1, 3, and 4 are not vulnerable to this issue.</statement>
  <statement cvename="CVE-2006-3459" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3460" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3461" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3462" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3463" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3464" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3465" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3467" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3469" organization="Red Hat" lastmodified="2008-07-25" contributor="Mark J Cox">This issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 4 via:

https://rhn.redhat.com/errata/RHSA-2008-0768.html

This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1, 3, or 5, and Red Hat Application Stack v1 and v2.</statement>
  <statement cvename="CVE-2006-3486" organization="Red Hat" lastmodified="2006-07-19" contributor="Mark J Cox">We do not consider this issue to have security implications, and therefore have no plans to issue MySQL updates for Red Hat Enterprise Linux 2.1, 3, or 4 to correct this issue.</statement>
  <statement cvename="CVE-2006-3587" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">Adobe gave a statement that these issues do not affect the Linux versions of Macromedia Flash Player.</statement>
  <statement cvename="CVE-2006-3588" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">Adobe gave a statement that these issues do not affect the Linux versions of Macromedia Flash Player.</statement>
  <statement cvename="CVE-2006-3619" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198912

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2006-3626" organization="Red Hat" lastmodified="2006-07-19" contributor="Mark J Cox">This vulnerability does not affect Red Hat Enterprise Linux 2.1 or 3 as they are based on 2.4 kernels.

The exploit relies on the kernel supporting the a.out binary format.  Red Hat Enterprise Linux 4, Fedora Core 4, and Fedora Core 5 do not support the a.out binary format, causing the exploit to fail.  We are not currently aware of any way to exploit this vulnerability if a.out binary format is not enabled.  In addition, a default installation of these OS enables SELinux in enforcing mode.  SELinux also completely blocks attempts to exploit this issue.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198973#c10</statement>
  <statement cvename="CVE-2006-3672" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider a crash of a client application such as Konqueror to be a security issue.</statement>
  <statement cvename="CVE-2006-3731" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">We do not consider a user-assisted crash of a client application such as Firefox to be a security issue.</statement>
  <statement cvename="CVE-2006-3738" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3742" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3743" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3744" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-3747" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.3, 2.0.59, and 1.3.37:
http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2006-3747" organization="Red Hat" lastmodified="2006-07-31" contributor="Mark J Cox">The ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler has added padding to the stack immediately after the buffer being overwritten, this issue can not be exploited, and Apache httpd will continue operating normally.

The Red Hat Security Response Team analyzed Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4 binaries for all architectures as shipped by Red Hat and determined that these versions cannot be exploited.  This issue does not affect the version of Apache httpd as supplied with Red Hat Enterprise Linux 2.1</statement>
  <statement cvename="CVE-2006-3835" organization="Red Hat" lastmodified="2006-08-24" contributor="Mark J Cox">This issue is not a security issue in Tomcat itself, but is caused when directory listings are enabled.

Details on how to disable directory listings are available at: http://tomcat.apache.org/faq/misc.html#listing</statement>
  <statement cvename="CVE-2006-3879" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">This issue does not affect versions of Mikmod 3.2.0-beta2 or prior.  Versions of Mikmod distributed with Red Hat Enterprise Linux 2.1, 3, and 4 are based on version 3.1.11 and are therefore not vulnerable to this issue.</statement>
  <statement cvename="CVE-2006-3918" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 1.3.35:
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2006-3994" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2006-4031" organization="Red Hat" lastmodified="2008-07-25" contributor="Mark J Cox">This issue was corrected in all affected mysql packages versions as shipped in Red Hat Enterprise Linux or Red Hat Application Stack via:

https://rhn.redhat.com/errata/CVE-2006-4031.html

This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1 or 3</statement>
  <statement cvename="CVE-2006-4095" organization="Red Hat" lastmodified="2006-09-06" contributor="Mark J Cox">Not Vulnerable.  The version of BIND that ships with Red Hat Enterprise Linux is not vulnerable to this issue as it does not handle signed RR records.</statement>
  <statement cvename="CVE-2006-4096" organization="Red Hat" lastmodified="2006-09-08" contributor="Mark J Cox">Not Vulnerable.  This issue was found and fixed as part of Red Hat Enterprise Linux 4 update 4:
http://rhn.redhat.com/errata/RHBA-2006-0288.html

and Red Hat Enterprise Linux 3 update 8:
http://rhn.redhat.com/errata/RHBA-2006-0287.html

This issue does not affect Red Hat Enterprise Linux 2.1</statement>
  <statement cvename="CVE-2006-4124" organization="Red Hat" lastmodified="2006-08-16" contributor="Mark J Cox">LessTif is shipped with Red Hat Enterprise Linux 2.1 but not 3 or 4.  On Enterprise Linux 2.1 we build LessTif with debugging disabled, so the DEBUG_FILE environment variable is ignored and this issue cannot be exploited.
</statement>
  <statement cvename="CVE-2006-4144" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4146" organization="Red Hat" lastmodified="2009-06-01" contributor="Mark J Cox">Updates to address this issue are available for Red Hat Enterprise Linux 3 and 4:
https://rhn.redhat.com/cve/CVE-2006-4146.html

Red Hat Enterprise Linux 5 was not vulnerable to this issue as it contained a backported patch.</statement>
  <statement cvename="CVE-2006-4181" organization="Red Hat" lastmodified="2006-12-04" contributor="Joshua Bressers">Not Vulnerable.  Red Hat does not ship GNU Radius in Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-4191" organization="XMB" lastmodified="2021-04-23" contributor="Robert Chapin">XMB versions 1.9.8 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2006-4206" organization="ASPPlayground.NET" lastmodified="2006-12-20" contributor="Samuel Chou">The issue has been fixed in the latest round of patch released on Oct 15, 2006.</statement>
  <statement cvename="CVE-2006-4226" organization="Red Hat" lastmodified="2006-09-19" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203426

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 or 3</statement>
  <statement cvename="CVE-2006-4227" organization="Red Hat" lastmodified="2008-07-25" contributor="Mark J Cox">This issue did not affect the versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Issue was addressed in MySQL packages as shipped in Red Hat Enterprise Linux 5 via:

https://rhn.redhat.com/errata/RHSA-2008-0364.html</statement>
  <statement cvename="CVE-2006-4262" organization="Red Hat" lastmodified="2009-06-16" contributor="Mark J Cox">Red Hat Enterprise Linux 5 was not vulnerable to this issue as it contained a backported patch since its first release.

In Red Hat Enterprise Linux 3 and 4, this issue was addressed via: https://rhn.redhat.com/errata/RHSA-2009-1101.html</statement>
  <statement cvename="CVE-2006-4310" organization="Red Hat" lastmodified="2006-09-21" contributor="Joshua Bressers">Red Hat does not consider this flaw a security issue.  This flaw is the result of a NULL pointer dereference, which is not exploitable and can only cause a client crash.</statement>
  <statement cvename="CVE-2006-4318" organization="Texas Imperial Software" lastmodified="2011-01-07" contributor="Texas Imperial Software">Texas Imperial Software has tested this issue against current versions of WFTPD and WFTPD Pro, and finds that versions after 3.23 are not vulnerable. Users of WFTPD or WFTPD Pro should update to the most current version in order to address this issue. The update is free to fully registered users; unregistered users can download a fresh copy of the shareware version of the application.

</statement>
  <statement cvename="CVE-2006-4334" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4335" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220595

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4336" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4337" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220595

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4338" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220595

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4339" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Vulnerable.  This issue affects OpenSSL and OpenSSL compatibility packages in Red Hat Enterprise Linux 2.1, 3, and 4.  Updates, along with our advisory are available at the URL below.
http://rhn.redhat.com/errata/RHSA-2006-0661.html

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4343" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4433" organization="Red Hat" lastmodified="2008-10-30" contributor="Tomas Hoger">We do not consider this to be a PHP flaw.  The problem is caused by the insufficient input validation performed by Zend platform.</statement>
  <statement cvename="CVE-2006-4434" organization="Red Hat" lastmodified="2006-08-30" contributor="Mark J Cox">This flaw causes a crash but does not result in a denial of service against Sendmail and is therefore not a security issue.</statement>
  <statement cvename="CVE-2006-4447" organization="Red Hat" lastmodified="2006-09-12" contributor="Mark J Cox">Not Vulnerable. This issue does not exist in Red Hat Enterprise Linux 2.1 or 3.  This issue is not exploitable in Red Hat Enterprise Linux 4.  A detailed analysis of this issue can be found in the Red Hat Bug Tracking System:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195555</statement>
  <statement cvename="CVE-2006-4481" organization="Red Hat" lastmodified="2006-09-20" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2006-4513" organization="Red Hat" lastmodified="2007-02-09" contributor="Mark J Cox">Not vulnerable.  This issue did not affect versions of wvWare library included in koffice packages as shipped with Red Hat Enterprise Linux 2.1</statement>
  <statement cvename="CVE-2006-4514" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4572" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4600" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205826

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.</statement>
  <statement cvename="CVE-2006-4623" organization="Red Hat" lastmodified="2006-09-21" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204912

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2006-4624" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205651

The Red Hat Security Response Team has rated this issue as having low security impact and expects to release a future update to address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which are in maintenance mode.

This bug will be addressed in a future update of Red Hat Enterprise Linux 4.</statement>
  <statement cvename="CVE-2006-4625" organization="Red Hat" lastmodified="2006-09-20" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2006-4759" organization="PunBB" lastmodified="2006-09-28" contributor="Rickard Andersson">PunBB 1.2.13 has been released to fix this vulnerability. The updated version is available at http://punbb.org/downloads.php.</statement>
  <statement cvename="CVE-2006-4790" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4806" organization="Red Hat" lastmodified="2006-11-22" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2.</statement>
  <statement cvename="CVE-2006-4807" organization="Red Hat" lastmodified="2006-11-22" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2.</statement>
  <statement cvename="CVE-2006-4808" organization="Red Hat" lastmodified="2006-11-22" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2.</statement>
  <statement cvename="CVE-2006-4809" organization="Red Hat" lastmodified="2006-11-22" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2.</statement>
  <statement cvename="CVE-2006-4810" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4811" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4812" organization="Red Hat" lastmodified="2008-06-26" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, and 4.</statement>
  <statement cvename="CVE-2006-4814" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4842" organization="Red Hat" lastmodified="2007-01-11" contributor="Mark J Cox">This issue also affects other OS that use NSPR.  However, Red Hat does not ship any application linked setuid or setgid against NSPR and therefore is not vulnerable to this issue.</statement>
  <statement cvename="CVE-2006-4924" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-4925" organization="Red Hat" lastmodified="2006-10-31" contributor="Joshua Bressers">Red Hat does not consider this flaw a security issue. This flaw can cause an OpenSSH client to crash when connecting to a malicious server, which does not result in a denial of service condition.</statement>
  <statement cvename="CVE-2006-4980" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5051" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5052" organization="Red Hat" lastmodified="2009-09-24" contributor="Joshua Bressers">This issue did not affect Red Hat Enterprise Linux 2.1 and 3.

This issue was addressed in Red Hat Enterprise Linux 4 and 5 via
https://rhn.redhat.com/errata/RHSA-2007-0703.html and https://rhn.redhat.com/errata/RHSA-2007-0540.html respectively.</statement>
  <statement cvename="CVE-2006-5158" organization="Red Hat" lastmodified="2006-10-16" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210128

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2006-5159" organization="Red Hat" lastmodified="2006-10-16" contributor="Joshua Bressers">Red Hat does not consider this issue to be a security vulnerability.  We have been in contact with the upstream project regarding this problem and agree that this issue currently poses no security threat.  In the event more information becomes available, we will revisit this issue in the future.
</statement>
  <statement cvename="CVE-2006-5160" organization="Red Hat" lastmodified="2006-10-16" contributor="Joshua Bressers">Red Hat does not consider this issue to be a security vulnerability.  We have been in contact with the upstream project regarding this problem and agree that this issue currently poses no security threat.  In the event more information becomes available, we will revisit this issue in the future.
</statement>
  <statement cvename="CVE-2006-5173" organization="Red Hat" lastmodified="2006-11-03" contributor="Joshua Bressers">Not Vulnerable.  This flaw only affects kernel versions 2.6.14 to 2.6.18.  Red Hat Enterprise Linux 2.1, 3, and 4 do not ship with a vulnerable kernel version.</statement>
  <statement cvename="CVE-2006-5178" organization="Red Hat" lastmodified="2006-12-04" contributor="Joshua Bressers">We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2006-5214" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5215" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5229" organization="Red Hat" lastmodified="2006-10-11" contributor="Joshua Bressers">Red Hat has been unable to reproduce this flaw and believes that the reporter was experiencing behavior specific to his environment.  We will not be releasing an update to address this issue.</statement>
  <statement cvename="CVE-2006-5297" organization="Red Hat" lastmodified="2007-09-07" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211085

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.</statement>
  <statement cvename="CVE-2006-5298" organization="Red Hat" lastmodified="2007-09-07" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211085

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.</statement>
  <statement cvename="CVE-2006-5397" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of libX11 as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5456" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5465" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5466" organization="Red Hat" lastmodified="2007-03-14" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213515

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5467" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5619" organization="Red Hat" lastmodified="2006-11-07" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via bug 213214 for Red Hat Enterprise Linux 4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213214

This issue does not affect Red Hat Enterprise Linux 2.1 or 3</statement>
  <statement cvename="CVE-2006-5621" organization="Rave" lastmodified="2006-12-12" contributor="Peter Graham">Ask_rave 0.9b has been released for immediate download and versions 0.9PR and below have been rendered obsolete. All users using versions 0.9PR and prior are recommended to upgrade their versions immediately. Users can use the following URI to download this new version: http://rave.jk-digital.com/site/scripts/ask.php</statement>
  <statement cvename="CVE-2006-5633" organization="Red Hat" lastmodified="2006-11-07" contributor="Joshua Bressers">Red Hat does not consider a user-assisted crash of a client application such as Firefox to be a security issue.</statement>
  <statement cvename="CVE-2006-5649" organization="Red Hat" lastmodified="2007-06-10" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, or 5.  Red Hat Enterprise Linux 2.1 did not ship for PowerPC architecture.</statement>
  <statement cvename="CVE-2006-5701" organization="Red Hat" lastmodified="2007-03-14" contributor="Joshua Bressers">Not Vulnerable.  The squashfs module is not distributed as part of Red Hat Enterprise Linux 2.1, 3, or 4.  Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5706" organization="Red Hat" lastmodified="2006-11-10" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2006-5741" organization="AirMagnet" lastmodified="2007-08-17" contributor="Tony Ho">
- Affected AirMagnet Builds: AirMagnet Enterprise 7.5 build 6289 and earlier.

- Vulnerability Description: Intruders can execute a script in the Internet Explorer browser using symbols/script in the SSID generated by a fake access point. In the AirMagnet Enterprise system, such a script can be executed from the Sensor webpage or the AirWISE page in the AirMagnet Enterprise Console. This attack will not cause any damage to the AirMagnet Enterprise Server and no data will be lost or stolen. The intruder could potentially impact the performance of the machine running the Enterprise Console software. This is a known vulnerability in Internet Explorer and only works if users have enabled DirectX to execute scripts inside of Internet Explorer. 

- AirMagnet Solution: Listing SSIDs within quotes (“ “) will fix the problem. Customers should also be encouraged to not allow DirectX scripts in IE.

- Fix Availability: Patch currently available on MyAirMagnet. Customers should upgrade to the latest version available on MyAirMagnet. Customers running a version of AirMagnet older than 6.1 must upgrade to version 6.1 before upgrading to the current release. Customers can contact AirMagnet Support to obtain the 6.1 release. 
</statement>
  <statement cvename="CVE-2006-5742" organization="AirMagnet" lastmodified="2007-08-17" contributor="Tony Ho">- Affected AirMagnet Builds: AirMagnet Enterprise 7.5 build 6289 and earlier.

- Vulnerability Description: Intruders can execute a script in the Internet Explorer browser using symbols/script in the SSID generated by a fake access point. In the AirMagnet Enterprise system, such a script can be executed from the Sensor webpage or the AirWISE page in the AirMagnet Enterprise Console. This attack will not cause any damage to the AirMagnet Enterprise Server and no data will be lost or stolen. The intruder could potentially impact the performance of the machine running the Enterprise Console software. This is a known vulnerability in Internet Explorer and only works if users have enabled DirectX to execute scripts inside of Internet Explorer. 

- AirMagnet Solution: Listing SSIDs within quotes (“ “) will fix the problem. Customers should also be encouraged to not allow DirectX scripts in IE.

- Fix Availability: Patch currently available on MyAirMagnet. Customers should upgrade to the latest version available on MyAirMagnet. Customers running a version of AirMagnet older than 6.1 must upgrade to version 6.1 before upgrading to the current release. Customers can contact AirMagnet Support to obtain the 6.1 release. 
</statement>
  <statement cvename="CVE-2006-5746" organization="AirMagnet" lastmodified="2007-08-17" contributor="Tony Ho">
- Affected AirMagnet Builds: AirMagnet Enterprise 7.5 build 6295 and earlier

- Vulnerability Description: AirMagnet uses a self signed certificate in the server response that can enable the intruder to attempt a man in the middle attack. The intruder needs to be connected physically to the corporate network and obtain the IP address of a console user before attempting such an attack. The attack can ultimately be used to obtain AirMagnet system user passwords. 

- AirMagnet Solution: AirMagnet will release a patch to ensure that the console validates the correctly assigned certificate from the server. Customers can limit the risk of this vulnerability by following standard network security practices to ensure that unauthorized personnel do not gain physical access to the protected network.

- Fix Availability: Patch currently available on MyAirMagnet. Customers should upgrade to the latest version available on MyAirMagnet. Customers running a version of AirMagnet older than 6.1 must upgrade to version 6.1 before upgrading to the current release. Customers can contact AirMagnet Support to obtain the 6.1 release.

</statement>
  <statement cvename="CVE-2006-5749" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5751" organization="Red Hat" lastmodified="2006-12-12" contributor="Joshua Bressers">This flaw does not affect the Linux kernel shipped with Red Hat Enterprise Linux 2.1 or 3.

This flaw affects the Linux kernel shipped with Red Hat Enterprise Linux 4.  We are tracking this flaw via bug 216452:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216452</statement>
  <statement cvename="CVE-2006-5752" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.6, 2.0.61, and 1.3.39: http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2006-5753" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it only affects x86_64 architectures.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch at release.</statement>
  <statement cvename="CVE-2006-5757" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5767" organization="Drake CMS" lastmodified="2006-12-20" contributor="Daniele C.">The Drake Team has published an apposite news about the vulnerability: http://sourceforge.net/forum/forum.php?forum_id=636860.

It is important to specify that this is an alpha product because it is intended for testers and we already disclaim its usage in production websites through an install notice; we will conduct deep security tests during the beta stage of our development chain.

We discontinue the download of each alpha release when a new one is available, so the up-to-date release available at http://sourceforge.net/projects/drakecms is already fixed for the vulnerability.</statement>
  <statement cvename="CVE-2006-5779" organization="Red Hat" lastmodified="2007-03-14" contributor="Joshua Bressers">Not Vulnerable.  The OpenLDAP versions shipped with Red Hat Enterprise Linux 4 and earlier do not contain the vulnerable code in question.  Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5794" organization="Red Hat" lastmodified="2009-09-24" contributor="Joshua Bressers">This issue did not affect Red Hat Enterprise Linux 2.1.

This issue was addressed in Red Hat Enterprise Linux 3 and 4 via
https://rhn.redhat.com/errata/RHSA-2006-0738.html .

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5823" organization="Red Hat" lastmodified="2007-03-14" contributor="Joshua Bressers">The CVE-2006-5823 is about a corrupted cramfs (MOKB-07-11-2006) that can cause a memory corruption and so crash the machine.

For Red Hat Enterprise Linux 3 this issue is tracked via Bugzilla #216960 and for Red Hat Enterprise Linux 4 it is tracked via Bugzilla #216958.

Red Hat Enterprise Linux 2.1 is not vulnerable to this issue.

This issue has been rated as having low impact, because root privileges or physical access to the machine are needed to mount a corrupted filesystem and crash the machine.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5826" organization="Texas Imperial Software" lastmodified="2011-01-07" contributor="Texas Imperial Software">Texas Imperial Software has tested this issue against current versions of WFTPD and WFTPD Pro, and finds that versions after 3.23 are not vulnerable. Users of WFTPD or WFTPD Pro should update to the most current version in order to address this issue. The update is free to fully registered users; unregistered users can download a fresh copy of the shareware version of the application.

</statement>
  <statement cvename="CVE-2006-5840" organization="abarcar Software" lastmodified="2006-12-20" contributor="Helmut Fleischhauer">The version 5.1.5 of the abarcar Realty Portal has been discontinued 2003.
The version 6.xx has been discontinued beginning 2006.
A fix for above versions has been available since that time.

As of version 7.0 static pages are created
- a parameter for cat.php is no longer used
- the routine for news has been dropped and a different routine creating static pages is used
- slistl.php never existed in the Realty Portal</statement>
  <statement cvename="CVE-2006-5864" organization="Red Hat" lastmodified="2007-09-07" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 2.1.  This issue did not affect Red Hat Enterprise Linux 3 or 4.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215593

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.</statement>
  <statement cvename="CVE-2006-5868" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5870" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5876" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Not vulnerable. The vulnerable code is not used by any application linked with libsoup shipped with Red Hat Enterprise Linux 2.1, 3, and 4.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-5969" organization="Red Hat" lastmodified="2006-11-22" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1 shipped with fvwm, however this issue does not affect the included version of fvwm.</statement>
  <statement cvename="CVE-2006-5974" organization="Red Hat" lastmodified="2007-01-11" contributor="Mark J Cox">Not vulnerable.  This issue does not affect the versions of fetchmail distributed with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-5989" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6015" organization="Red Hat" lastmodified="2006-12-04" contributor="Joshua Bressers">Red Hat does not consider unexploitable client application crashes to be security flaws. This bug causes a stack recursion crash which is not exploitable.</statement>
  <statement cvename="CVE-2006-6027" organization="Red Hat" lastmodified="2006-11-23" contributor="Mark J Cox">Not vulnerable.  This issue did not affect Linux versions of Adobe Reader.</statement>
  <statement cvename="CVE-2006-6053" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6054" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6056" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6057" organization="Red Hat" lastmodified="2007-03-14" contributor="Joshua Bressers">Not Vulnerable.  The kernels as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 do not contain gfs2 filesystem support.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6097" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6101" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6102" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6103" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6105" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Not vulnerable.  This flaw was first introduced in gdm version 2.14.  Therefore these issues did not affect the earlier versions of gdm as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6106" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it for Red Hat Enterprise Linux 4 via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218602

This issue does not affect the version of the Linux kernel shipped with Red Hat Enterprise Linux 2.1 or 3.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6107" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6142" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6143" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 ship with versions of Kerberos 5 prior to version 1.4 and are therefore not affected by these vulnerabilities.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6144" organization="Mandriva" lastmodified="2007-01-19" contributor="Vincent Danen">Not vulnerable. Mandriva 2007.0 and earlier ship with Kerberos 5 version 1.4.x and as a result are not vulnerable to these issues.
</statement>
  <statement cvename="CVE-2006-6144" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 ship with versions of Kerberos 5 prior to version 1.4 and are therefore not affected by these vulnerabilities.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6169" organization="Red Hat" lastmodified="2007-03-14" contributor="Joshua Bressers">Red Hat does not consider this bug to be a security flaw.  In order for this flaw to be exploited, a user would be required to enter shellcode into an interactive GnuPG session. Red Hat considers this to be an unlikely scenario.

Red Hat Enterprise Linux 5 contains a backported patch to address this issue.</statement>
  <statement cvename="CVE-2006-6184" organization="Allied Telesyn" lastmodified="2007-04-17" contributor="Sheldon Duthie">More recent revision AT-TFTPD Server 2.0 does not suffer the listed vulnerability.
 
Only the more recent revision AT-TFTPD Server 2.0 can be found for download from our website, currently via the following link:
 
http://www.alliedtelesis.com/support/software/default.aspx?cid=1&amp;pid=182</statement>
  <statement cvename="CVE-2006-6235" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6236" organization="Red Hat" lastmodified="2006-12-19" contributor="Mark J Cox">Not vulnerable.  This issue does not affect the Linux version of Adobe Reader.</statement>
  <statement cvename="CVE-2006-6297" organization="Red Hat" lastmodified="2006-12-19" contributor="Mark J Cox">We do not consider a crash of a client application such as Konqueror or other KFile users to be a security issue.
</statement>
  <statement cvename="CVE-2006-6303" organization="Red Hat" lastmodified="2008-07-14" contributor="Joshua Bressers">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.  For other versions of Red Hat Enterprise Linux see http://rhn.redhat.com/cve/CVE-2006-6303.html</statement>
  <statement cvename="CVE-2006-6304" organization="Red Hat" lastmodified="2010-01-21" contributor="Tomas Hoger">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit d025c9db that introduced the problem.

This upstream commit was backported in Red Hat Enterprise Linux 5 via RHSA-2009:0225. It was later reported and addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html</statement>
  <statement cvename="CVE-2006-6305" organization="Red Hat" lastmodified="2007-03-14" contributor="Joshua Bressers">Not vulnerable. This issue does not affect the versions of net-smtp as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6332" organization="Red Hat" lastmodified="2007-04-17" contributor="Mark J Cox">Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2006-6383" organization="Red Hat" lastmodified="2006-12-19" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2006-6385" organization="Red Hat" lastmodified="2006-12-08" contributor="Joshua Bressers">Not Vulnerable.
eEye Research advisory AD20061207 (Intel Network Adapter Driver Local Privilege  Escalation) describes a flaw in the Linux Kernel drivers for the e100, e1000, and ixgb Intel network cards. The flaw affects the NDIS miniport drivers and its OID support. The Linux Kernel drivers do not support the NDIS API and the OID concept from Microsoft Windows.</statement>
  <statement cvename="CVE-2006-6493" organization="Red Hat" lastmodified="2006-12-19" contributor="Mark J Cox">Not vulnerable. OpenLDAP as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 does not support the LDAP_AUTH_KRBV41 authentication method.</statement>
  <statement cvename="CVE-2006-6628" organization="Red Hat" lastmodified="2007-01-15" contributor="Joshua Bressers">Red Hat does not consider this flaw a security issue.  This flaw will only crash OpenOffice.org and presents no possibility for arbitrary code execution.</statement>
  <statement cvename="CVE-2006-6660" organization="Red Hat" lastmodified="2007-02-02" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of KDE as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-6698" organization="Red Hat" lastmodified="2008-05-29" contributor="Mark J Cox">The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2006-6719" organization="Red Hat" lastmodified="2009-10-07" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221459

We do not consider a crash of a client application such as wget to be a security issue.

This flaw was fixed in wget shipped in Red Hat Enterprise Linux 5 before the initial release of the product. Versions of wget shipped in Red Hat Enterprise Linux 3 and 4 are affected by this bug.</statement>
  <statement cvename="CVE-2006-6772" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2006-6811" organization="Red Hat" lastmodified="2007-01-18" contributor="Mark J Cox">We do not consider a crash of a client application such as KsIRC to be a security issue.</statement>
  <statement cvename="CVE-2006-6921" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2006-6939" organization="Red Hat" lastmodified="2007-01-18" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223072

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.
</statement>
  <statement cvename="CVE-2006-7051" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">This issue can only be exploited if pending signals (ulimit -i) is set to &quot;unlimited&quot;. In case of Red Hat Enterprise Linux version 2.1, 3 and 4 this is not the case and therefore they are not vulnerable to this issue.
</statement>
  <statement cvename="CVE-2006-7098" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">This issue did not affect the upstream Apache HTTP Server versions.</statement>
  <statement cvename="CVE-2006-7098" organization="Red Hat" lastmodified="2007-03-05" contributor="Mark J Cox">Not vulnerable. This issue was specific to a Debian patch to Apache HTTP Server.
</statement>
  <statement cvename="CVE-2006-7108" organization="Red Hat" lastmodified="2007-09-07" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This flaw has been rated as having a low  severity by the Red Hat Security Response Team.  More information about this rating can be found here:
http://www.redhat.com/security/updates/classification/

This flaw is currently being tracked via the following bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=231449
https://bugzilla.redhat.com/show_bug.cgi?id=231448

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which are in maintenance mode.
</statement>
  <statement cvename="CVE-2006-7139" organization="Red Hat" lastmodified="2007-03-08" contributor="Mark J Cox">Not vulnerable. Our testing found that this issue did not affect the versions of Kmail as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2006-7175" organization="Red Hat" lastmodified="2007-04-27" contributor="Mark J Cox">** DISPUTED ** Sendmail classes the CipherList directive as &quot;for future release&quot;; currently unsupported and undocumented. Therefore the lack of support for the CipherList directive in various Red Hat products is not a vulnerability.
</statement>
  <statement cvename="CVE-2006-7177" organization="Red Hat" lastmodified="2007-04-17" contributor="Mark J Cox">Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2006-7178" organization="Red Hat" lastmodified="2007-04-17" contributor="Mark J Cox">Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2006-7179" organization="Red Hat" lastmodified="2007-04-17" contributor="Mark J Cox">Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2006-7180" organization="Red Hat" lastmodified="2007-04-17" contributor="Mark J Cox">Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2006-7204" organization="Mandriva" lastmodified="2007-09-21" contributor="Vincent Danen">Due to the nature of safe_mode and open_basedir restrictions, and in alignment with the PHP group’s stance on these features, Mandriva does not consider this a security issue.</statement>
  <statement cvename="CVE-2006-7204" organization="Red Hat" lastmodified="2007-05-29" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2006-7205" organization="Red Hat" lastmodified="2007-05-29" contributor="Mark J Cox">The memory_limit configuration option is used to constrain the amount of memory which a script can consume during execution.  If this setting is disabled (or set unreasonably high), it is expected behaviour that scripts will be able to consume large amounts of memory during script execution.

The memory_limit setting is enabled by default in all versions of PHP distributed in Red Hat Enterprise Linux and Application Stack.

</statement>
  <statement cvename="CVE-2006-7221" organization="Red Hat" lastmodified="2007-08-10" contributor="Mark J Cox">Red Hat does not consider a user assisted client crash such as this to be a
security flaw.</statement>
  <statement cvename="CVE-2006-7232" organization="Red Hat" lastmodified="2008-07-25" contributor="Mark J Cox">This issue did not affect the MySQL packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 as they did not support INFORMATION_SCHEMA, introduced in MySQL version 5.

MySQL packages as shipped in Red Hat Enterprise Linux 5 were fixed via:

https://rhn.redhat.com/errata/RHSA-2008-0364.html

The MySQL packages as shipped in Red Hat Application Stack v1 and v2 are based on upstream version which has the fix included.</statement>
  <statement cvename="CVE-2006-7236" organization="Red Hat" lastmodified="2009-01-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the xterm package, as shipped with Red Hat Enterprise Linux 3, 4, and 5, and the version of the XFree86 (providing xterm) and hanterm-xf packages, as shipped with Red Hat Enterprise Linux 2.1.</statement>
  <statement cvename="CVE-2007-0003" organization="Red Hat" lastmodified="2007-01-24" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of pam as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-0010" organization="Red Hat" lastmodified="2007-03-14" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.</statement>
  <statement cvename="CVE-2007-0059" organization="Apple" lastmodified="2007-03-19" contributor="Ron Dumont">This issue is addressed in QuickTime 7.1.5, which was released on March 5.  Information on the security fixes provided in QuickTime 7.1.5, and links to obtain the update are provided in:
http://docs.info.apple.com/article.html?artnum=305149</statement>
  <statement cvename="CVE-2007-0061" organization="Red Hat" lastmodified="2008-06-03" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of dhcp as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
</statement>
  <statement cvename="CVE-2007-0062" organization="Red Hat" lastmodified="2008-06-03" contributor="Mark J Cox">The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, 3, 4, or 5:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-0062
</statement>
  <statement cvename="CVE-2007-0063" organization="Red Hat" lastmodified="2008-06-03" contributor="Mark J Cox">This issue is the same as CVE-2007-5365.  The affected dhcp versions were fixed via: https://rhn.redhat.com/errata/RHSA-2007-0970.html
</statement>
  <statement cvename="CVE-2007-0080" organization="Red Hat" lastmodified="2007-01-05" contributor="Mark J Cox">Not vulnerable.  The affected code is in an optional module that is not shipped in Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-0086" organization="Red Hat" lastmodified="2007-01-11" contributor="Mark J Cox">Red Hat does not consider this issue to be a security vulnerability.  The potential attacker has to send acknowledgement packets periodically to make the server generate traffic.  Exactly the same effect could be achieved by simply downloading the file.  The statement that setting the TCP window size to an arbitrarily high value would permit the attacker to disconnect and stop sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default.
</statement>
  <statement cvename="CVE-2007-0103" organization="Red Hat" lastmodified="2008-01-09" contributor="Mark J Cox">Some implementations of the PDF specification erroneously allow page tree objects that refer back to themselves. As a result, an infinite loop could be created.  We believe this could only result in a denial of service against the application.  We do not consider a user-assisted DoS of a client application to be a security issue.

</statement>
  <statement cvename="CVE-2007-0104" organization="Red Hat" lastmodified="2007-01-15" contributor="Joshua Bressers">Not Vulnerable.  This flaw is the result of an infinite recursion flaw in xpdf, which cannot result in arbitrary code execution.</statement>
  <statement cvename="CVE-2007-0120" organization="Acunetix Limited" lastmodified="2007-01-31" contributor="Kevin J. Vella">Information about HTTP Sniffer:
The HTTP Sniffer is a built-in proxy server in Acunetix WVS whose purpose is to analyse web traffic between a web client (browser) and a web server. By default this tool is not enabled and when enabled it accepts traffic only from the same computer running Acunetix WVS (Localhost). The default TCP port used is 8080.

This means that when the HTTP Sniffer is enabled, it is only enabled on the local network interface and no one from the network can access the HTTP Sniffer port.

How the exploit works:
The exploit works by sending a specially crafted packet containing an invalid Content-Length field in the HTTP header to the TCP port on which the HTTP Sniffer is listening. This causes the application to crash (Denial of Service). Since the HTTP Sniffer component by default is enabled only on the local network interface, it is not possible to take advantage of this exploit remotely. The user has to manually change the listening interface from within the application’s configuration to make the HTTP Sniffer available on the network for this exploit to work remotely.

Solution:
Upgrade to the latest version of Acunetix WVS (v4.0 build 20060717 or later)</statement>
  <statement cvename="CVE-2007-0157" organization="Red Hat" lastmodified="2007-01-15" contributor="Mark J Cox">Not vulnerable.  This issue does not affect the older versions of neon as shipped with Red Hat Enterprise Linux 2.1, 3, and 4.  This issue also does not affect the older versions of neon included in the cadaver package.</statement>
  <statement cvename="CVE-2007-0227" organization="Mandriva" lastmodified="2007-01-19" contributor="Vincent Danen">Not vulnerable. This issue does not affect the versions of slocate as shipped with Mandriva Linux 2007.0 or earlier.</statement>
  <statement cvename="CVE-2007-0227" organization="Red Hat" lastmodified="2007-01-18" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of slocate as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
</statement>
  <statement cvename="CVE-2007-0235" organization="Red Hat" lastmodified="2007-07-27" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of libgtop as shipped with Red Hat Enterprise Linux 2.1 or 3.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This flaw affects Red Hat Enterprise Linux 4 and is being tracked via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249884</statement>
  <statement cvename="CVE-2007-0240" organization="Red Hat" lastmodified="2007-04-02" contributor="Mark J Cox">Not vulnerable. This issue did not affect Zope included within the conga package shipped with Red Hat Enterprise Linux 5.
</statement>
  <statement cvename="CVE-2007-0247" organization="Red Hat" lastmodified="2007-07-26" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-0248" organization="Red Hat" lastmodified="2007-07-26" contributor="Mark J Cox">Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This issue did not affect the versions of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-0311" organization="Texas Imperial Software" lastmodified="2011-01-07" contributor="Texas Imperial Software">Texas Imperial Software has tested this issue against current versions of WFTPD and WFTPD Pro, and finds that versions after 3.25 are not vulnerable. Users of WFTPD or WFTPD Pro should update to the most current version in order to address this issue. The update is free to fully registered users; unregistered users can download a fresh copy of the shareware version of the application.

</statement>
  <statement cvename="CVE-2007-0448" organization="Mandriva" lastmodified="2007-09-21" contributor="Vincent Danen">Due to the nature of safe_mode and open_basedir restrictions, and in alignment with the PHP group’s stance on these features, Mandriva does not consider this a security issue.</statement>
  <statement cvename="CVE-2007-0448" organization="Red Hat" lastmodified="2007-05-29" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-0453" organization="Red Hat" lastmodified="2007-05-14" contributor="Mark J Cox">Not vulnerable. These issues did not affect Linux versions of Samba.</statement>
  <statement cvename="CVE-2007-0454" organization="Red Hat" lastmodified="2007-05-14" contributor="Mark J Cox">Not vulnerable. These issues affect the AFS ACL module which is not distributed with Samba in Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-0455" organization="Red Hat" lastmodified="2007-05-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=234312

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2007-0493" organization="Red Hat" lastmodified="2007-01-29" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of ISC BIND as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-0519" organization="XMB" lastmodified="2020-09-09" contributor="Robert Chapin">As noted in https://docs.xmbforum2.com/index.php?title=Security_Issue_History XMB version 1.9.10 or later must be installed to prevent attacks described by this CVE. All earlier versions of XMB are vulnerable until upgraded. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2007-0537" organization="Red Hat" lastmodified="2007-02-15" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225414

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw.  More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2007-0650" organization="Red Hat" lastmodified="2007-02-13" contributor="Mark J Cox">Red Hat does not consider this issue to be a security vulnerability.  The user would have to voluntarily interact with the attack mechanism to exploit the flaw, and the result would be the ability to run code as themselves.
</statement>
  <statement cvename="CVE-2007-0653" organization="Red Hat" lastmodified="2008-04-04" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228013

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-0654" organization="Red Hat" lastmodified="2008-04-04" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228013

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-0770" organization="Red Hat" lastmodified="2007-02-14" contributor="Mark J Cox">Not vulnerable.  Red Hat did not ship the incomplete patch for CVE-2006-5456 and is therefore not affected by this issue.</statement>
  <statement cvename="CVE-2007-0822" organization="Red Hat" lastmodified="2007-02-09" contributor="Mark J Cox">Red Hat does not consider this issue to be a security vulnerability.  On Red Hat Enterprise Linux  processes that change their effective UID do not dump core by default when they receive a fatal signal.  Therefore the NULL pointer dereference does not lead to an information leak.
</statement>
  <statement cvename="CVE-2007-0823" organization="Red Hat" lastmodified="2007-02-09" contributor="Mark J Cox">Red Hat does not consider this issue to be a security vulnerability. It is correct and expected behavior for xterm not to zero-fill its scrollback buffer upon reception of terminal clear escape sequence.</statement>
  <statement cvename="CVE-2007-0879" organization="SmidgeonSoft" lastmodified="2007-02-19" contributor="Russell Osterlund">Unusually large strings would crash the display.  The bug has been fixed in the following releases:
PEBrowse Professional - v8.2.3
PEBrowse Professional Interactive - v8.2.4
PEBrowse Crash-Dump Analyzer - v2.6.8</statement>
  <statement cvename="CVE-2007-0905" organization="Red Hat" lastmodified="2008-04-02" contributor="Mark J Cox">We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2007-0911" organization="Red Hat" lastmodified="2007-02-16" contributor="Mark J Cox">Not vulnerable.  This flaw is a regression of the fix for CVE-2007-0906 affecting PHP version 5.2.1 only which results in any use of str_replace() causing a crash regardless of user input.  These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-1001" organization="Red Hat" lastmodified="2008-02-14" contributor="Mark J Cox">This issue was fixed in php package updates for Red Hat Enterprise Linux and Red Hat Application Stack:
http://rhn.redhat.com/cve/CVE-2007-1001.html

This issue did not affect the versions of gd as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-1030" organization="Red Hat" lastmodified="2008-04-04" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of libevent as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2007-1036" organization="Red Hat" lastmodified="2007-05-18" contributor="Mark J Cox">The JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually:

http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
</statement>
  <statement cvename="CVE-2007-1199" organization="Red Hat" lastmodified="2008-03-06" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-1199

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-1218" organization="Red Hat" lastmodified="2007-05-11" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232347

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2007-1287" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The phpinfo function should not be used in publicly accessible PHP scripts.</statement>
  <statement cvename="CVE-2007-1322" organization="Red Hat" lastmodified="2007-09-24" contributor="Mark J Cox">Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2007-1366" organization="Red Hat" lastmodified="2007-09-24" contributor="Mark J Cox">Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2007-1375" organization="Red Hat" lastmodified="2008-11-26" contributor="Mark J Cox">We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.

This flaw exists in versions of PHP as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack 1.

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, Stronghold 4.0, or Red Hat Application Stack 2.</statement>
  <statement cvename="CVE-2007-1376" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1378" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of PHP as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.</statement>
  <statement cvename="CVE-2007-1379" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of PHP as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.</statement>
  <statement cvename="CVE-2007-1380" organization="Red Hat" lastmodified="2007-05-11" contributor="Mark J Cox">Our previous fixes for CVE-2007-0906 included a patch that also addressed the issue now given CVE name CVE-2007-1380.  For a full list of versions that contained a fix for this issue please see: https://rhn.redhat.com/cve/CVE-2007-1380.html</statement>
  <statement cvename="CVE-2007-1381" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.</statement>
  <statement cvename="CVE-2007-1383" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1396" organization="Red Hat" lastmodified="2007-03-19" contributor="Mark J Cox">Red Hat does not consider this to be a security vulnerability.  Using import_request_variables() is generally a discouraged practice and it is improper use that can lead to security problems, not flaw of PHP itself.
</statement>
  <statement cvename="CVE-2007-1399" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. The zip extension was not shipped in versions of PHP 
provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.</statement>
  <statement cvename="CVE-2007-1401" organization="Red Hat" lastmodified="2007-03-19" contributor="Mark J Cox">Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include Cracklib support.
</statement>
  <statement cvename="CVE-2007-1411" organization="Red Hat" lastmodified="2007-03-19" contributor="Mark J Cox">Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include mssql support.
</statement>
  <statement cvename="CVE-2007-1412" organization="Red Hat" lastmodified="2007-03-19" contributor="Mark J Cox">Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include ClibPDF support.
</statement>
  <statement cvename="CVE-2007-1413" organization="Red Hat" lastmodified="2007-03-19" contributor="Mark J Cox">Not vulnerable. The php-snmp package as shipped with Red Hat Enterprise Linux 4 and 5 uses net-snmp which is not vulnerable to this issue.
</statement>
  <statement cvename="CVE-2007-1420" organization="Red Hat" lastmodified="2008-07-25" contributor="Joshua Bressers">This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4.

Issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 5 via:

https://rhn.redhat.com/errata/RHSA-2008-0364.html</statement>
  <statement cvename="CVE-2007-1452" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. The filter extension was not shipped in versions of PHP 
provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.</statement>
  <statement cvename="CVE-2007-1453" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. The filter extension was not shipped in versions of PHP 
provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.</statement>
  <statement cvename="CVE-2007-1454" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. The filter extension was not shipped in versions of PHP 
provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.</statement>
  <statement cvename="CVE-2007-1460" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. The zip extension was not shipped in versions of PHP 
provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.</statement>
  <statement cvename="CVE-2007-1461" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1475" organization="Red Hat" lastmodified="2007-03-26" contributor="Mark J Cox">Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include ibase support.</statement>
  <statement cvename="CVE-2007-1484" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1521" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1522" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1564" organization="Red Hat" lastmodified="2007-03-23" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233592

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2007-1565" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">Mandriva does not consider crashes of client applications such as Konqueror to be a security issue.
</statement>
  <statement cvename="CVE-2007-1565" organization="Red Hat" lastmodified="2007-03-26" contributor="Mark J Cox">We do not consider a crash of a client application such as Konqueror to be a security issue.</statement>
  <statement cvename="CVE-2007-1581" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1582" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1584" organization="Red Hat" lastmodified="2007-05-01" contributor="Mark J Cox">This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0907.
</statement>
  <statement cvename="CVE-2007-1649" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of PHP as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.
</statement>
  <statement cvename="CVE-2007-1700" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1701" organization="Red Hat" lastmodified="2007-05-01" contributor="Mark J Cox">This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0910.
</statement>
  <statement cvename="CVE-2007-1709" organization="Red Hat" lastmodified="2007-04-17" contributor="Mark J Cox">Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack, and Stronghold 4.0 does not include PHPDoc support.
</statement>
  <statement cvename="CVE-2007-1710" organization="Red Hat" lastmodified="2007-04-17" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-1716" organization="Red Hat" lastmodified="2007-04-09" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233581

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw.  More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/

</statement>
  <statement cvename="CVE-2007-1717" organization="Red Hat" lastmodified="2007-05-04" contributor="Mark J Cox">This issue has no security impact.</statement>
  <statement cvename="CVE-2007-1730" organization="Red Hat" lastmodified="2007-10-23" contributor="Mark J Cox">Not vulnerable. This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-1734" organization="Red Hat" lastmodified="2007-10-23" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-1741" organization="Red Hat" lastmodified="2007-04-19" contributor="Mark J Cox">These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intended to protect against privilege escalation in such a configuration.</statement>
  <statement cvename="CVE-2007-1742" organization="Red Hat" lastmodified="2007-04-19" contributor="Mark J Cox">These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intended to protect against privilege escalation in such a configuration.</statement>
  <statement cvename="CVE-2007-1743" organization="Red Hat" lastmodified="2007-04-19" contributor="Mark J Cox">These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intended to protect against privilege escalation in such a configuration.</statement>
  <statement cvename="CVE-2007-1777" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. The zip extension was not distributed with PHP as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.
</statement>
  <statement cvename="CVE-2007-1824" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1825" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0906.</statement>
  <statement cvename="CVE-2007-1835" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1849" organization="Drake CMS" lastmodified="2007-04-17" contributor="legolas558">An apposite mailing list
(drakecms-security@lists.sourceforge.net) has been created to discuss all publicly disclosed security reports (mostly from National Vulnerability Database and Security Focus); for the valid security reports temporary solutions will be offered even before the official patch release. Specific patches will be released for all critical vulnerabilities (available through the automatic update feature).

This vulnerability has been fixed in Drake CMS v0.3.8 Beta, previous versions’ users can update their software directly from the administrative backend.</statement>
  <statement cvename="CVE-2007-1850" organization="Drake CMS" lastmodified="2007-04-17" contributor="legols558">An apposite mailing list
(drakecms-security@lists.sourceforge.net) has been created to discuss all publicly disclosed security reports (mostly from National Vulnerability Database and Security Focus); for the valid security reports temporary solutions will be offered even before the official patch release. Specific patches will be released for all critical vulnerabilities (available through the automatic update feature).

This vulnerability has been fixed in the upcoming Drake CMS v0.3.9 Beta, previous versions’ users can update their software directly from the administrative backend.
</statement>
  <statement cvename="CVE-2007-1862" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.6.  http://httpd.apache.org/security/vulnerabilities_22.html</statement>
  <statement cvename="CVE-2007-1862" organization="Red Hat" lastmodified="2007-06-11" contributor="Mark J Cox">Not vulnerable. This issue was specific to httpd version 2.2.4 and did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.
</statement>
  <statement cvename="CVE-2007-1863" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.6 and 2.0.61: http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2007-1883" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1884" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1885" organization="Red Hat" lastmodified="2007-05-01" contributor="Mark J Cox">This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0906.</statement>
  <statement cvename="CVE-2007-1886" organization="Red Hat" lastmodified="2007-11-30" contributor="Joshua Bressers">We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.

For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=mopb#c37</statement>
  <statement cvename="CVE-2007-1887" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of PHP as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.
</statement>
  <statement cvename="CVE-2007-1888" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of PHP as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.
</statement>
  <statement cvename="CVE-2007-1889" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of PHP as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.
</statement>
  <statement cvename="CVE-2007-1890" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security
layer (as found in, say, a JVM) in which untrusted scripts can be run;
any script run by the PHP interpreter must be trusted with the
privileges of the interpreter itself.  We therefore do not classify
this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2007-1900" organization="Red Hat" lastmodified="2007-04-16" contributor="Mark J Cox">Not vulnerable. The filter extension was not shipped in the versions of PHP supplied for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or
Red Hat Application Stack 1.
</statement>
  <statement cvename="CVE-2007-2026" organization="Red Hat" lastmodified="2007-06-07" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of file as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-2027" organization="Red Hat" lastmodified="2009-10-02" contributor="Mark J Cox">This issue affected Red Hat Enterprise Linux 4 and 5.  Update packages were released to correct it via: http://rhn.redhat.com/errata/RHSA-2009-1471.html</statement>
  <statement cvename="CVE-2007-2030" organization="Red Hat" lastmodified="2007-04-18" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236585

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2007-2052" organization="Red Hat" lastmodified="2007-04-19" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235093

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2007-2164" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">Mandriva does not consider crashes of client applications such as Konqueror to be a security issue.
</statement>
  <statement cvename="CVE-2007-2176" organization="Red Hat" lastmodified="2007-04-30" contributor="Mark J Cox">Not vulnerable.  This issue is a flaw in the way Java and Quicktime interact.</statement>
  <statement cvename="CVE-2007-2231" organization="Red Hat" lastmodified="2008-05-21" contributor="Joshua Bressers">This issue did not affect Red Hat Enterprise Linux prior to version 5.  An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0297.html</statement>
  <statement cvename="CVE-2007-2241" organization="Red Hat" lastmodified="2007-05-03" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of BIND as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-2243" organization="Red Hat" lastmodified="2007-05-23" contributor="Mark J Cox">Not vulnerable. OpenSSH supplied with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not contain S/KEY support.</statement>
  <statement cvename="CVE-2007-2263" organization="Red Hat" lastmodified="2007-11-01" contributor="Mark J Cox">This issue was fixed in RealPlayer for Red Hat Enterprise Linux 3 Extras, 4 Extras, 5 Supplementary by RHSA-2007:0841 on 17th August 2007:
http://rhn.redhat.com/errata/RHSA-2007-0841.html

(Our original advisory did not mention this issue was fixed as the details of the issue were not made public by RealNetworks until 25th October 2007)</statement>
  <statement cvename="CVE-2007-2264" organization="Red Hat" lastmodified="2007-11-01" contributor="Mark J Cox">This issue was fixed in RealPlayer for Red Hat Enterprise Linux 3 Extras, 4 Extras, 5 Supplementary by RHSA-2007:0841 on 17th August 2007:
http://rhn.redhat.com/errata/RHSA-2007-0841.html

(Our original advisory did not mention this issue was fixed as the details of the issue were not made public by RealNetworks until 25th October 2007)</statement>
  <statement cvename="CVE-2007-2348" organization="Red Hat" lastmodified="2009-09-02" contributor="Joshua Bressers">This issue does not affect lftp as supplied with Red Hat Enterprise Linux 3.

This issue was addressed for Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1278.html

The Red Hat Security Response Team has rated this issue as having low security impact, a future update to Red Hat Enterprise Linux 4 may address this flaw.</statement>
  <statement cvename="CVE-2007-2353" organization="Red Hat" lastmodified="2007-05-10" contributor="Mark J Cox">Red Hat ship Axis in a number of products; however the installation path of Axis is fixed and deterministic, so this flaw does not disclose otherwise unknown information.  We do not plan on issuing updates to fix this issue.</statement>
  <statement cvename="CVE-2007-2407" organization="Red Hat" lastmodified="2007-08-09" contributor="Joshua Bressers">Not vulnerable.  This flaw is specific to Mac OS X and does not affect any version of Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2007-2437" organization="Red Hat" lastmodified="2007-05-25" contributor="Joshua Bressers">Red Hat does not consider a user assisted client crash such as this to be a security flaw.</statement>
  <statement cvename="CVE-2007-2444" organization="Red Hat" lastmodified="2007-05-15" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-2448" organization="Red Hat" lastmodified="2007-06-26" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-2448

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-2452" organization="Red Hat" lastmodified="2007-06-11" contributor="Mark J Cox">Not vulnerable.  Red Hat did not ship GNU locate in Red Hat Enterprise Linux 2.1, 3, 4, or 5.  This issue does not affect the 'mlocate' or 'slocate' packages that are supplied with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2007-2453" organization="Red Hat" lastmodified="2007-06-12" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel supplied with Red Hat Enterprise Linux 2.1, 3, or 4.

For systems based on Red Hat Enterprise Linux 5, this is only an issue for systems without a real time clock, hard drive activity, or user input during boot time.  Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241718

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2007-2510" organization="Red Hat" lastmodified="2008-02-13" contributor="Mark J Cox">This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or Red Hat Application Stack v2.  Updates to correct this issue for Red Hat Enterprise Linux 5, and Red Hat Application Stack v1 are available at
http://rhn.redhat.com/cve/CVE-2007-2510.html</statement>
  <statement cvename="CVE-2007-2511" organization="Red Hat" lastmodified="2008-04-02" contributor="Mark J Cox">The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  This bug described in CVE-2007-2511 can only be triggered by a script author; since no trust boundary is crossed, this issue is not treated as security-sensitive.</statement>
  <statement cvename="CVE-2007-2519" organization="Red Hat" lastmodified="2007-05-24" contributor="Mark J Cox">Installation of a PEAR package from an untrusted source could allow malicious code to be installed and potentially executed by the root user.  This is true regardless of the existence of this particular bug in the PEAR installer, so the bug would not be treated as security-sensitive.  As when handling system RPM packages, the root user must always ensure that any packages installed are from a trusted source and have been packaged correctly.</statement>
  <statement cvename="CVE-2007-2583" organization="Red Hat" lastmodified="2008-07-25" contributor="Joshua Bressers">This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4.

Issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 5 via:

https://rhn.redhat.com/errata/RHSA-2008-0364.html</statement>
  <statement cvename="CVE-2007-2618" organization="Drake CMS" lastmodified="2007-05-16" contributor="legolas558">An apposite mailing list (drakecms-security@lists.sourceforge.net) has been created to discuss all publicly disclosed security reports (mostly from National Vulnerability Database and Security Focus); for the valid security reports temporary solutions will be offered even before the official patch release. Specific patches will be released for all critical vulnerabilities (available through the automatic update feature).

This vulnerability has been fixed in the upcoming Drake CMS v0.4.1 Beta, previous versions’ users can update their software directly from the administrative backend. Cumulative patches will also be available in the project downloads area.

References to Advisories, Solutions, and Tools -&gt; http://drakecms.sourceforge.net/ (official vendor website) will soon contain news about the security vulnerabilities and the released patches.
</statement>
  <statement cvename="CVE-2007-2645" organization="Red Hat" lastmodified="2007-05-24" contributor="Joshua Bressers">Red Hat does not consider this flaw to have security consequences.  For more details please see the following:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240055</statement>
  <statement cvename="CVE-2007-2683" organization="Red Hat" lastmodified="2007-06-04" contributor="Joshua Bressers">Updates for Red Hat Enterprise Linux are available from
http://rhn.redhat.com/errata/RHSA-2007-0386.html</statement>
  <statement cvename="CVE-2007-2691" organization="Red Hat" lastmodified="2007-05-29" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-2691

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2007-2692" organization="Red Hat" lastmodified="2008-07-25" contributor="Joshua Bressers">This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3 and 4.

Affected mysql packages as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack were fixed via:

https://rhn.redhat.com/errata/CVE-2007-2692.html</statement>
  <statement cvename="CVE-2007-2693" organization="Red Hat" lastmodified="2007-06-14" contributor="Joshua Bressers">Not vulnerable. These issues did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-2721" organization="Red Hat" lastmodified="2007-10-23" contributor="Mark J Cox">Not vulnerable.  This issue did not affect versions of ghostscript as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5 as they do not include a bundled JasPer library.
</statement>
  <statement cvename="CVE-2007-2727" organization="Red Hat" lastmodified="2008-06-26" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat
Application Stack 1, or 2, as the packages shipped are not compiled with the mcrypt extension affected by this issue.
</statement>
  <statement cvename="CVE-2007-2741" organization="Red Hat" lastmodified="2008-12-03" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of lcms as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2007-2748" organization="Red Hat" lastmodified="2008-11-26" contributor="Tomas Hoger">We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.

This flaw exists in versions of PHP as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack 1.

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or Red Hat Application Stack 2.</statement>
  <statement cvename="CVE-2007-2756" organization="Red Hat" lastmodified="2007-05-22" contributor="Joshua Bressers">Red Hat does not consider this flaw to be a security vulnerability.  We are not aware of any long running processes using libgd which could not recover from this condition.</statement>
  <statement cvename="CVE-2007-2768" organization="Red Hat" lastmodified="2007-05-23" contributor="Mark J Cox">Not vulnerable. OPIE for PAM is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-2833" organization="Red Hat" lastmodified="2007-06-26" contributor="Mark J Cox">Red Hat does not consider a user-assisted crash of a user application such as Emacs to be a security issue.
</statement>
  <statement cvename="CVE-2007-2844" organization="Red Hat" lastmodified="2007-05-29" contributor="Mark J Cox">Not vulnerable.  PHP is not built or supported in a multi-threaded environment in the packages
distributed in Red Hat Enterprise Linux or Application Stack.</statement>
  <statement cvename="CVE-2007-2872" organization="Red Hat" lastmodified="2007-08-02" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-2872

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-2878" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2007-2893" organization="Red Hat" lastmodified="2007-11-02" contributor="Mark J Cox">Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2007-2925" organization="Red Hat" lastmodified="2007-07-26" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-2926" organization="Red Hat" lastmodified="2008-03-28" contributor="Mark J Cox">Updates are available for Red Hat Enterprise Linux 2.1, 3, 4, and 5 to correct this issue:
http://rhn.redhat.com/errata/RHSA-2007-0740.html</statement>
  <statement cvename="CVE-2007-2930" organization="Red Hat" lastmodified="2007-09-12" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-2953" organization="Red Hat" lastmodified="2007-08-06" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248542

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2007-2958" organization="Red Hat" lastmodified="2007-08-28" contributor="Mark J Cox">Not vulnerable.  This issue did not affect the version of Sylpheed as shipped with Red Hat Enterprise Linux 2.1.  Sylpheed and claws-mail are not shipped with Red Hat Enterprise Linux 3, 4, or 5.
</statement>
  <statement cvename="CVE-2007-2970" organization="8e6 Technologies" lastmodified="2007-07-06" contributor="Mark Parker">I am pleased to inform you that we have released an update (version 2.0.05) which addresses this issue.
 
All 8e6 customers with a current license will automatically download this update, and can install it once the download is complete. 
 
This update was placed on our update servers on Thu Jul  5 16:32:57 PDT 2007.
 
Further information can be found at:
http://www.8e6.com/products/R3000/patches/r3000_patches.htm</statement>
  <statement cvename="CVE-2007-2997" organization="ComCity LLC" lastmodified="2007-06-15" contributor="Michael Barber">These tests purported to be discussed were reported falsely and were based upon an old unreleased flashy marketing created demonstration of the product and not using any &quot;officially&quot; released version of the software distributed to any customers.  This information was explained with the reporting party and they chose to ignore it.  ComCity has attempted to reproduce the reported issue using the SQL injection strings and a variety of other SQL injection strings and cannot reproduce the vulnerability on its currently released software.  In addition, the version of the software purported to be affected by this technique is no longer sold or even supported by ComCity and was discontinued nearly a year ago and replaced with an ASP.NET version.  However, we have attempted to reproduce this technique in this old, unsupported release of software that used ASP as well, and cannot reproduce it.
 
It is difficult to combat all combinations of SQL Injections through simple sanitation so ComCity discontinued these older ASP based products nearly a year ago.  ASP.NET is less susceptible to SQL Injection and we have informed our customers that the continued use of ASP in the current Internet security climate is unadvisable.  We advise all customers to upgrade to the latest products.  We welcome any report or finding that will help us improve or discover issues unknown to us.  However, the code in question does sanitize SQL injections and this entire report is inaccurate and was used in conjunction with an extortion request by a 3rd party company soliciting its services.</statement>
  <statement cvename="CVE-2007-3007" organization="Red Hat" lastmodified="2007-06-07" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-3008" organization="Red Hat" lastmodified="2008-03-05" contributor="Joshua Bressers">The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required.

For more information please see:
http://www.apacheweek.com/issues/03-01-24#news</statement>
  <statement cvename="CVE-2007-3104" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2007-3105" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2007-3108" organization="Red Hat" lastmodified="2007-08-14" contributor="Mark J Cox">This paper describes a possible side-channel attack that hasn’t been proven outside of a lab environment. In reality many factors would make this harder to exploit. If exploited, a local user could obtain RSA private keys (for example for web sites being run on the server). We have rated this as affecting Red Hat products with moderate security severity. Although the OpenSSL team have produced a patch for this issue, it is non-trivial and will require more testing before we can deploy it in a future update.  Our current plan is as follows:

- To include a backported fix in an OpenSSL update as part of Enterprise Linux 4.6. This will get testing via beta and give time for more extensive internal and upstream testing
- To release an update for OpenSSL for other platforms at the same time as 4.6 is released
 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3108
</statement>
  <statement cvename="CVE-2007-3126" organization="Mandriva" lastmodified="2007-09-17" contributor="Vincent Danen">Mandriva does not consider a user-assisted crash of an end-user application such as the GIMP to be a security issue.</statement>
  <statement cvename="CVE-2007-3126" organization="Red Hat" lastmodified="2007-06-29" contributor="Joshua Bressers">Red Hat does not consider a user-assisted crash of a user application such as GIMP to be a security issue.</statement>
  <statement cvename="CVE-2007-3143" organization="Red Hat" lastmodified="2007-08-17" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=252169

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3144" organization="Red Hat" lastmodified="2007-08-16" contributor="Mark J Cox">Not vulnerable.  Mozilla is no longer shipped as part of any version of Red Hat Enterprise Linux.  Mozilla was replaced in Red Hat Enterprise Linux by SeaMonkey, which is not affected by this issue.
</statement>
  <statement cvename="CVE-2007-3149" organization="Red Hat" lastmodified="2007-06-11" contributor="Mark J Cox">Not vulnerable.  Versions of sudo package shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5 are linked with PAM support and never use libkrb5 authentication.
</statement>
  <statement cvename="CVE-2007-3205" organization="Red Hat" lastmodified="2007-06-26" contributor="Mark J Cox">This is not a security vulnerability: it is the expected behaviour of parse_str when used without a second parameter.</statement>
  <statement cvename="CVE-2007-3278" organization="Red Hat" lastmodified="2008-02-01" contributor="Mark J Cox">Red Hat does not consider this to be a security issue.  dblink is disabled in default configuration of PostgreSQL packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5, and it is a configuration decision whether to grant local users arbitrary access.

Fixes to correct this bug were included in PostgreSQL updates:
http://rhn.redhat.com/cve/CVE-2007-3278.html
</statement>
  <statement cvename="CVE-2007-3279" organization="Red Hat" lastmodified="2007-09-28" contributor="Mark J Cox">Red Hat does not consider this to be a security issue. Creating functions is an intended feature of the PL/pgSQL language and is definitely not a security problem. Weak passwords are generally more likely to be guessed with brute force attacks and choosing a strong password according to good practices is considered to be a sufficient protection against this kind of attack.

</statement>
  <statement cvename="CVE-2007-3280" organization="Red Hat" lastmodified="2007-09-28" contributor="Mark J Cox">Red Hat does not consider this to be a security issue.  The ability of the superuser to execute code on behalf of the database server is an intended feature and imposes no security threat as the superuser account is restricted to the database administrator.
</statement>
  <statement cvename="CVE-2007-3294" organization="Red Hat" lastmodified="2007-09-28" contributor="Mark J Cox">Not vulnerable. PHP is not compiled with the tidy library as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack v1 or v2.</statement>
  <statement cvename="CVE-2007-3303" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">In the security model used by Apache httpd, the less-privileged child processes completely handle the servicing of new connections. Any local user who is able to run arbitrary code in those children is therefore able to prevent new requests from being serviced, by design.  Such
users will also be able to &quot;simulate&quot; server load and force the parent to create children up to the configured limits, by design.

A server with untrusted local users must be configured to use a solution like &quot;suexec&quot; if it's required to allow the users to execute CGI (etc) scripts.
</statement>
  <statement cvename="CVE-2007-3303" organization="Red Hat" lastmodified="2007-06-26" contributor="Mark J Cox">Not a vulnerability.  In the security model used by Apache httpd, the less-privileged child processes (running as the &quot;apache&quot; user) completely handle the servicing of new connections. Any local user who is able to run arbitrary code in those children is therefore able to prevent new requests from being serviced, by design.  Such users will also be able to &quot;simulate&quot; server load and force the parent to create children up to the configured limits, by design.</statement>
  <statement cvename="CVE-2007-3304" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.6, 2.0.61, and 1.3.39:
http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2007-3372" organization="Red Hat" lastmodified="2009-01-08" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of avahi as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2007-3375" organization="Red Hat" lastmodified="2007-07-10" contributor="Mark J Cox">Not vulnerable, Red Hat do not ship the Lhaca file archiver.  Note that an identical flaw was found affecting the lha file archiver in 2004, CVE-2004-0234.  This issue was corrected by security update RHSA-2004:178 for Red Hat Enterprise Linux 2.1 and 3.  Red Hat
Enterprise Linux 4 was not vulnerable as it contained a backported patch to correct this issue from release.
http://rhn.redhat.com/errata/RHSA-2004-178.html
</statement>
  <statement cvename="CVE-2007-3378" organization="Red Hat" lastmodified="2007-07-05" contributor="Joshua Bressers">We do not consider these to be security issues.  For more details see:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-3380" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2007-3472" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3472

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3473" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3473

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3474" organization="Red Hat" lastmodified="2008-02-14" contributor="Mark J Cox">This issue did not affect the versions of gd as shipped with Red Hat Enterprise Linux 2.1 or 3 as they did not offer GIF image support.

We do not plan to backport a fix for this issue to the gd packages as shipped in Red Hat Enterprise Linux 4 and 5 due to the low
likelihood of an application affected by this problem being exposed in a way that would allow a trust boundary to be crossed.</statement>
  <statement cvename="CVE-2007-3475" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3475

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3476" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3476

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3477" organization="Red Hat" lastmodified="2008-02-14" contributor="Mark J Cox">Due to the minimal impact of this flaw (temporary DoS by high CPU usage) and low likelihood of this problem being exposed in a way that would allow trust boundary crossing, we currently do not plan to backport a fix for this issue to the versions of gd as shipped in Red Hat Enterprise Linux 2.1, 3, 4 or 5.</statement>
  <statement cvename="CVE-2007-3478" organization="Red Hat" lastmodified="2008-02-14" contributor="Mark J Cox">We currently do not plan to backport a fix for this issue to gd packages in current versions of Red Hat Enterprise Linux 2.1, 3, 4, and 5 due to the low likelihood of an application affected by this problem being exposed in a way that would allow a trust boundary to be crossed.</statement>
  <statement cvename="CVE-2007-3506" organization="Red Hat" lastmodified="2007-07-05" contributor="Joshua Bressers">Not vulnerable. These issues did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-3508" organization="Mandriva" lastmodified="2007-09-17" contributor="Vincent Danen">Based on the analysis of Red Hat and several Glibc developers, Mandriva does not believe this to be exploitable.</statement>
  <statement cvename="CVE-2007-3508" organization="Red Hat" lastmodified="2007-07-05" contributor="Joshua Bressers">After careful analysis by Red Hat and several Glibc developers, it has been determined that this bug is not exploitable.

For more information please see Red Hat Bugzilla bug #247208
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=247208</statement>
  <statement cvename="CVE-2007-3513" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-3564" organization="Red Hat" lastmodified="2007-07-20" contributor="Mark J Cox">Not vulnerable.  The curl packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5 are not linked against the gnutls library.</statement>
  <statement cvename="CVE-2007-3568" organization="Mandriva" lastmodified="2007-09-17" contributor="Vincent Danen">Mandriva does not consider bugs which result in a user-assisted crash of end user applications to be a security issue.
</statement>
  <statement cvename="CVE-2007-3568" organization="Red Hat" lastmodified="2007-07-06" contributor="Joshua Bressers">Red Hat does not consider bugs which result in a user-assisted crash of an end user application to be a security issue.</statement>
  <statement cvename="CVE-2007-3634" organization="Red Hat" lastmodified="2007-07-10" contributor="Mark J Cox">Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2007-3635" organization="Red Hat" lastmodified="2007-07-10" contributor="Mark J Cox">Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2007-3636" organization="Red Hat" lastmodified="2007-07-10" contributor="Mark J Cox">Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2007-3642" organization="Red Hat" lastmodified="2007-07-10" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-3719" organization="Red Hat" lastmodified="2009-10-26" contributor="Tomas Hoger">The Red Hat Security Response Team has rated this issue as having moderate security impact.

The risks associated with fixing this bug are greater than the moderate severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2007-3728" organization="Red Hat" lastmodified="2007-07-17" contributor="Mark J Cox">Not vulnerable.  libsilc was not shipped with Enterprise Linux 2.1 or 3.  This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4 or 5.</statement>
  <statement cvename="CVE-2007-3731" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-3739" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1.</statement>
  <statement cvename="CVE-2007-3740" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2007-3781" organization="Red Hat" lastmodified="2007-07-17" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248553

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3782" organization="Red Hat" lastmodified="2007-07-17" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248553

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3790" organization="Red Hat" lastmodified="2007-07-20" contributor="Mark J Cox">Not vulnerable.  This flaw is specific to PHP on Windows.</statement>
  <statement cvename="CVE-2007-3798" organization="Red Hat" lastmodified="2007-07-31" contributor="Joshua Bressers">This issue does not affect the version of tcpdump shipped in Red Hat Enterprise Linux 2.1 or 3.

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250275

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2007-3799" organization="Red Hat" lastmodified="2007-08-03" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3799

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3806" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Not vulnerable.  This issue only affected PHP on Windows platforms.</statement>
  <statement cvename="CVE-2007-3820" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">This issue did not affect Red Hat Enterprise Linux 2.1 or 3.  For Red Hat Enterprise Linux 4 and 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248537

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3843" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2007-3844" organization="Red Hat" lastmodified="2007-08-17" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250648

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3845" organization="Red Hat" lastmodified="2007-10-10" contributor="Joshua Bressers">Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2007-3847" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.6 and 2.0.61:  http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2007-3852" organization="Red Hat" lastmodified="2008-05-12" contributor="Joshua Bressers">This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

For Red Hat Enterprise Linux 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=251200

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3919" organization="Red Hat" lastmodified="2007-11-01" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3919

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-3920" organization="Red Hat" lastmodified="2008-05-21" contributor="Joshua Bressers">This issue affected Red Hat Enterprise Linux 5 with a low security impact.  An update to the compiz package was released to correct this issue: 
https://rhn.redhat.com/errata/RHSA-2008-0485.html

</statement>
  <statement cvename="CVE-2007-3961" organization="Red Hat" lastmodified="2007-08-10" contributor="Mark J Cox">Red Hat does not consider a user assisted client crash such as this to be a security flaw.</statement>
  <statement cvename="CVE-2007-3962" organization="Red Hat" lastmodified="2007-08-10" contributor="Mark J Cox">Not vulnerable.  fsplib is part of gftp in Red Hat Enterprise Linux 5, but this issue does not affect Linux.</statement>
  <statement cvename="CVE-2007-3997" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">Due to the nature of safe_mode and open_basedir restrictions, and in alignment with the PHP group’s stance on these features, Mandriva does not consider this a security issue.</statement>
  <statement cvename="CVE-2007-3997" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-3998" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1.</statement>
  <statement cvename="CVE-2007-4033" organization="Red Hat" lastmodified="2007-08-01" contributor="Mark J Cox">Not vulnerable.  Versions of PHP packages as shipped with current Red Hat products are not linked with t1lib.</statement>
  <statement cvename="CVE-2007-4038" organization="Red Hat" lastmodified="2007-07-31" contributor="Joshua Bressers">Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2007-4039" organization="Red Hat" lastmodified="2007-07-31" contributor="Joshua Bressers">Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2007-4044" organization="Red Hat" lastmodified="2007-08-17" contributor="Mark J Cox">The CVE description for this bug is incorrect.    The backported patch for CVE-2007-2447 missed the character ’c’ in the shell escaping whitelist of allowed characters, therefore not allowing commands with a ’c’ in them to be executed.  This is therefore a regression bug and not a security vulnerability.</statement>
  <statement cvename="CVE-2007-4045" organization="Red Hat" lastmodified="2007-11-09" contributor="Mark J Cox">The Red Hat Security Response Team has rated this issue as having low security impact.  Updates to correct this are available:
https://rhn.redhat.com/cve/CVE-2007-4045.html

</statement>
  <statement cvename="CVE-2007-4049" organization="Red Hat" lastmodified="2007-08-03" contributor="Mark J Cox">Not vulnerable.  This is a rediscovery and therefore a duplicate of CVE-2000-1205 which was corrected in upstream Apache httpd 1.3.11.</statement>
  <statement cvename="CVE-2007-4091" organization="Red Hat" lastmodified="2007-08-22" contributor="Mark J Cox">Not vulnerable.  This flaw did not affect Red Hat Enterprise Linux 2.1, 3, or 4 due to the version of rsync.

This flaw does exist in Red Hat Enterprise Linux 5, but due to the nature of the flaw it is not exploitable with any security consequence due to stack-protector.</statement>
  <statement cvename="CVE-2007-4133" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2007-4138" organization="Red Hat" lastmodified="2007-09-18" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-4211" organization="Red Hat" lastmodified="2008-05-21" contributor="Mark J Cox">These issues did not affect the dovecot versions as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.  An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0297.html
</statement>
  <statement cvename="CVE-2007-4224" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=251708

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-4225" organization="Red Hat" lastmodified="2007-08-09" contributor="Joshua Bressers">Not vulnerable. These issues did not affect the versions of konqueror as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-4229" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">Mandriva does not consider crashes of client applications such as Konqueror to be a security issue.
</statement>
  <statement cvename="CVE-2007-4229" organization="Red Hat" lastmodified="2007-08-09" contributor="Joshua Bressers">Red Hat does not consider a crash of a client application such as Konqueror to be a security flaw.</statement>
  <statement cvename="CVE-2007-4239" organization="C-SAM" lastmodified="2007-08-09" contributor="Viral Shah">The version on which this vulnerability has been detected is a pre-release (non-commercial) version of the OneWallet platform. The current version of the product does not have the vulnerability in question (namely, XSS TYPE 1).  C-SAM takes utmost care in ensuring the security of its products and will proactively release patches from time to time to address such issues.

</statement>
  <statement cvename="CVE-2007-4250" organization="Advanced Search Bar" lastmodified="2007-08-09" contributor="Support">The isChecked vulnerability with the Advanced Searchbar has been patched/repaired in the newest version 3.33 http://www.advancedsearchbar.com/asbsetup.exe
</statement>
  <statement cvename="CVE-2007-4251" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">This issue crashes OpenOffice.org only if a user opens a malicious document. Mandriva does not consider this a security issue.</statement>
  <statement cvename="CVE-2007-4251" organization="Red Hat" lastmodified="2007-08-14" contributor="Mark J Cox">Red Hat does not consider this flaw a security issue. This flaw will only crash OpenOffice.org if a victim opens a malicious document.</statement>
  <statement cvename="CVE-2007-4255" organization="Red Hat" lastmodified="2007-08-09" contributor="Joshua Bressers">Not vulnerable.  PHP packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4, and 5 are not compiled with msql library and are not vulnerable to this issue.
</statement>
  <statement cvename="CVE-2007-4351" organization="Red Hat" lastmodified="2007-11-09" contributor="Mark J Cox">Vulnerable.  This issue affected the CUPS packages in Red Hat Enterprise Linux 5.

This issue also affected the versions of CUPS packages in Red Hat Enterprise Linux 3 and 4, but exploitation would only lead to a possible denial of service.  Updates are available from

https://rhn.redhat.com/cve/CVE-2007-4351.html</statement>
  <statement cvename="CVE-2007-4465" organization="Apache" lastmodified="2007-09-14" contributor="Mark J Cox">The Apache security team believe that this issue is due to web browsers that are violating RFC2616.  

However, Apache 2.2.6 and 2.0.61 add a workaround for such browsers by adding Type and Charset options to IndexOptions directive.  This allows a site administrator to explicitly set the content-type and charset of the generated directory index page.</statement>
  <statement cvename="CVE-2007-4465" organization="Red Hat" lastmodified="2007-09-18" contributor="Mark J Cox">This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. This does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the &quot;AddDefaultCharset&quot; directive and are using directory indexes.  The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4465

</statement>
  <statement cvename="CVE-2007-4476" organization="Red Hat" lastmodified="2010-03-15" contributor="Mark J Cox">This issue was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0141.html for tar.  It did not affect the version of tar as shipped with Red Hat Enterprise Linux 3. This issue was also addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0144.html for cpio.  It did not affect the version of cpio as shipped with Red Hat Enterprise Linux 3 and 4.</statement>
  <statement cvename="CVE-2007-4507" organization="Red Hat" lastmodified="2007-08-24" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack 1.
</statement>
  <statement cvename="CVE-2007-4559" organization="Red Hat" lastmodified="2007-10-15" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=263261

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2007-4565" organization="Red Hat" lastmodified="2009-09-09" contributor="Mark J Cox">This issue was addressed in fetchmail packages as shipped in Red Hat Enterprise Linux 3, 4, and 5 via:

https://rhn.redhat.com/errata/RHSA-2009-1427.html</statement>
  <statement cvename="CVE-2007-4567" organization="Red Hat" lastmodified="2010-01-21" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit a11d206d that introduced the problem.

This upstream commit was backported in Red Hat Enterprise Linux 5 via RHBA-2008:0314. It was reported and addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0019.html</statement>
  <statement cvename="CVE-2007-4568" organization="Red Hat" lastmodified="2007-10-08" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4568

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-4571" organization="Red Hat" lastmodified="2007-10-18" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.</statement>
  <statement cvename="CVE-2007-4573" organization="Red Hat" lastmodified="2007-09-27" contributor="Mark J Cox">This issue affected users who were running 64-bit versions of Red Hat Enterprise Linux 3, 4, or 5 on x86_64 architecture.  It did not affect users of Red Hat Enterprise Linux 2.1. 

Updates are available for Red Hat Enterprise Linux 3, 4, and 5 to correct
this issue.  New kernel packages along with our advisory are available at
the URL below as well as via the Red Hat Network. http://rhn.redhat.com/errata/CVE-2007-4573.html
</statement>
  <statement cvename="CVE-2007-4584" organization="Red Hat" lastmodified="2007-09-24" contributor="Mark J Cox">Not vulnerable. This issue did not affect the version of IrcII as shipped with Red Hat Enterprise Linux 2.1.  IrcII was not shipped in Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-4596" organization="Mandriva" lastmodified="2007-09-21" contributor="Vincent Danen">Due to the nature of safe_mode and open_basedir restrictions, and in alignment with the PHP group’s stance on these features, Mandriva does not consider this a security issue.</statement>
  <statement cvename="CVE-2007-4599" organization="Red Hat" lastmodified="2007-11-01" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary.</statement>
  <statement cvename="CVE-2007-4601" organization="Red Hat" lastmodified="2007-08-31" contributor="Mark J Cox">Not vulnerable. This issue was specific to a patch from Debian project and did not affect versions of tcp_wrappers packages as shipped with Red Hat Enterprise Linux.
</statement>
  <statement cvename="CVE-2007-4652" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">Due to the nature of safe_mode and open_basedir restrictions, and in alignment with the PHP group’s stance on these features, Mandriva does not consider this a security issue.</statement>
  <statement cvename="CVE-2007-4652" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-4657" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">The only effect of this bug is to cause the process to read from a random segment of memory, if a large &quot;length&quot; parameter is passed to the strspn/strcspn function, which is under the control of the script author.  This bug has no security impact.
</statement>
  <statement cvename="CVE-2007-4658" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1.</statement>
  <statement cvename="CVE-2007-4659" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Application Stack v1.</statement>
  <statement cvename="CVE-2007-4660" organization="Red Hat" lastmodified="2010-01-29" contributor="Tomas Hoger">Not vulnerable. Red Hat did not include an incomplete fix for CVE-2007-2872 for PHP in Red Hat Enterprise Linux or Red Hat Application Stack.

For more details, see: https://bugzilla.redhat.com/show_bug.cgi?id=278161#c5</statement>
  <statement cvename="CVE-2007-4661" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">Not vulnerable. Mandriva has not issued an update to date to fix CVE-2007-2872 and the updates in progress are using a correct fix.</statement>
  <statement cvename="CVE-2007-4661" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">Not vulnerable.  Red Hat did not include an incomplete fix for CVE-2007-2872 for PHP in Red Hat Enterprise Linux or Red Hat Application Stack.</statement>
  <statement cvename="CVE-2007-4662" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">This bug can only be triggered by supplying a non-default openssl.conf configuration file, which is entirely under the control of the script author or server administrator, and hence is not a security issue.
</statement>
  <statement cvename="CVE-2007-4663" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">Due to the nature of safe_mode and open_basedir restrictions, and in alignment with the PHP group’s stance on these features, Mandriva does not consider this a security issue.</statement>
  <statement cvename="CVE-2007-4663" organization="Red Hat" lastmodified="2007-09-05" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-4721" organization="Red Hat" lastmodified="2008-01-04" contributor="Mark J Cox">Duplicate of CVE-2007-6113.</statement>
  <statement cvename="CVE-2007-4724" organization="Apache" lastmodified="2007-09-06" contributor="Mark J Cox">This name is a duplicate of CVE-2006-7196.  This issue was fixed in Apache Tomcat 4.1.32 and 5.5.16.</statement>
  <statement cvename="CVE-2007-4730" organization="Red Hat" lastmodified="2007-09-26" contributor="Joshua Bressers">This flaw was fixed for Red Hat Enterprise Linux 4 in RHSA-2007-0898:
https://rhn.redhat.com/errata/RHSA-2007-0898.html

Red Hat Enterprise Linux 5 is not affected by this flaw.  More information can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=285991

Red Hat Enterprise Linux 2.1 and 3 do not support the composite extension and are not vulnerable to this flaw.</statement>
  <statement cvename="CVE-2007-4752" organization="Red Hat" lastmodified="2008-08-28" contributor="Mark J Cox">This issue did not affect the OpenSSH packages as distributed with Red Hat Enterprise Linux 2.1 or 3, as they do not support Trusted X11 forwarding.

For Red Hat Enterprise Linux 4 and 5, this issue was addressed via: https://rhn.redhat.com/errata/RHSA-2008-0855.html
</statement>
  <statement cvename="CVE-2007-4782" organization="Red Hat" lastmodified="2007-09-12" contributor="Joshua Bressers">We do not consider this to be a security issue. For more information please see
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-4783" organization="Red Hat" lastmodified="2007-09-12" contributor="Joshua Bressers">We do not consider this to be a security issue. For more information please see
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2007-4784" organization="Red Hat" lastmodified="2007-09-12" contributor="Joshua Bressers">We do not consider this to be a security issue. For more information please see
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2007-4825" organization="Red Hat" lastmodified="2007-09-12" contributor="Joshua Bressers">We do not consider this to be a security issue. For more information please see
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2007-4826" organization="Red Hat" lastmodified="2007-09-18" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=285691

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-4840" organization="Red Hat" lastmodified="2007-09-13" contributor="Joshua Bressers">We do not consider this to be a security issue. For more information please see
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2007-4841" organization="Red Hat" lastmodified="2007-09-13" contributor="Joshua Bressers">Not vulnerable.  This flaw does not affect the Linux version of Firefox.</statement>
  <statement cvename="CVE-2007-4849" organization="Red Hat" lastmodified="2007-10-10" contributor="Mark J Cox">Not vulnerable.  There is no support for jffs2 in the Linux kernel as distributed with Red Hat Enterprise Linux 2.1 or 3.  There is no ACL support for jffs2 in the Linux kernel as distributed with Red Hat Enterprise Linux 4 or 5.</statement>
  <statement cvename="CVE-2007-4850" organization="Red Hat" lastmodified="2009-09-30" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-4887" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">Because the argument passed to the dl() function is always under the control of the author, Mandriva does not consider this a security issue.</statement>
  <statement cvename="CVE-2007-4887" organization="Red Hat" lastmodified="2007-09-14" contributor="Mark J Cox">The argument passed to the dl() function must always be under the control of the script author.  We therefore do not consider this to be a security issue.
</statement>
  <statement cvename="CVE-2007-4889" organization="Mandriva" lastmodified="2007-09-18" contributor="Vincent Danen">Due to the nature of safe_mode and open_basedir restrictions, and in alignment with the PHP group’s stance on these features, Mandriva does not consider this a security issue.</statement>
  <statement cvename="CVE-2007-4889" organization="Red Hat" lastmodified="2007-09-14" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2007-4904" organization="Red Hat" lastmodified="2007-09-18" contributor="Mark J Cox">We do not consider a crash of a client application such as RealPlayer or Helix Player to be a security issue.</statement>
  <statement cvename="CVE-2007-4965" organization="Red Hat" lastmodified="2007-10-15" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=295971

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2007-4987" organization="Red Hat" lastmodified="2007-12-05" contributor="Mark J Cox">Note: As the address of the overwritten byte is not under attacker’s control, the worst impact this bug could have is an application crash. It can not be exploited to execute arbitrary code.</statement>
  <statement cvename="CVE-2007-4990" organization="Red Hat" lastmodified="2007-10-08" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4990

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-4995" organization="Red Hat" lastmodified="2007-10-24" contributor="Mark J Cox">This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.  An update to correct this issue for Enterprise Linux 5 is available.
http://rhn.redhat.com/cve/CVE-2007-4995.html

Please note that the CVE description is incorrect, this issue did not affect upstream versions of OpenSSL prior to 0.9.8.</statement>
  <statement cvename="CVE-2007-4996" organization="Red Hat" lastmodified="2007-10-04" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of Pidgin or Gaim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-4998" organization="Red Hat" lastmodified="2008-02-12" contributor="Joshua Bressers">This issue affects the busybox package in Red Hat Enterprise Linux 2.1, 3, 4, and 5.

This issue affects the fileutils package in Red Hat Enterprise Linux 2.1.

This issue affects the coreutils package in Red Hat Enterprise Linux 3.

The coreutils package in Red Hat Enterprise Linux 4 and 5 is not vulnerable to this issue.

Given this issue has minimal risk we do not intend to issue updates to correct this issue in affected versions of Red Hat Enterprise Linux.

For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=356471</statement>
  <statement cvename="CVE-2007-4999" organization="Red Hat" lastmodified="2007-11-01" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Pidgin or Gaim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-5000" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.8, 2.0.63, and 1.3.41:
http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2007-5007" organization="Red Hat" lastmodified="2008-01-09" contributor="Mark J Cox">Not vulnerable. This issue did not affect the version of balsa as shipped with Red Hat Enterprise Linux 2.1.</statement>
  <statement cvename="CVE-2007-5020" organization="Red Hat" lastmodified="2007-10-08" contributor="Mark J Cox">According to Adobe this issue affects only the Windows platform and therefore does not affect Adobe Acrobat Reader as distributed with Red Hat Enterprise Linux Extras.
http://www.adobe.com/support/security/advisories/apsa07-04.html
</statement>
  <statement cvename="CVE-2007-5045" organization="Red Hat" lastmodified="2007-10-04" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of Firefox as shipped with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2007-5079" organization="Red Hat" lastmodified="2010-08-26" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181302

An update has been released which resolves this issue:
http://rhn.redhat.com/errata/RHSA-2010-0657.html</statement>
  <statement cvename="CVE-2007-5080" organization="Red Hat" lastmodified="2007-11-01" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary.</statement>
  <statement cvename="CVE-2007-5081" organization="Red Hat" lastmodified="2007-11-01" contributor="Mark J Cox">This issue was fixed in RealPlayer for Red Hat Enterprise Linux 3 Extras, 4 Extras, 5 Supplementary by RHSA-2007:0841 on 17th August 2007:
http://rhn.redhat.com/errata/RHSA-2007-0841.html

(Our original advisory did not mention this issue was fixed as the details of the issue were not made public by RealNetworks until 25th October 2007)</statement>
  <statement cvename="CVE-2007-5087" organization="Red Hat" lastmodified="2007-09-28" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-5137" organization="Red Hat" lastmodified="2007-10-09" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5137

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-5191" organization="Red Hat" lastmodified="2009-06-01" contributor="Mark J Cox">Updates are available to address this issue:
https://rhn.redhat.com/errata/RHSA-2007-0969.html</statement>
  <statement cvename="CVE-2007-5236" organization="Red Hat" lastmodified="2007-10-08" contributor="Mark J Cox">Not vulnerable. These issues do not affect Linux versions of Sun JDK or JRE.</statement>
  <statement cvename="CVE-2007-5237" organization="Red Hat" lastmodified="2007-10-08" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of Sun JDK as shipped with Red Hat Enterprise Linux Extras 4 or 5.</statement>
  <statement cvename="CVE-2007-5266" organization="Red Hat" lastmodified="2007-10-16" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of libpng and libpng10 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-5267" organization="Red Hat" lastmodified="2007-10-16" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of libpng and libpng10 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-5268" organization="Red Hat" lastmodified="2007-10-16" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of libpng and libpng10 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-5320" organization="Pegasus Imaging Corp." lastmodified="2007-11-08" contributor="">Pegasus Imaging acknowledges these issues as affecting our controls in the same way that they affect any ActiveX control that allows files to be saved to absolute directory paths.  We’re working on reducing the vulnerabilities of these issues and will publish additional information when available at www.pegasusimaging.com/faq.htm.  In the meantime we recommend that users follow the Microsoft guidelines for reducing the vulnerability by increasing their browser security settings for ActiveX controls.</statement>
  <statement cvename="CVE-2007-5333" organization="Red Hat" lastmodified="2008-04-24" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5333

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-5360" organization="Red Hat" lastmodified="2008-01-09" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of tog-pegasus as shipped with Red Hat Enterprise Linux 4, or 5.  For more details see
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360</statement>
  <statement cvename="CVE-2007-5377" organization="Red Hat" lastmodified="2007-10-17" contributor="Mark J Cox">Not vulnerable.  Red Hat Enterprise Linux 2.1, 3, and 4 did not include the Tramp extension with Emacs.  The version of Tramp included with Emacs in Red Hat Enterprise Linux 5 was not vulnerable to this issue.
</statement>
  <statement cvename="CVE-2007-5378" organization="Red Hat" lastmodified="2007-10-16" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5378

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-5424" organization="Red Hat" lastmodified="2007-10-16" contributor="Mark J Cox">Red Hat does not consider this to be a security issue. The function behaves as documented. Furthermore, the function shouldn’t be considered a security feature, for reasons described at https://bugzilla.redhat.com/show_bug.cgi?id=332451#c3 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2007-5471" organization="Red Hat" lastmodified="2007-10-23" contributor="Mark J Cox">Not vulnerable. The versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 do not support GSS-TSIG and are not linked with libgssapi library.</statement>
  <statement cvename="CVE-2007-5501" organization="Red Hat" lastmodified="2007-11-20" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-5502" organization="Red Hat" lastmodified="2007-12-03" contributor="Mark J Cox">Not vulnerable. This vulnerability only affected the OpenSSL FIPS Object Module which is not enabled or used by OpenSSL in Red Hat Enterprise Linux 2.1, 3, 4, or 5.
</statement>
  <statement cvename="CVE-2007-5601" organization="Red Hat" lastmodified="2007-10-23" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 and 4 Extras or with Red Hat Enterprise Linux 5 Supplementary.</statement>
  <statement cvename="CVE-2007-5653" organization="Red Hat" lastmodified="2007-10-24" contributor="Mark J Cox">Not vulnerable. These issues did not affect PHP on Linux.</statement>
  <statement cvename="CVE-2007-5708" organization="Red Hat" lastmodified="2007-11-01" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of OpenLDAP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-5729" organization="Red Hat" lastmodified="2007-11-02" contributor="Mark J Cox">Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2007-5730" organization="Red Hat" lastmodified="2007-11-02" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5729

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-5741" organization="Red Hat" lastmodified="2007-11-08" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of plone included in conga/luci packages as shipped with Red Hat Enterprise Linux 5 or Red Hat Cluster Suite for Red Hat Enterprise Linux 4.</statement>
  <statement cvename="CVE-2007-5769" organization="Red Hat" lastmodified="2007-12-07" contributor="Mark J Cox">Red Hat does not consider a user assisted client crash such as this to be a
security flaw.</statement>
  <statement cvename="CVE-2007-5795" organization="Red Hat" lastmodified="2007-11-09" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of Emacs as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-5797" organization="Red Hat" lastmodified="2007-11-06" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of geronimo-specs packages as shipped with Red Hat Enterprise Linux 5, Red Hat Application Stack, Red Hat Application Server, Red Hat Directory Server and Red Hat Certificate System, as the geronimo-specs package only contains the specification of the Apache Geronimo Server’s services and interfaces and not the vulnerable J2EE server classes.</statement>
  <statement cvename="CVE-2007-5848" organization="Red Hat" lastmodified="2008-01-02" contributor="Joshua Bressers">Not vulnerable.

After a detailed analysis of this flaw, it has been determined that it is not exploitable on Red Hat Enterprise Linux 3, 4, or 5.  For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=415141</statement>
  <statement cvename="CVE-2007-5849" organization="Red Hat" lastmodified="2008-01-02" contributor="Joshua Bressers">Not vulnerable.

This flaw does not affect the version of CUPS shipped in Red Hat Enterprise Linux 3 or 4.

After a detailed analysis of this flaw, it has been determined it does not pose a security threat on Red Hat Enterprise Linux 5.  For more details regarding this analysis, please see:
https://bugzilla.redhat.com/show_bug.cgi?id=415131</statement>
  <statement cvename="CVE-2007-5894" organization="Red Hat" lastmodified="2007-12-14" contributor="Mark J Cox">This issue is not a vulnerability, for more information see http://marc.info/?m=119743235325151</statement>
  <statement cvename="CVE-2007-5896" organization="Red Hat" lastmodified="2007-11-19" contributor="Joshua Bressers">Red Hat does not consider this flaw a security issue. This flaw is not exploitable and can only cause a client to stop responding or crash.</statement>
  <statement cvename="CVE-2007-5898" organization="Red Hat" lastmodified="2008-08-07" contributor="Mark J Cox">This issue was fixed in all affected PHP versions shipped in Red Hat products.  For list of security advisories, visit: https://rhn.redhat.com/errata/CVE-2007-5898.html</statement>
  <statement cvename="CVE-2007-5900" organization="Red Hat" lastmodified="2007-11-21" contributor="Mark J Cox">The PHP interpreter does not offer a reliable &quot;sandboxed&quot; security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.</statement>
  <statement cvename="CVE-2007-5901" organization="Red Hat" lastmodified="2007-12-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5901

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-5902" organization="Red Hat" lastmodified="2007-12-14" contributor="Mark J Cox">This issue is not a practical vulnerability, for more information see http://marc.info/?m=119743235325151

</statement>
  <statement cvename="CVE-2007-5935" organization="Red Hat" lastmodified="2010-05-07" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5935

This issue has been addressed in RHSA-2010:0399 and RHSA-2010:0401.</statement>
  <statement cvename="CVE-2007-5936" organization="Red Hat" lastmodified="2010-05-06" contributor="Mark J Cox">Not vulnerable.

teTeX is packaged without the dviljk binary in Red Hat Enterprise Linux, making it impossible to exploit this flaw. We are however including this fix in RHSA-2010:0399, RHSA-2010:0400, and RHSA-2010:0401 in the event the binary is shipped in the future.</statement>
  <statement cvename="CVE-2007-5937" organization="Red Hat" lastmodified="2010-05-06" contributor="Mark J Cox">Not vulnerable.

teTeX is packaged without the dviljk binary in Red Hat Enterprise Linux, making it impossible to exploit this flaw. We are however including this fix in RHSA-2010:0399, RHSA-2010:0400, and RHSA-2010:0401 in the event the binary is shipped in the future.</statement>
  <statement cvename="CVE-2007-5963" organization="Red Hat" lastmodified="2010-03-05" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5963

The Red Hat Security Response Team has rated this issue as having low security impact, at this time Red Hat does not intend to address this flaw in a future update.</statement>
  <statement cvename="CVE-2007-5965" organization="Red Hat" lastmodified="2008-01-08" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of qt or qt4 packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-5966" organization="Red Hat" lastmodified="2009-08-05" contributor="Mark J Cox">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, and 4.

It was addressed in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1193.html, and https://rhn.redhat.com/errata/RHSA-2008-0585.html respectively.</statement>
  <statement cvename="CVE-2007-5970" organization="Red Hat" lastmodified="2008-01-09" contributor="Mark J Cox">Not vulnerable.  This issue did not affect the mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as the versions shipped do not support table partitioning. The partitioning feature was introduced in development MySQL version 5.1.</statement>
  <statement cvename="CVE-2007-5971" organization="Red Hat" lastmodified="2007-12-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5971

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  See
http://marc.info/?m=119743235325151
</statement>
  <statement cvename="CVE-2007-5972" organization="Red Hat" lastmodified="2007-12-14" contributor="Mark J Cox">This issue is not a vulnerability, for more information see http://marc.info/?m=119743235325151
</statement>
  <statement cvename="CVE-2007-6025" organization="Red Hat" lastmodified="2007-11-20" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 4 and 5.</statement>
  <statement cvename="CVE-2007-6039" organization="Red Hat" lastmodified="2007-12-06" contributor="Mark J Cox">Red Hat doesn’t consider this a security issue. The arguments to the functions in question should always be under the control of the script author, rather than untrusted script input, so these issues would not be treated as security-sensitive.</statement>
  <statement cvename="CVE-2007-6109" organization="Red Hat" lastmodified="2007-12-11" contributor="Mark J Cox">Red Hat does not consider this issue to be a security vulnerability since no trust boundary is crossed. The user must voluntarily interact with the attack mechanism to exploit this flaw, with the result being the ability to run code as themselves.</statement>
  <statement cvename="CVE-2007-6113" organization="Red Hat" lastmodified="2008-01-04" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6113

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-6199" organization="Red Hat" lastmodified="2007-12-06" contributor="Mark J Cox">Red Hat does not consider this to be a security issue. Versions of rsync as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5 behave as expected and that behavior was well documented.</statement>
  <statement cvename="CVE-2007-6200" organization="Red Hat" lastmodified="2007-12-06" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6200

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2007-6203" organization="Apache" lastmodified="2008-06-09" contributor="Mark J Cox">The Apache Software Foundation security team  does not consider this issue to be a security vulnerability. In order to exploit this for cross-site scripting, the attacker would have to get the victim to supply an arbitrary malformed HTTP method to a target site.</statement>
  <statement cvename="CVE-2007-6203" organization="Red Hat" lastmodified="2007-12-06" contributor="Mark J Cox">Red Hat does not consider this issue to be a vulnerability.  In order to exploit this for cross-site scripting, the attacker would have to get the victim to supply an arbitrary malformed HTTP method to a target site.</statement>
  <statement cvename="CVE-2007-6209" organization="Red Hat" lastmodified="2007-12-04" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of the zsh package as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-6227" organization="Red Hat" lastmodified="2007-12-11" contributor="Mark J Cox">Xen and KVM, as shipped with Red Hat Enterprise Linux 5 by default use only peripheral device emulation of QEMU and are therefore not vulnerable to this issue.</statement>
  <statement cvename="CVE-2007-6278" organization="Red Hat" lastmodified="2007-12-11" contributor="Mark J Cox">Red Hat does not consider this a security issue. The downloading of arbitrary files will be harmless unless there is a vulnerability in the application handling these other filetypes.
</statement>
  <statement cvename="CVE-2007-6279" organization="Red Hat" lastmodified="2007-12-11" contributor="Mark J Cox">This flaw is not exploitable to run arbitrary code and can only cause an application crash. Red Hat does not consider a crash of the flac application or applications that use flac libraries such as media players to be a security issue.</statement>
  <statement cvename="CVE-2007-6283" organization="Red Hat" lastmodified="2008-05-21" contributor="Mark J Cox">An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0300.html</statement>
  <statement cvename="CVE-2007-6286" organization="Red Hat" lastmodified="2008-04-17" contributor="Joshua Bressers">Not Vulnerable.  Red Hat does not ship a version of Apache Tomcat that enables the native APR connector.</statement>
  <statement cvename="CVE-2007-6303" organization="Red Hat" lastmodified="2008-01-09" contributor="Mark J Cox">This issue did not affect the mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5.

This issue affected the mysql packages as shipped in Red Hat Application Stack v1 and v2 and was addressed by RHSA-2007:1157:
http://rhn.redhat.com/errata/RHSA-2007-1157.html</statement>
  <statement cvename="CVE-2007-6304" organization="Red Hat" lastmodified="2007-12-14" contributor="Mark J Cox">Not vulnerable. The MySQL versions as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 do not support federated storage engine. The MySQL package as shipped in Red Hat Enterprise Linux 5, Red Hat Application Stack v1, and Red Hat Application Stack v2 are not compiled with support for federated storage engine.</statement>
  <statement cvename="CVE-2007-6313" organization="Red Hat" lastmodified="2008-02-20" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2007-6341" organization="Red Hat" lastmodified="2008-01-07" contributor="Joshua Bressers">Red Hat does not consider this flaw to be a security issue. For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=426437</statement>
  <statement cvename="CVE-2007-6348" organization="Red Hat" lastmodified="2007-12-17" contributor="Mark J Cox">The versions of SquirrelMail packages shipped in Red Hat Enterprise Linux 3, 4, and 5 were not affected by this issue.  In addition, the Red Hat Security Response Team have verified that the malicious code is not part of released Red Hat Enterprise Linux squirrelmail packages.
</statement>
  <statement cvename="CVE-2007-6358" organization="Red Hat" lastmodified="2007-12-18" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux versions 2.1, 3, 4 and 5 do not ship with the alternate pdftops.pl CUPS printing filter that is affected by this flaw.</statement>
  <statement cvename="CVE-2007-6388" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.8, 2.0.63 and 1.3.41:
http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html</statement>
  <statement cvename="CVE-2007-6417" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0885.html</statement>
  <statement cvename="CVE-2007-6420" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.9.  http://httpd.apache.org/security/vulnerabilities_22.html</statement>
  <statement cvename="CVE-2007-6420" organization="Mandriva" lastmodified="2008-03-12" contributor="Vincent Danen">Mandriva ships mod_proxy_balancer but will not be issuing updates to correct this flaw as the security risk is quite low due to the fact that it is not enabled by default, the at-risk user would have to be authenticated, and successful exploitation would be limited to a denial of service on the web server.</statement>
  <statement cvename="CVE-2007-6420" organization="Red Hat" lastmodified="2008-01-24" contributor="Mark J Cox">mod_proxy_balancer is shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack v2.  We do not plan on correcting this issue as it poses a very low security risk:  The balancer manager is not enabled by default, the user targeted by the CSRF would need to be authenticated, and the consequences of an exploit would be limited to a web server denial of service.
</statement>
  <statement cvename="CVE-2007-6421" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.8.  http://httpd.apache.org/security/vulnerabilities_22.html</statement>
  <statement cvename="CVE-2007-6422" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.8.  http://httpd.apache.org/security/vulnerabilities_22.html</statement>
  <statement cvename="CVE-2007-6423" organization="Red Hat" lastmodified="2008-01-24" contributor="Mark J Cox">mod_proxy_balancer is included in the version of Apache HTTP Server as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack v2.  Red Hat was unable to reproduce this issue.</statement>
  <statement cvename="CVE-2007-6434" organization="Red Hat" lastmodified="2008-09-02" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2007-6514" organization="Red Hat" lastmodified="2008-01-09" contributor="Mark J Cox">Old versions of the Linux 2.4 kernel allowed the lookup of names containing backslashes over smbfs -- so there were multiple names which would reference any particular file, allowing the bypass of Apache controls such as AddType.  

Not vulnerable.  This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, or 5.  This issue was corrected with a backported patch for Red Hat Enterprise Linux 2.1 by RHSA-2007:0672.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6514</statement>
  <statement cvename="CVE-2007-6591" organization="Red Hat" lastmodified="2008-01-10" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6591

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/#low</statement>
  <statement cvename="CVE-2007-6598" organization="Red Hat" lastmodified="2008-05-21" contributor="Joshua Bressers">This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux before version 5.  An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0297.html
</statement>
  <statement cvename="CVE-2007-6715" organization="Red Hat" lastmodified="2008-04-22" contributor="Joshua Bressers">Red Hat does not consider this flaw a security issue. This flaw is not exploitable beyond causing the web browser to crash.</statement>
  <statement cvename="CVE-2007-6720" organization="Red Hat" lastmodified="2009-01-21" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6720

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw. More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2007-6728" organization="XMB_Forum" lastmodified="2021-04-19" contributor="Robert Chapin">As noted in https://docs.xmbforum2.com/index.php?title=Security_Issue_History XMB versions 1.9.1 and later were checked and are not vulnerable. Upgrades are available at https://www.xmbforum2.com/</statement>
  <statement cvename="CVE-2008-0005" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.8 and 2.0.63:
http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html</statement>
  <statement cvename="CVE-2008-0009" organization="Red Hat" lastmodified="2008-02-13" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-0010" organization="Red Hat" lastmodified="2008-02-13" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-0053" organization="Red Hat" lastmodified="2008-05-15" contributor="Mark J Cox">NVD clarification:

To exploit this flaw an attacker needs to print a malicious file through the vulnerable filter (either themselves or by convincing a victim to do so), it should therefore be AC:M

In CUPS, print filters run as an unprivileged user not superuser (root), therefore this should be scored C:P, I:P, A:P</statement>
  <statement cvename="CVE-2008-0122" organization="Red Hat" lastmodified="2008-05-21" contributor="Mark J Cox">This issue did not affect the versions of GNU libc as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

This issue affects the versions of libbind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5, however the vulnerable function is not used by any shipped applications.  The Red Hat Security Response Team has therefore rated this issue as having low security impact, a future update may address this flaw. 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0122

An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0300.html</statement>
  <statement cvename="CVE-2008-0145" organization="Red Hat" lastmodified="2008-01-10" contributor="Joshua Bressers">Red Hat does not consider this to be a security issue. Regression introduced breaks glob() functionality, but does not bypass security restrictions.

Furthermore, "open_basedir" bypass issues are not treated as security sensitive as described at https://bugzilla.redhat.com/show_bug.cgi?id=169857#c1 and
http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2008-0163" organization="Red Hat" lastmodified="2008-02-14" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-0166" organization="Red Hat" lastmodified="2008-05-13" contributor="Mark J Cox">Not vulnerable.  This flaw was caused by a third-party vendor patch to the OpenSSL library.  This patch has never been used by Red Hat, and this issue therefore does not affect any Fedora, Red Hat, or upstream supplied OpenSSL packages.</statement>
  <statement cvename="CVE-2008-0171" organization="Red Hat" lastmodified="2008-05-12" contributor="Mark J Cox">This issue did not affect the version of boost as shipped with Red Hat Enterprise Linux 4.

For Red Hat Enterprise Linux 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0171

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2008-0172" organization="Red Hat" lastmodified="2008-05-12" contributor="Mark J Cox">This issue did not affect the version of boost as shipped with Red Hat Enterprise Linux 4.

For Red Hat Enterprise Linux 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0172

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2008-0226" organization="Red Hat" lastmodified="2008-01-11" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support.</statement>
  <statement cvename="CVE-2008-0227" organization="Red Hat" lastmodified="2008-01-11" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support.</statement>
  <statement cvename="CVE-2008-0352" organization="Red Hat" lastmodified="2008-01-21" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-0414" organization="Red Hat" lastmodified="2008-02-12" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0414

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update will address this flaw.
More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-0455" organization="Red Hat" lastmodified="2008-01-25" contributor="Mark J Cox">We do not consider this issue to be security sensitive. Untrusted users should not be permitted to upload files to the directories from where they can be directly served by the web server without prior careful sanitation of both contents and filename.</statement>
  <statement cvename="CVE-2008-0456" organization="Red Hat" lastmodified="2008-01-25" contributor="Mark J Cox">We do not consider this issue to be security sensitive. Untrusted users should not be permitted to upload files to the directories from where they can be directly served by the web server without prior careful sanitation of both contents and filename.</statement>
  <statement cvename="CVE-2008-0495" organization="Red Hat" lastmodified="2008-02-08" contributor="Mark J Cox">We believe this issue is a duplicate of CVE-2007-5360.  Not vulnerable. This issue did not affect versions of tog-pegasus as shipped with Red Hat Enterprise Linux 4, or 5. For more details see
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360</statement>
  <statement cvename="CVE-2008-0564" organization="Red Hat" lastmodified="2008-03-07" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=431526

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2008-0594" organization="Red Hat" lastmodified="2008-02-12" contributor="Joshua Bressers">Not vulnerable.

This does not affect the versions of Firefox or SeaMonkey shipped in Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2008-0599" organization="Red Hat" lastmodified="2008-08-07" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, and Red Hat Application Stack v1.

For Red Hat Application Stack v2, issue was addressed via: https://rhn.redhat.com/errata/RHSA-2008-0505.html</statement>
  <statement cvename="CVE-2008-0600" organization="Red Hat" lastmodified="2008-02-13" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4.  Updated kernel packages are available to correct this issue for Red Hat Enterprise Linux 5:
https://rhn.redhat.com/errata/RHSA-2008-0129.html</statement>
  <statement cvename="CVE-2008-0636" organization="Level Platforms" lastmodified="2008-02-14" contributor="">Level Platforms clarifies that this issue is an Exposure and not a Vulnerability with Managed Workplace 6.0 Service Pack 2. 

The Exposure is of non-sensitive information as defined by commonly accepted security standards. I.E. The definition of the term “sensitive” is limited to designate all those types and forms of information that, by law or regulation, require some form of protection but are outside the formal system for classifying national security information. Managed Workplace is not used by customers to process classified information and this Exposure does not reveal non-classified sensitive information. 

The Exposure is eliminated in Managed Workplace 6.0 Service Pack 3. This Service Pack is currently in Beta and will be generally available within the next 20 days. 
</statement>
  <statement cvename="CVE-2008-0674" organization="Red Hat" lastmodified="2008-02-20" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of PCRE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-0758" organization="Group Logic" lastmodified="2008-02-21" contributor="">Group Logic has fixed this issue in the ExtremeZ-IP 5.1.3x03 hotfix released on February 20, 2008. The update is free for all customers with active service contracts who own a version 5.x license and can be downloaded from http://www.grouplogic.com/files/ez/hot/hotFix51.cfm</statement>
  <statement cvename="CVE-2008-0759" organization="Group Logic" lastmodified="2008-02-21" contributor="">Group Logic has fixed this issue in the ExtremeZ-IP 5.1.3x03 hotfix released on February 20, 2008. The update is free for all customers with active service contracts who own a version 5.x license and can be downloaded from http://www.grouplogic.com/files/ez/hot/hotFix51.cfm</statement>
  <statement cvename="CVE-2008-0766" organization="Brooks Internet Software, Inc." lastmodified="2008-02-15" contributor="">RPM Remote Print Manager version 4.5.1.12 resolves the issue found in this security advisory. The latest software can be downloaded from http://lpd.brooksnet.com.</statement>
  <statement cvename="CVE-2008-0767" organization="Group Logic" lastmodified="2008-02-21" contributor="">Group Logic has fixed this issue in the ExtremeZ-IP 5.1.3x03 hotfix released on February 20, 2008. The update is free for all customers with active service contracts who own a version 5.x license and can be downloaded from http://www.grouplogic.com/files/ez/hot/hotFix51.cfm</statement>
  <statement cvename="CVE-2008-0883" organization="Red Hat" lastmodified="2008-03-06" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0883

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2008-0891" organization="Red Hat" lastmodified="2008-05-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-0973" organization="Double-Take" lastmodified="2009-05-08" contributor="">This issue was fixed in version 5.1 which was released July 11, 2008</statement>
  <statement cvename="CVE-2008-0974" organization="Double-Take" lastmodified="2009-05-08" contributor="">This issue was fixed in version 5.1 which was released July 11, 2008</statement>
  <statement cvename="CVE-2008-0975" organization="Double-Take" lastmodified="2009-05-08" contributor="">This issue was fixed in version 5.1 which was released July 11, 2008</statement>
  <statement cvename="CVE-2008-0976" organization="Double-Take" lastmodified="2009-05-08" contributor="">This issue was fixed in version 5.1 which was released July 11, 2008
</statement>
  <statement cvename="CVE-2008-0977" organization="Double-Take" lastmodified="2009-05-08" contributor="">This issue was fixed in version 5.1 which was released July 11, 2008</statement>
  <statement cvename="CVE-2008-0978" organization="Double-Take" lastmodified="2009-06-12" contributor="Double-Take">These findings indicate risk only in a situation where a customer’s network security infrastructure has been breached. Double-Take is committed to continually improving the security of our products, and these findings will be addressed in a future release.</statement>
  <statement cvename="CVE-2008-0979" organization="Double-Take" lastmodified="2009-05-08" contributor="">This issue was fixed in version 5.1 which was released July 11, 2008</statement>
  <statement cvename="CVE-2008-0992" organization="Red Hat" lastmodified="2008-03-20" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of pax as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
</statement>
  <statement cvename="CVE-2008-1026" organization="Red Hat" lastmodified="2008-04-24" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of pcre as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1033" organization="Red Hat" lastmodified="2008-06-03" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of cups as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1070" organization="Red Hat" lastmodified="2008-10-17" contributor="Tomas Hoger">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-1071" organization="Red Hat" lastmodified="2008-10-17" contributor="Mark J Cox">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-1072" organization="Red Hat" lastmodified="2008-10-17" contributor="Mark J Cox">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-1078" organization="Red Hat" lastmodified="2008-03-04" contributor="Joshua Bressers">The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux.

For more information please see the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=435420</statement>
  <statement cvename="CVE-2008-1142" organization="Red Hat" lastmodified="2008-04-14" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1142

This issue does not affect Red Hat Enterprise Linux 3, 4, or 5.

The Red Hat Security Response Team has rated this issue as having low security impact.  Due to the minimal security consequences of this issue, we do not intend to fix this in Red Hat Enterprise Linux 2.1.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-1145" organization="Red Hat" lastmodified="2008-12-04" contributor="Mark J Cox">This issue was addressed in affected versions of Ruby as shipped in Red Hat Enterprise Linux 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2008-0897.html</statement>
  <statement cvename="CVE-2008-1198" organization="Red Hat" lastmodified="2008-03-07" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1198

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2008-1199" organization="Red Hat" lastmodified="2008-05-21" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199

This issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. 

An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0297.html
</statement>
  <statement cvename="CVE-2008-1218" organization="Red Hat" lastmodified="2008-03-12" contributor="Joshua Bressers">Not vulnerable. This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux 4 or 5.</statement>
  <statement cvename="CVE-2008-1294" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0612.html</statement>
  <statement cvename="CVE-2008-1309" organization="Red Hat" lastmodified="2008-03-18" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary.</statement>
  <statement cvename="CVE-2008-1364" organization="Red Hat" lastmodified="2008-06-03" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of dhcp as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
</statement>
  <statement cvename="CVE-2008-1372" organization="Red Hat" lastmodified="2008-10-17" contributor="Joshua Bressers">Red Hat has re-evaluated the potential impact of this flaw and has released an update which corrects this behavior:
http://rhn.redhat.com/errata/RHSA-2008-0893.html</statement>
  <statement cvename="CVE-2008-1382" organization="Red Hat" lastmodified="2009-03-04" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1382

This issue does not affect the version of libpng as shipped with Red Hat Enterprise Linux 3.

Updates for affected versions of Red Hat Enterprise Linux can be found here:
http://rhn.redhat.com/errata/RHSA-2009-0333.html</statement>
  <statement cvename="CVE-2008-1384" organization="Red Hat" lastmodified="2008-03-28" contributor="Mark J Cox">Red Hat do not consider this to be a security vulnerability:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1384</statement>
  <statement cvename="CVE-2008-1391" organization="Red Hat" lastmodified="2009-09-24" contributor="Tomas Hoger">Red Hat does not consider this to be a security issue. A properly written application should not use arbitrary untrusted data as part of the format string passed to functions such as strfmon or printf family functions.</statement>
  <statement cvename="CVE-2008-1447" organization="Red Hat" lastmodified="2008-07-09" contributor="Mark J Cox">http://rhn.redhat.com/errata/RHSA-2008-0533.html</statement>
  <statement cvename="CVE-2008-1483" organization="Red Hat" lastmodified="2010-03-19" contributor="Mark J Cox">All openssh versions shipped in Red Hat Enterprise Linux 5 include the patch for this issue.

This issue was fixed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2005-527.html

Red Hat Enterprise Linux 3 is affected by this issue. The Red Hat Security Response Team has rated this issue as having low security
impact. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1483
</statement>
  <statement cvename="CVE-2008-1514" organization="Red Hat" lastmodified="2009-05-19" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 5, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0972.html</statement>
  <statement cvename="CVE-2008-1530" organization="Red Hat" lastmodified="2008-03-28" contributor="Mark J Cox">Not vulnerable. This issue does not affect the versions of gnupg packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 or 5.</statement>
  <statement cvename="CVE-2008-1552" organization="Red Hat" lastmodified="2008-04-23" contributor="Joshua Bressers">Red Hat does not consider this issue to be a security flaw as SILC is not used in a vulnerable manner in Red Hat Enterprise Linux 4 and 5.

More information can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=440049</statement>
  <statement cvename="CVE-2008-1561" organization="Red Hat" lastmodified="2008-10-17" contributor="Mark J Cox">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-1562" organization="Red Hat" lastmodified="2008-10-17" contributor="Mark J Cox">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-1563" organization="Red Hat" lastmodified="2008-10-17" contributor="Mark J Cox">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-1586" organization="Red Hat" lastmodified="2009-01-19" contributor="Joshua Bressers">Red Hat does not consider this libTIFF bug to be a security issue.</statement>
  <statement cvename="CVE-2008-1628" organization="Red Hat" lastmodified="2008-04-04" contributor="Mark J Cox">This issue did not affect the audit packages as shipped with Red Hat Enterprise Linux 4.

Red Hat is not treating this issue as a security vulnerability for Red Hat Enterprise Linux 5 as no application used the affected interface, and the only result is a controlled application termination as the overflow is detected by the FORTIFY_SOURCE protection mechanism.  We plan to address this as non-security bug fix in updated audit packages for Red Hat Enterprise Linux 5.2.

For further details, please see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1628</statement>
  <statement cvename="CVE-2008-1657" organization="Red Hat" lastmodified="2008-04-03" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1661" organization="Double-Take" lastmodified="2009-05-08" contributor="">This issue was fixed in version 5.1 which was released July 11, 2008</statement>
  <statement cvename="CVE-2008-1668" organization="Red Hat" lastmodified="2008-10-13" contributor="Joshua Bressers">Not vulnerable.  This flaw does not affect the version of wu-ftpd as shipped in Red Hat Enterprise Linux 2.1.</statement>
  <statement cvename="CVE-2008-1670" organization="Red Hat" lastmodified="2008-05-01" contributor="Joshua Bressers">Not vulnerable. This issue did not affect versions of KDE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1671" organization="Red Hat" lastmodified="2008-05-01" contributor="Joshua Bressers">Not vulnerable. This issue did not affect versions of KDE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1672" organization="Red Hat" lastmodified="2008-05-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1673" organization="Red Hat" lastmodified="2009-09-08" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2, 3, 4, 5 or Red Hat Enterprise MRG.

The bug existed on Red Hat Enterprise Linux 3, 4, and 5. However, this is only a security issue if the SLOB or SLUB memory allocators were used (introduced in Linux kernel versions 2.6.16 and 2.6.22, respectively). All Red Hat Enterprise Linux and Red Hat Enterprise MRG kernels use the SLAB memory allocator, which in this case, cannot be exploited to allow arbitrary code execution. As a preventive measure, the underlying bug was addressed in Red Hat Enterprise Linux 3, 4, and 5, via the advisories RHSA-2008:0973, RHSA-2008:0508, and RHSA-2008:0519, respectively.</statement>
  <statement cvename="CVE-2008-1675" organization="Red Hat" lastmodified="2008-05-06" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1678" organization="Red Hat" lastmodified="2009-05-28" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of mod_ssl or httpd as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 prior to 5.3.

In Red Hat Enterprise Linux 5.3, OpenSSL packages were rebased to upstream version 0.9.8e via RHBA-2009:0181 (https://rhn.redhat.com/errata/RHBA-2009-0181.html), introducing this problem in Red Hat Enterprise Linux 5.  Updated httpd packages were released via: https://rhn.redhat.com/errata/RHSA-2009-1075.html

</statement>
  <statement cvename="CVE-2008-1679" organization="Red Hat" lastmodified="2008-04-22" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1679

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-1685" organization="Red Hat" lastmodified="2008-07-24" contributor="Joshua Bressers">The Red Hat Security Response Team is aware of this new gcc behavior and is currently working to determine what impact these changes will have on the source code processed by the compiler. These changes do not affect Red Hat Enterprise Linux 2, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1687" organization="Red Hat" lastmodified="2008-04-15" contributor="Joshua Bressers">Red Hat does not consider this to be a security issue.  After careful analysis of this issue the Red Hat Security Response Team has determined that this bug has no security impact outside of expected m4 behavior.</statement>
  <statement cvename="CVE-2008-1688" organization="Red Hat" lastmodified="2008-04-15" contributor="Joshua Bressers">Red Hat does not consider this to be a security issue.  After careful analysis of this issue the Red Hat Security Response Team has determined that this bug has no security impact outside of expected m4 behavior.</statement>
  <statement cvename="CVE-2008-1694" organization="Red Hat" lastmodified="2008-05-01" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1694

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-1720" organization="Red Hat" lastmodified="2008-04-15" contributor="Joshua Bressers">Not vulnerable. This issue did not affect versions of rsync as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1721" organization="Red Hat" lastmodified="2008-04-15" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=442005

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-1802" organization="Red Hat" lastmodified="2008-06-24" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of rdesktop as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-1891" organization="Red Hat" lastmodified="2009-06-10" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1891

The risks associated with fixing this flaw outweigh the benefits of the fix. Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2008-1926" organization="Red Hat" lastmodified="2009-05-18" contributor="Mark J Cox">Red Hat is aware of this issue affecting Red Hat Enterprise Linux 5 and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1926

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. 

This issue has been addressed in Red Hat Enterprise Linux 4 with the following update:
https://rhn.redhat.com/errata/RHSA-2009-0981.html</statement>
  <statement cvename="CVE-2008-2005" organization="Wonderware" lastmodified="2008-05-20" contributor="">Wonderware, a business unit of Invensys, is a pioneer in the secure use of Microsoft Windows software for industrial applications and a leader in the field of Industrial Automation security. Wonderware is also committed to active collaboration and involvement with customers and industry standards authorities to provide secure applications, security best practices, deployment guidelines, tools and prescriptive guidance for maintaining a secure automation environment. 

Recently, a vulnerability was discovered in SuiteLink Version 2.0 which could potentially expose an unsecured automation network to a denial of service attempt. While there is no indication whatsoever of the existence of an exploit for this issue, Wonderware published a Technical Alert describing the issue and released a Patch in April to resolve the problem. 

The vulnerability is closed in SuiteLink Version 2.0 Patch 01 and Wonderware is urging Customers to install the patch as soon as possible. More details can be found in Tech Alert 106 posted on the Wonderware Technical Support website.  Customers who have not yet signed up for access to the Wonderware Technical Support website can register here free of charge to read the Tech Alert and receive the patch. 

For customers on an active support program, Wonderware has also created the Wonderware Security Central Home Page to help our customers with security issues. Here we have posted “Securing Industrial Control Systems”, a security guidance manual describing recommended security protocols for automation enterprises and installations in a Microsoft environment. Customers, System Integrators, and IT professionals who build and maintain automation networks are advised to read and understand the manual, and to apply the design recommendations to their automation environment to mitigate security risks properly for all forms of security threats.  

Wonderware Technical Support is also available to help customers needing advanced security assistance.  More information is available about Wonderware Customer Support Programs by clicking here or by telephone at 1-800-WONDER-1 or by email at support@wonderware.com. 

Wonderware also makes every effort to support Microsoft Security Updates within 15 business days of release.  Information regarding Microsoft Security Update compatibility can be found on the Wonderware Security Central Home Page.   

Wonderware will continue to provide guidance on security issues and to respond responsibly to security issues to serve our customers and to help them protect their operations.</statement>
  <statement cvename="CVE-2008-2025" organization="Red Hat" lastmodified="2009-10-20" contributor="Tomas Hoger">This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as html tag attributes names or values. If user inputs need to be used as part of the tag attributes, the JSP page needs to perform filtering explicitly. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025</statement>
  <statement cvename="CVE-2008-2050" organization="Red Hat" lastmodified="2008-05-22" contributor="Joshua Bressers">This issue does not affect the version of PHP shipped in Red Hat Enterprise Linux 2.1, 3, or 4.

We do not consider this issue to be a security flaw for Red Hat Enterprise Linux 5 since no trust boundary is crossed.  More information can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2050</statement>
  <statement cvename="CVE-2008-2079" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This issue did not affect MySQL as supplied with Red Hat Enterprise Linux 3.

This issue was addressed for Red Hat Enterprise Linux 4, 5, and Red Hat Application Stack v1, v2:
https://rhn.redhat.com/cve/CVE-2008-2079.html
</statement>
  <statement cvename="CVE-2008-2137" organization="Red Hat" lastmodified="2008-07-02" contributor="Mark J Cox">Not vulnerable. Red Hat Enterprise Linux 2.1, 3, 4, and 5 do not ship for the SPARC architecture.</statement>
  <statement cvename="CVE-2008-2168" organization="Apache" lastmodified="2008-05-14" contributor="Mark J Cox">The Apache security team state that this issue is due to web browsers that are violating RFC2616 and is not a flaw in the Apache HTTPD Server.</statement>
  <statement cvename="CVE-2008-2168" organization="Red Hat" lastmodified="2008-05-14" contributor="Mark J Cox">This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. This does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the &quot;AddDefaultCharset&quot; directive.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2168</statement>
  <statement cvename="CVE-2008-2235" organization="Siemens" lastmodified="2008-08-14" contributor="">Siemens has analyzed this report and states that no security breach can be found in the Siemens CardOS M4 itself and it thus does not relate to any Siemens component. The reported vulnerability (caused by inappropriate personalization) is due to an issue in the OPENSC middleware; detailed information can be found under http://www.opensc-project.org/security.html.

Therefore, Siemens recommends all customers and partners using OPENSC to use either the current version 0.11.5 of OPENSC in which this vulnerability is fixed or to use the bug fix suggested under http://freshmeat.net/articles/view/3333/. 

We hope that we could help you with this recommendation. 

If you have further questions, please contact the Siemens CardOS hotline under:

scs-support.med@siemens.com

Phone: +49 89 636 35996 (Mo.-Fr. 9:00-17:00 German time)

</statement>
  <statement cvename="CVE-2008-2310" organization="Red Hat" lastmodified="2008-07-04" contributor="Mark J Cox">Not vulnerable.  This issue does not affect the version of c++filt as shipped with binutils in Red Hat Enterprise Linux 3 or 4.  Although this bug is present in the version of c++filt as shipped with binutils in Red Hat Enterprise Linux 5, the format string protection from FORTIFY_SOURCE makes this unexploitable.</statement>
  <statement cvename="CVE-2008-2316" organization="Red Hat" lastmodified="2008-08-04" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.  Affected module was only introduced upstream in python 2.5.</statement>
  <statement cvename="CVE-2008-2357" organization="Red Hat" lastmodified="2008-06-25" contributor="Mark J Cox">This issue does not affect the versions of mtr as shipped with Red Hat Enterprise Linux 4 or 5.

For Red Hat Enterprise Linux 2.1 and 3, this issue can only be exploited if an attacker can convince victim to use mtr to trace path to or via the IP, for which an attacker controls PTR DNS records. Additionally, the victim must run mtr in &quot;split mode&quot; by providing -p or --split
command line options.  The Red Hat Security Response Team has therefore rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2008-2358" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0519.html</statement>
  <statement cvename="CVE-2008-2363" organization="Red Hat" lastmodified="2008-06-03" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of pan as shipped with Red Hat Enterprise Linux 2.1.  No other versions of Red Hat Enterprise Linux have shipped Pan.</statement>
  <statement cvename="CVE-2008-2364" organization="Apache" lastmodified="2008-07-02" contributor="Mark J Cox">Fixed in Apache HTTP Server 2.2.9.  http://httpd.apache.org/security/vulnerabilities_22.html</statement>
  <statement cvename="CVE-2008-2364" organization="Red Hat" lastmodified="2008-06-26" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2364

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-2371" organization="Red Hat" lastmodified="2008-07-08" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of PCRE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-2377" organization="Red Hat" lastmodified="2008-08-11" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 4, or 5.</statement>
  <statement cvename="CVE-2008-2382" organization="Red Hat" lastmodified="2009-01-05" contributor="Mark J Cox">Not vulnerable. This issue did not affect the version of the Xen package as shipped with Red Hat Enterprise Linux 5.
</statement>
  <statement cvename="CVE-2008-2420" organization="Red Hat" lastmodified="2008-05-26" contributor="Mark J Cox">Not vulnerable. OCSP protocol support was only implemented in upstream stunnel version 4.16.  Therefore OCSP protocol is not available in the versions of stunnel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

</statement>
  <statement cvename="CVE-2008-2476" organization="Red Hat" lastmodified="2017-09-28" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2008-2665" organization="Red Hat" lastmodified="2008-06-26" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2008-2666" organization="Red Hat" lastmodified="2008-06-26" contributor="Mark J Cox">We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php
</statement>
  <statement cvename="CVE-2008-2711" organization="Red Hat" lastmodified="2009-09-09" contributor="Mark J Cox">This issue was addressed in fetchmail packages as shipped in Red Hat Enterprise Linux 3, 4, and 5 via:

https://rhn.redhat.com/errata/RHSA-2009-1427.html</statement>
  <statement cvename="CVE-2008-2719" organization="Red Hat" lastmodified="2008-07-04" contributor="Mark J Cox">Not vulnerable. These issues did not affect the versions of NASM as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-2750" organization="Red Hat" lastmodified="2008-06-23" contributor="Mark J Cox">Not vulnerable. This issue did not affect versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
</statement>
  <statement cvename="CVE-2008-2795" organization="UltraEdit" lastmodified="2012-03-06" contributor="UltraEdit">This issue was resolved and patched on 6/10/2008.</statement>
  <statement cvename="CVE-2008-2827" organization="Red Hat" lastmodified="2008-06-24" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of perl as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, Red Hat Application Stack 1, or Solaris versions of Red Hat Directory Server 7.1 and 8, Certificate System 7.x.</statement>
  <statement cvename="CVE-2008-2829" organization="Red Hat" lastmodified="2008-07-24" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.  For more details see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2829</statement>
  <statement cvename="CVE-2008-2841" organization="Red Hat" lastmodified="2008-07-07" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of XChat as shipped with Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2008-2931" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0885.html</statement>
  <statement cvename="CVE-2008-2934" organization="Red Hat" lastmodified="2008-07-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of firefox as shipped with Red Hat Enterprise Linux 4, or 5.</statement>
  <statement cvename="CVE-2008-2937" organization="Red Hat" lastmodified="2008-08-19" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=456347

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-2939" organization="Red Hat" lastmodified="2008-11-12" contributor="Mark J Cox">This issue was addressed in all affected httpd versions as shipped in Red Hat Enterprise Linux 3, 4, and 5 via: https://rhn.redhat.com/errata/RHSA-2008-0967.html

This issue is tracked via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2939

The Red Hat Security Response Team has rated this issue as having low security impact, future updates may address this flaw in other affected products (such as Red Hat Application Stack).</statement>
  <statement cvename="CVE-2008-2950" organization="Red Hat" lastmodified="2008-07-08" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of poppler as shipped with Red Hat Enterprise Linux 5, or other PDF parsing applications derived from the xpdf code as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-3064" organization="Red Hat" lastmodified="2008-07-31" contributor="Joshua Bressers">According to RealNetworks this flaw does not affect the Linux version of RealPlayer.</statement>
  <statement cvename="CVE-2008-3066" organization="Red Hat" lastmodified="2008-07-31" contributor="Joshua Bressers">According to RealNetworks this issue does not affect the Linux version of RealPlayer.</statement>
  <statement cvename="CVE-2008-3067" organization="Red Hat" lastmodified="2008-07-08" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of sudo as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-3076" organization="Red Hat" lastmodified="2009-02-25" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the Vim packages, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

Note: This CVE is mentioned in the text of RHSA-2008:0580 (https://rhn.redhat.com/errata/RHSA-2008-0580.html), as it was originally used to track multiple issues.  Issues that affected Vim packages in Red Hat Enterprise Linux 5 were later assigned a separate CVE identifier - CVE-2008-6235.  Neither of the issues currently covered by CVE-2008-3076 (insufficient shell escaping in mz and mc commands) affected Vim packages shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2008-3077" organization="Red Hat" lastmodified="2008-07-09" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-3134" organization="Red Hat" lastmodified="2010-05-14" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-3134</statement>
  <statement cvename="CVE-2008-3137" organization="Red Hat" lastmodified="2008-10-17" contributor="Tomas Hoger">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-3138" organization="Red Hat" lastmodified="2008-10-17" contributor="Tomas Hoger">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-3139" organization="Red Hat" lastmodified="2008-07-11" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-3140" organization="Red Hat" lastmodified="2008-07-11" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-3141" organization="Red Hat" lastmodified="2008-10-17" contributor="Tomas Hoger">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-3145" organization="Red Hat" lastmodified="2008-10-17" contributor="Tomas Hoger">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html</statement>
  <statement cvename="CVE-2008-3196" organization="Red Hat" lastmodified="2008-07-17" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-3196

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2008-3214" organization="Red Hat" lastmodified="2008-07-25" contributor="Mark J Cox">Not vulnerable. This issue did not affect the version of dnsmasq as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2008-3234" organization="Red Hat" lastmodified="2008-07-21" contributor="Joshua Bressers">Upon investigating this issue, the Red Hat Security Response Team has determined that this is not a vulnerability.  The ability to specify a desired role when connecting to OpenSSH is a feature of how OpenSSH interacts with SELinux.  Users can only assign themselves SELinux roles which they have permission to access.  They cannot assign themselves arbitrary roles.</statement>
  <statement cvename="CVE-2008-3247" organization="Red Hat" lastmodified="2008-07-30" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped
with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2008-3257" organization="Oracle" lastmodified="2008-07-31" contributor="Oracle">Oracle has released a workaround for CVE-2008-3257.  Information is available at:

http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html</statement>
  <statement cvename="CVE-2008-3259" organization="Red Hat" lastmodified="2008-07-23" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-3294" organization="Red Hat" lastmodified="2008-07-25" contributor="Tomas Hoger">This issue can only be exploited during the package build and it does not affect users of pre-built packages distributed with Red Hat Enterprise Linux. Therefore, we do not plan to backport a fix for this issue to already released versions of Red Hat Enterprise Linux 2.1, 3, 4, and 5.</statement>
  <statement cvename="CVE-2008-3329" organization="Red Hat" lastmodified="2008-11-13" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of links as shipped with Red Hat Enterprise Linux 2.1, and versions of elinks as shipped with Red Hat Enterprise Linux 3, 4, or 5. Versions of links / elinks shipped do not support &quot;only proxies&quot; feature.</statement>
  <statement cvename="CVE-2008-3350" organization="Red Hat" lastmodified="2008-07-30" contributor="Mark J Cox">Not vulnerable. These issues did not affect the version of dnsmasq as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2008-3437" organization="Red Hat" lastmodified="2008-08-04" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of OpenOffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5. The updated Red Hat Enterprise Linux packages are not distributed via the openoffice.org update service, but rather via Red Hat Network, using the package manager capabilities to verify authenticity of updates.</statement>
  <statement cvename="CVE-2008-3440" organization="Red Hat" lastmodified="2008-08-06" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Sun Java packages as shipped with Red Hat Enterprise Linux 4 Extras, or 5 Supplementary. The updated Red Hat Enterprise Linux packages are not distributed via the java.sun.com update service (which is only used for Windows version of Sun Java), but rather via Red Hat Network, using the package manager capabilities to verify authenticity of updates.</statement>
  <statement cvename="CVE-2008-3444" organization="Red Hat" lastmodified="2008-08-04" contributor="Joshua Bressers">Red Hat does not consider this flaw a security issue. This flaw is not exploitable beyond causing the web browser to crash.</statement>
  <statement cvename="CVE-2008-3493" organization="Red Hat" lastmodified="2008-08-07" contributor="Joshua Bressers">This flaw does not affect the Linux version of RealVNC as shipped in Red Hat Enterprise Linux.</statement>
  <statement cvename="CVE-2008-3496" organization="Red Hat" lastmodified="2009-05-19" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

The uvcvideo driver was first added in kernel packages update RHSA-2009:0225 in Red Hat Enterprise Linux 5.3, and it already contained a fix for this flaw.</statement>
  <statement cvename="CVE-2008-3526" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html</statement>
  <statement cvename="CVE-2008-3527" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html</statement>
  <statement cvename="CVE-2008-3533" organization="Red Hat" lastmodified="2008-08-19" contributor="Joshua Bressers">This issue does not affect the versions of the yelp package, as shipped with Red Hat Enterprise Linux 3, 4 and 5.</statement>
  <statement cvename="CVE-2008-3534" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html</statement>
  <statement cvename="CVE-2008-3535" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html</statement>
  <statement cvename="CVE-2014-6253" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in versions 5.1.2 and 4.2.4.SP863. Will be also addressed in next 425 maintenance release.</statement>
  <statement cvename="CVE-2014-6255" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in versions 5.0, 4.2.5.SP167, and 4.2.4.SP555</statement>
  <statement cvename="CVE-2014-6256" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in 5.0</statement>
  <statement cvename="CVE-2014-6257" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in 5.1.2</statement>
  <statement cvename="CVE-2014-6258" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in versions 5.1.1, 4.2.5.SP650, and 4.2.4.SP854</statement>
  <statement cvename="CVE-2014-6259" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in versions 5.1.1, 4.2.5.SP650, and 4.2.4.SP854</statement>
  <statement cvename="CVE-2014-6260" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in versions 5.1.1, 4.2.5.SP650, and 4.2.4.SP854</statement>
  <statement cvename="CVE-2008-3658" organization="Red Hat" lastmodified="2009-04-07" contributor="Joshua Bressers">This issue has been addressed in the affected versions of PHP packages shipped in Red Hat Enterprise Linux via advisories listed on the following page: https://rhn.redhat.com/errata/CVE-2008-3658.html</statement>
  <statement cvename="CVE-2008-3659" organization="Red Hat" lastmodified="2017-08-07" contributor="Joshua Bressers">The PHP interpreter does not offer a reliable sandboxed security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.
</statement>
  <statement cvename="CVE-2008-3663" organization="Red Hat" lastmodified="2009-01-12" contributor="Tomas Hoger">This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html</statement>
  <statement cvename="CVE-2008-3686" organization="Red Hat" lastmodified="2008-08-18" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2008-3687" organization="Red Hat" lastmodified="2008-08-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the version of Xen hypervisor as shipped with Red Hat Enterprise Linux 5, as it does not support XSM.</statement>
  <statement cvename="CVE-2008-3746" organization="Red Hat" lastmodified="2008-08-28" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of neon as shipped with Red Hat Enterprise Linux 4, or 5.</statement>
  <statement cvename="CVE-2008-3789" organization="Red Hat" lastmodified="2008-08-28" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-3792" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html</statement>
  <statement cvename="CVE-2008-3825" organization="Red Hat" lastmodified="2017-09-28" contributor="Joshua Bressers">This issue did not affect the version of pam_krb5 shipped in Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2008-3832" organization="Red Hat" lastmodified="2017-08-07" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the version of utrace as shipped with the Red Hat Enterprise Linux 5 kernel.</statement>
  <statement cvename="CVE-2008-3833" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html</statement>
  <statement cvename="CVE-2012-1556" organization="Synology Inc." lastmodified="2014-09-16" contributor="Synology Inc.">This vulnerability has been fixed in Photo Station 5.0, when it became a standalone package upon release of DSM 4.0. Synology NAS products running DSM 3.2 are eligible to upgrade to DSM 4.0. Synology strongly recommends any customers whose Synology NAS runs on DSM 3.2 to upgrade to DSM 4.0 or onward as well as update Photo Station to the latest version.</statement>
  <statement cvename="CVE-2008-3889" organization="Red Hat" lastmodified="2017-09-28" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of Postfix as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-3894" organization="Lenovo" lastmodified="2008-11-05" contributor="">Lenovo has released a BIOS update to address this issue.

http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-64580</statement>
  <statement cvename="CVE-2008-3895" organization="Red Hat" lastmodified="2009-01-29" contributor="Joshua Bressers">Red Hat does not consider this to be a security issue.  Since these operations can only be executed by root, no trust boundary is crossed as a result of this behaviour.</statement>
  <statement cvename="CVE-2008-3896" organization="Red Hat" lastmodified="2009-01-29" contributor="Joshua Bressers">Red Hat does not consider this to be a security issue.  Since these operations can only be executed by root, no trust boundary is crossed as a result of this behaviour.</statement>
  <statement cvename="CVE-2008-3911" organization="Red Hat" lastmodified="2008-09-05" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2008-3915" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html</statement>
  <statement cvename="CVE-2008-3949" organization="Red Hat" lastmodified="2017-08-07" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of the emacs package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-3963" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This issue did not affect MySQL as supplied with Red Hat Enterprise Linux 3 or 4.

This issue was addressed for Red Hat Enterprise Linux 5 and Red Hat Application Stack v2
https://rhn.redhat.com/cve/CVE-2008-3963.html</statement>
  <statement cvename="CVE-2008-3964" organization="Red Hat" lastmodified="2017-08-07" contributor="Joshua Bressers">Not vulnerable. These issues did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-4098" organization="Red Hat" lastmodified="2010-02-17" contributor="Tomas Hoger">This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0110.html and in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1067.html .

In Red Hat Enterprise Linux 5, issue CVE-2008-2079 was fixed without introducing CVE-2008-4098 in https://rhn.redhat.com/errata/RHSA-2009-1289.html .</statement>
  <statement cvename="CVE-2008-4107" organization="Red Hat" lastmodified="2017-08-07" contributor="Joshua Bressers">The risks associated with fixing this bug are greater than the security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, 3, 4, or 5.

For more information please see our bug for this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=462772</statement>
  <statement cvename="CVE-2008-4108" organization="Red Hat" lastmodified="2009-03-13" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
</statement>
  <statement cvename="CVE-2008-4109" organization="Red Hat" lastmodified="2017-08-07" contributor="Joshua Bressers">Not vulnerable.  The patch used to fix CVE-2006-5051 in Red Hat Enterprise Linux 2.1, 3, 4, and 5 was complete and does not suffer from this problem.</statement>
  <statement cvename="CVE-2008-4113" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via:  https://rhn.redhat.com/errata/RHSA-2008-0857.html</statement>
  <statement cvename="CVE-2008-4163" organization="Red Hat" lastmodified="2017-08-07" contributor="Joshua Bressers">Not vulnerable.  This flaw does not affect the version of BIND as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-4190" organization="Red Hat" lastmodified="2009-03-30" contributor="Joshua Bressers">This issue has been addressed via: https://rhn.redhat.com/errata/RHSA-2009-0402.html</statement>
  <statement cvename="CVE-2008-4191" organization="Red Hat" lastmodified="2008-10-17" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=460435

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-4192" organization="Red Hat" lastmodified="2008-10-17" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4192

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw. More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2008-4212" organization="Red Hat" lastmodified="2008-10-25" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of rsh-server packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

The glibc's ruserok function is used to check user's authorization against rhosts files.  That implementation of ruserok never opens /etc/hosts.equiv for superuser.</statement>
  <statement cvename="CVE-2008-4302" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html</statement>
  <statement cvename="CVE-2008-4314" organization="Red Hat" lastmodified="2008-12-01" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-4382" organization="Red Hat" lastmodified="2017-08-07" contributor="Joshua Bressers">We do not consider a crash of a client application such as Konqueror to be a security issue.</statement>
  <statement cvename="CVE-2008-4395" organization="Red Hat" lastmodified="2008-11-06" contributor="Tomas Hoger">Not vulnerable. ndiswrapper is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2008-4409" organization="Red Hat" lastmodified="2017-08-07" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of libxml2 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-4410" organization="Red Hat" lastmodified="2017-08-07" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2008-4445" organization="Red Hat" lastmodified="2009-01-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html</statement>
  <statement cvename="CVE-2008-4456" organization="Red Hat" lastmodified="2010-02-17" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-4456

This issue was addressed for Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1289.html and Red Hat Enterprise Linux 4 by https://rhn.redhat.com/errata/RHSA-2010-0110.html .

The Red Hat Security Response Team has rated this issue as having low security impact, future MySQL package updates may address this flaw for Red Hat Enterprise Linux 3, and Red Hat Application Stack 2.</statement>
  <statement cvename="CVE-2008-4474" organization="Red Hat" lastmodified="2009-02-06" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of freeradius as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-4482" organization="Red Hat" lastmodified="2008-12-02" contributor="Joshua Bressers">Not Vulnerable. Red Hat Enterprise MRG does not use Xerces-C++ in a manner that is vulnerable to this flaw.</statement>
  <statement cvename="CVE-2008-4514" organization="Red Hat" lastmodified="2017-09-28" contributor="Joshua Bressers">We do not consider a crash of a client application such as Konqueror to be a security issue.</statement>
  <statement cvename="CVE-2008-4552" organization="Red Hat" lastmodified="2009-09-02" contributor="Joshua Bressers">This issue affected Red Hat Enterprise Linux 5 and was addressed by
https://rhn.redhat.com/errata/RHSA-2009-1321.html
</statement>
  <statement cvename="CVE-2008-4578" organization="Red Hat" lastmodified="2008-10-24" contributor="Joshua Bressers">The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2008-4579" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">The Red Hat Security Response Team has rated this issue as having low security
impact.

This issue is addressed in the cman package for Red Hat Enterprise Linux 5:
https://rhn.redhat.com/errata/RHSA-2009-1337.html

This issue also affects the fence package in Red Hat Cluster Suite for Enterprise Linux 4AS, a future update may address this flaw:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4579</statement>
  <statement cvename="CVE-2008-4580" organization="Red Hat" lastmodified="2009-11-12" contributor="Tomas Hoger">Manual fencing agent is documented to only be provided for testing purposes and should not be used in production environments. Therefore, there is no plan to fix this flaw in Red Hat Cluster Suite for Red Hat Enterprise Linux 4, and in Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2008-4609" organization="Red Hat" lastmodified="2009-09-08" contributor="Joshua Bressers">The attacks reported by Outpost24 AB target the design limitations of the TCP protocol. Due to upstream's decision not to release updates, Red Hat do not plan to release updates to resolve these issues; however, the effects of these attacks can be reduced via the mitigation methods as written in http://kbase.redhat.com/faq/docs/DOC-18730.</statement>
  <statement cvename="CVE-2008-4618" organization="Red Hat" lastmodified="2009-01-22" contributor="Tomas Hoger">The versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 were not affected by this issue.

This issue only affected the version of Linux kernel as shipped with Red Hat Enterprise MRG and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-0009.html</statement>
  <statement cvename="CVE-2008-4677" organization="Red Hat" lastmodified="2008-10-25" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of vim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-4680" organization="Red Hat" lastmodified="2009-03-05" contributor="Tomas Hoger">This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html</statement>
  <statement cvename="CVE-2008-4681" organization="Red Hat" lastmodified="2009-03-05" contributor="Tomas Hoger">This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html</statement>
  <statement cvename="CVE-2008-4682" organization="Red Hat" lastmodified="2009-03-05" contributor="Tomas Hoger">This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html</statement>
  <statement cvename="CVE-2008-4683" organization="Red Hat" lastmodified="2009-03-05" contributor="Tomas Hoger">This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html</statement>
  <statement cvename="CVE-2008-4684" organization="Red Hat" lastmodified="2009-03-05" contributor="Tomas Hoger">This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html</statement>
  <statement cvename="CVE-2008-4685" organization="Red Hat" lastmodified="2009-03-05" contributor="Tomas Hoger">This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html</statement>
  <statement cvename="CVE-2008-4723" organization="Red Hat" lastmodified="2009-01-21" contributor="Joshua Bressers">Red Hat does not consider this to be a security flaw.  Firefox is handling the ftp:// URL as expected.</statement>
  <statement cvename="CVE-2008-4799" organization="Red Hat" lastmodified="2008-10-31" contributor="Tomas Hoger">This issue can only cause pamperspective to crash when used on specially crafted messages.  We do not consider this to be a security issue.</statement>
  <statement cvename="CVE-2008-4865" organization="Red Hat" lastmodified="2009-02-05" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4865

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2008-4907" organization="Red Hat" lastmodified="2008-11-21" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of the dovecot package, as shipped with Red Hat Enterprise Linux 4 or 5.</statement>
  <statement cvename="CVE-2008-4936" organization="Mandriva" lastmodified="2008-12-09" contributor="Vincent Danen">This issue was fixed on May 5, 2003 for all Mandriva Linux products.</statement>
  <statement cvename="CVE-2008-4936" organization="Red Hat" lastmodified="2008-11-06" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of mgetty as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, as they include patch that resolves this issue.</statement>
  <statement cvename="CVE-2008-4937" organization="Red Hat" lastmodified="2008-11-06" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of OpenOffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2008-4977" organization="Red Hat" lastmodified="2008-11-06" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of postfix as shipped with Red Hat Enterprise Linux 3, 4, or 5. Mentioned script is not part of the official postfix distribution and is not included in Red Hat Enterprise Linux postfix packages.</statement>
  <statement cvename="CVE-2008-5006" organization="Red Hat" lastmodified="2009-01-30" contributor="Tomas Hoger">The affected code is not used by any application shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5.  The impact of this flaw is limited to a crash of the applications connecting to a misbehaving SMTP server.  Due to those reasons, there's currently no plan to include the fix in the imap packages as shipped in Red Hat Enterprise Linux 2.1 and 3, and the libc-client packages as shipped in Red Hat Enterprise Linux 4 and 5.</statement>
  <statement cvename="CVE-2008-5033" organization="Red Hat" lastmodified="2008-11-19" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2008-5134" organization="Red Hat" lastmodified="2009-02-04" contributor="Mark J Cox">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

The issue was addressed in the Linux kernel packages as shipped with Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-0053.html</statement>
  <statement cvename="CVE-2008-5161" organization="Red Hat" lastmodified="2009-09-02" contributor="Joshua Bressers">This issue was addressed for Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1287.html

After reviewing the upstream fix for this issue, Red Hat does not intend to address this flaw in Red Hat Enterprise Linux 3 or 4 at this time.</statement>
  <statement cvename="CVE-2008-5184" organization="Red Hat" lastmodified="2008-12-03" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3, 4, or 5. Versions shipped do not support RSS subscriptions.</statement>
  <statement cvename="CVE-2008-5187" organization="Red Hat" lastmodified="2008-11-21" contributor="Joshua Bressers">Not vulnerable. This issue does not affect the versions of imlib as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.</statement>
  <statement cvename="CVE-2009-0241" organization="Red Hat" lastmodified="2009-01-23" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0241

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update of Red Hat HPC Solution may address this flaw.  More information regarding
issue severity can be found here: http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2009-0242" organization="Red Hat" lastmodified="2009-01-22" contributor="Joshua Bressers">Red Hat does not consider this to be a security issue.  For more information, please see the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0242</statement>
  <statement cvename="CVE-2009-0259" organization="Red Hat" lastmodified="2009-01-23" contributor="Tomas Hoger">This issue can only result in an OpenOffice.org crash, not allowing arbitrary code execution.  Red Hat does not consider a crash of a client application such as OpenOffice.org to be a security issue.</statement>
  <statement cvename="CVE-2009-0265" organization="Red Hat" lastmodified="2009-01-26" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of BIND as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-0282" organization="Red Hat" lastmodified="2009-02-02" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, and Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-0360" organization="Red Hat" lastmodified="2009-02-13" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of the pam_krb5 package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-0361" organization="Red Hat" lastmodified="2009-02-13" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the versions of the pam_krb5 package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-0478" organization="Red Hat" lastmodified="2009-02-09" contributor="Joshua Bressers">Not vulnerable. This issue did not affect the version of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-0579" organization="Red Hat" lastmodified="2009-04-16" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of pam as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.  Only PAM versions 1.x were affected.</statement>
  <statement cvename="CVE-2009-0590" organization="Red Hat" lastmodified="2010-03-25" contributor="Tomas Hoger">This issue was fixed in openssl packages in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1335.html

This issue was fixed in openssl packages in Red Hat Enterprise Linux 3 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0163.html</statement>
  <statement cvename="CVE-2009-0591" organization="Red Hat" lastmodified="2009-03-30" contributor="Tomas Hoger">Not vulnerable. This issue affected OpenSSL CMS functionality which is not present in the openssl packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.</statement>
  <statement cvename="CVE-2009-0601" organization="Red Hat" lastmodified="2009-02-17" contributor="Tomas Hoger">Red Hat does not consider this to be a security issue.  For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0601#c3</statement>
  <statement cvename="CVE-2009-0605" organization="Red Hat" lastmodified="2009-02-19" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5, or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-0653" organization="Red Hat" lastmodified="2009-03-02" contributor="Mark J Cox">Not vulnerable. This issue was addressed in upstream OpenSSL prior to 0.9.6 and therefore does not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-0671" organization="Red Hat" lastmodified="2009-02-24" contributor="Mark J Cox">Disputed: The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional.</statement>
  <statement cvename="CVE-2009-0675" organization="Red Hat" lastmodified="2009-05-19" contributor="Tomas Hoger">This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as the affected driver is not enabled in these kernels by default. The affected driver is enabled by default in Red Hat Enterprise Linux 2.1, 3, 5, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2009-0326.html and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-0360.html .

As Red Hat Enterprise Linux 2.1 and 3 are now in Production 3 of their maintenance life-cycle, http://www.redhat.com/security/updates/errata, and this issue has been rated as having moderate impact, the fix for this issue is not currently planned to be included in the future updates.</statement>
  <statement cvename="CVE-2009-0688" organization="Red Hat" lastmodified="2009-06-19" contributor="Tomas Hoger">The upstream fix for this issue is not backwards compatible and introduces an ABI change not allowed in Red Hat Enterprise Linux.  Therefore, there is no plan to address this problem directly in cyrus-sasl packages.

All applications shipped in Red Hat Enterprise Linux and using affected sasl_encode64() function were investigated and patched if their use of the function could have security consequences.  See following bug report for further details: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0688#c20</statement>
  <statement cvename="CVE-2009-0692" organization="Red Hat" lastmodified="2009-07-16" contributor="Tomas Hoger">This issue affected the dhcp packages as shipped with Red Hat Enterprise Linux 3 and 4. Updated packages to correct this issue are available via Red Hat Network:

https://rhn.redhat.com/errata/CVE-2009-0692.html

This issue did not affect the dhcp packages as shipped with Red Hat Enterprise Linux 5 due to the use of FORTIFY_SOURCE protection mechanism that changes the exploitability of the issue into a controlled application termination.</statement>
  <statement cvename="CVE-2009-0745" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. 

This issue was addressed in Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1243.html</statement>
  <statement cvename="CVE-2009-0746" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. 

This issue was addressed in Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1243.html</statement>
  <statement cvename="CVE-2009-0747" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. 

This issue was addressed in Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1243.html</statement>
  <statement cvename="CVE-2009-0748" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

This issue was addressed in Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1243.html</statement>
  <statement cvename="CVE-2009-0755" organization="Red Hat" lastmodified="2009-07-15" contributor="Tomas Hoger">Not vulnerable.  This issue did not affect the versions of poppler, xpdf, gpdf and kdegraphics as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-0756" organization="Red Hat" lastmodified="2009-07-15" contributor="Tomas Hoger">This issue is a duplicate of CVE-2009-0166, which was addressed in affected products via following updates: https://rhn.redhat.com/errata/CVE-2009-0166.html</statement>
  <statement cvename="CVE-2009-0758" organization="Red Hat" lastmodified="2010-07-13" contributor="Tomas Hoger">This issue has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0528.html.</statement>
  <statement cvename="CVE-2009-0778" organization="Red Hat" lastmodified="2009-05-19" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-0326.html .</statement>
  <statement cvename="CVE-2009-0781" organization="Red Hat" lastmodified="2009-03-17" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0781

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2009-0787" organization="Red Hat" lastmodified="2009-05-19" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-0473.html .</statement>
  <statement cvename="CVE-2009-0789" organization="Red Hat" lastmodified="2009-03-30" contributor="Tomas Hoger">Not vulnerable. This issue only affects a small number of operating systems and does not affect the openssl packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.</statement>
  <statement cvename="CVE-2009-0793" organization="Red Hat" lastmodified="2009-04-09" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0793

The Red Hat Security Response Team has rated this issue as having low security impact, a future lcms packages update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2009-0796" organization="Red Hat" lastmodified="2009-06-11" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0796

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future mod_perl package update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2009-0801" organization="Red Hat" lastmodified="2009-03-09" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0801

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2009-0819" organization="Red Hat" lastmodified="2009-10-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of mysql packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.</statement>
  <statement cvename="CVE-2009-0835" organization="Red Hat" lastmodified="2009-05-19" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-0451.html .</statement>
  <statement cvename="CVE-2009-0847" organization="Red Hat" lastmodified="2009-04-09" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-0859" organization="Red Hat" lastmodified="2009-03-10" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-0887" organization="Red Hat" lastmodified="2009-03-13" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0887

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2009-0922" organization="Red Hat" lastmodified="2009-10-08" contributor="Tomas Hoger">This issue has been addressed in Red Hat Enterprise Linux 4 and 5 via:
https://rhn.redhat.com/errata/RHSA-2009-1484.html

and in Red Hat Application Stack v2 via:
https://rhn.redhat.com/errata/RHSA-2009-1067.html</statement>
  <statement cvename="CVE-2009-0935" organization="Red Hat" lastmodified="2009-04-15" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-1046" organization="Red Hat" lastmodified="2009-05-19" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-0451.html .</statement>
  <statement cvename="CVE-2009-1072" organization="Red Hat" lastmodified="2009-09-10" contributor="Tomas Hoger">This issue has been rated as having moderate security impact. It was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG, via https://rhn.redhat.com/errata/RHSA-2009-1132.html , https://rhn.redhat.com/errata/RHSA-2009-1106.html , and https://rhn.redhat.com/errata/RHSA-2009-1081.html .

This issue is not planned to be fixed in Red Hat Enterprise Linux 2.1 and 3, due to these products being in Production 3 of their maintenance life-cycles, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/ .</statement>
  <statement cvename="CVE-2009-1185" organization="Red Hat" lastmodified="2009-04-20" contributor="Tomas Hoger">This issue has been fixed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2009-0427.html .  udev packages as shipped in Red Hat Enterprise Linux 4 were not affected by this flaw, as they do not use netlink sockets for communication.  udev is not shipped in Red Hat Enterprise Linux 2.1 and 3.</statement>
  <statement cvename="CVE-2009-1186" organization="Red Hat" lastmodified="2009-04-17" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of udev as shipped with Red Hat Enterprise Linux 4, or 5.</statement>
  <statement cvename="CVE-2009-1214" organization="Red Hat" lastmodified="2009-04-02" contributor="Tomas Hoger">Red Hat does not consider this to be a security issue.  Affected file is supposed to be used to exchange information between local system users, therefore open permissions are intentional.</statement>
  <statement cvename="CVE-2009-1215" organization="Red Hat" lastmodified="2009-04-02" contributor="Tomas Hoger">Red Hat does not consider this to be a security issue.  The checks implemented by screen to protect against race condition attacks on /tmp/screen-exchange file provide sufficient protection for this rarely-used buffer exchange feature.  For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=492104</statement>
  <statement cvename="CVE-2009-1227" organization="Check Point" lastmodified="2009-04-07" contributor="">Check Point Security Alert Team has analyzed this report. We’ve tried to reproduce the attack on all VPN-1 versions from NG FP2 and above with and without HFAs. 
The issue was not reproduced. We have conducted a thorough analysis of the relevant code and verified that we are secure against this attack.
We consider this attack to pose no risk to Check Point customers.
 
Check Point Security Alert Team</statement>
  <statement cvename="CVE-2009-1232" organization="Red Hat" lastmodified="2009-04-27" contributor="Mark J Cox">https://bugzilla.mozilla.org/show_bug.cgi?id=485941

Red Hat does not consider a user-assisted crash of a client application such as Firefox to be a security issue.
</statement>
  <statement cvename="CVE-2009-1242" organization="Red Hat" lastmodified="2009-04-07" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-1243" organization="Red Hat" lastmodified="2009-04-07" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-1265" organization="Red Hat" lastmodified="2009-06-17" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 4, 5, or Red Hat Enterprise MRG, as the affected driver is not enabled in these kernels.

The affected driver is available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed.

This issue has been rated as having moderate security impact as it does not lead to a denial of service or privilege escalation. As Red Hat Enterprise Linux 3 is now in Production 3 of its maintenance life-cycle, http://www.redhat.com/security/updates/errata, and the affected driver can only be enabled when using the unsupported kernel-unsupported package, a fix for this issue is not currently planned to be included in the future updates.</statement>
  <statement cvename="CVE-2009-1267" organization="Red Hat" lastmodified="2009-04-17" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
</statement>
  <statement cvename="CVE-2009-1271" organization="Red Hat" lastmodified="2009-04-15" contributor="Tomas Hoger">This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1. PHP version in Red Hat Application Stack v2 was fixed via: https://rhn.redhat.com/errata/RHSA-2009-0350.html</statement>
  <statement cvename="CVE-2009-1272" organization="Red Hat" lastmodified="2009-04-15" contributor="Tomas Hoger">Not vulnerable. This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1 and v2. This problem was introduced in the fix for CVE-2008-5658. Patch for CVE-2008-5658 as used in Red Hat Application Stack v2 also includes the fix for this crash too.</statement>
  <statement cvename="CVE-2009-1284" organization="Red Hat" lastmodified="2009-08-31" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1284

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:

http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2009-1296" organization="Red Hat" lastmodified="2009-06-10" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of ecryptfs-utils as shipped with Red Hat Enterprise Linux 5.  eCryptfs encrypted home directories are not set up during the system installation, so there's no possibility for leaking encryption passwords to the installation log file.</statement>
  <statement cvename="CVE-2009-1298" organization="Red Hat" lastmodified="2009-12-09" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include upstream commit 7c73a6fa that introduced the problem.</statement>
  <statement cvename="CVE-2009-1338" organization="Red Hat" lastmodified="2009-09-10" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1081.html .</statement>
  <statement cvename="CVE-2009-1349" organization="Red Hat" lastmodified="2009-04-21" contributor="Mark J Cox">This flaw was caused by a C2Net specific patch added to Apache http_log.c in Stronghold 2.3.

C2Net Stronghold 2.3 reached end of life for updates on October 31st 2000. 
http://www.awe.com/mark/history/stronghold.html</statement>
  <statement cvename="CVE-2009-1360" organization="Red Hat" lastmodified="2009-04-23" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-1377" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4.

This issue was addressed for Red Hat Enterprise Linux 5 
by http://rhn.redhat.com/errata/RHSA-2009-1335.html

Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments.  There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client - openssl.</statement>
  <statement cvename="CVE-2009-1378" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4.

This issue was addressed for Red Hat Enterprise Linux 5 
by http://rhn.redhat.com/errata/RHSA-2009-1335.html

Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments.  There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client - openssl.
</statement>
  <statement cvename="CVE-2009-1379" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4.

This issue was addressed for Red Hat Enterprise Linux 5 
by http://rhn.redhat.com/errata/RHSA-2009-1335.html

Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments.  There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client - openssl.
</statement>
  <statement cvename="CVE-2009-1381" organization="Red Hat" lastmodified="2009-05-26" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of squirrelmail as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Updates for squirrelmail released via RHSA-2009:1066 (https://rhn.redhat.com/errata/RHSA-2009-1066.html) fixed original flaw CVE-2009-1579 without introducing CVE-2009-1381.</statement>
  <statement cvename="CVE-2009-1384" organization="Red Hat" lastmodified="2010-03-31" contributor="Tomas Hoger">This issue did not affect the versions of the pam_krb5 packages, as shipped with Red Hat Enterprise Linux 3 and 4.

The issue was addressed in the pam_krb5 packages as shipped with Red Hat Enterprise Linux 5 via:
https://rhn.redhat.com/errata/RHSA-2010-0258.html</statement>
  <statement cvename="CVE-2009-1388" organization="Red Hat" lastmodified="2009-08-05" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise 5 via: https://rhn.redhat.com/errata/RHSA-2009-1193.html</statement>
  <statement cvename="CVE-2009-1390" organization="Red Hat" lastmodified="2009-06-17" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of mutt as shipped with Red Hat Enterprise Linux 3, 4, or 5.  Only mutt version 1.5.19 was affected by this flaw.</statement>
  <statement cvename="CVE-2009-1415" organization="Red Hat" lastmodified="2009-09-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5 as it only affected gnutls 2.6.x versions.</statement>
  <statement cvename="CVE-2009-1416" organization="Red Hat" lastmodified="2009-09-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5 as it only affected gnutls 2.6.x versions.</statement>
  <statement cvename="CVE-2009-1417" organization="Red Hat" lastmodified="2009-08-11" contributor="Tomas Hoger">The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 4, or 5.

For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1417
</statement>
  <statement cvename="CVE-2009-1438" organization="Red Hat" lastmodified="2009-04-28" contributor="Tomas Hoger">The impact of this flaw is limited to application crash, not allowing code execution.  Red Hat does not consider a user-assisted crash of a client application such as media players using GStreamer framework to be a security issue.

For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1438</statement>
  <statement cvename="CVE-2009-1490" organization="Red Hat" lastmodified="2009-05-07" contributor="Mark J Cox">Based on our analysis this issue does not have a security consequence and does not lead to a buffer overflow or denial of service.  For more details of our technical evaluation see
https://bugzilla.redhat.com/show_bug.cgi?id=499252#c18</statement>
  <statement cvename="CVE-2009-1513" organization="Red Hat" lastmodified="2009-05-12" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of libmodplug embedded in gstreamer-plugins as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for the PAT file type.</statement>
  <statement cvename="CVE-2009-1527" organization="Red Hat" lastmodified="2009-05-06" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-1572" organization="Red Hat" lastmodified="2009-05-18" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of zebra as shipped with Red Hat Enterprise Linux 2.1, and the versions of quagga as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-1630" organization="Red Hat" lastmodified="2009-09-10" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, and 3.

It was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1132.html , https://rhn.redhat.com/errata/RHSA-2009-1106.html , and https://rhn.redhat.com/errata/RHSA-2009-1157.html .</statement>
  <statement cvename="CVE-2009-1631" organization="Red Hat" lastmodified="2009-12-07" contributor="Mark J Cox">Red Hat does not consider this to be a security issue. By default, user home directories are created with mode 0700 permissions, which would not expose the ~/.evolution/ directory regardless of its own permissions.

If a user intentionally relaxes permissions on their home directory, they should be auditing all files and directories in order to not expose unwanted files to other local users.</statement>
  <statement cvename="CVE-2009-1633" organization="Red Hat" lastmodified="2009-09-10" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, and 3.

It was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1211.html , https://rhn.redhat.com/errata/RHSA-2009-1106.html , and https://rhn.redhat.com/errata/RHSA-2009-1157.html .</statement>
  <statement cvename="CVE-2009-1724" organization="Red Hat" lastmodified="2009-08-07" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the kdelibs packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5.
</statement>
  <statement cvename="CVE-2009-1725" organization="Red Hat" lastmodified="2009-08-07" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the kdelibs packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-1758" organization="Red Hat" lastmodified="2009-09-10" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2009-1132.html and https://rhn.redhat.com/errata/RHSA-2009-1106.html .</statement>
  <statement cvename="CVE-2009-1883" organization="Red Hat" lastmodified="2009-09-22" contributor="Tomas Hoger">This issue did not affect kernel packages as shipped in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 1.

It was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2009-1438.html .

This issue has been rated as having moderate security impact.

It is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/</statement>
  <statement cvename="CVE-2009-1885" organization="Red Hat" lastmodified="2009-08-12" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1885

The Red Hat Security Response Team has rated this issue as having low security impact, a future xerces-c packages update in Red Hat Enterprise MRG 1.1 may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2009-1886" organization="Red Hat" lastmodified="2009-06-29" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-1888" organization="Red Hat" lastmodified="2009-10-27" contributor="Tomas Hoger">This issue did not affect Red Hat Enterprise Linux 3.

It was addressed in Red Hat Enterprise Linux 4 and 5 via RHSA-2009:1529:
https://rhn.redhat.com/errata/RHSA-2009-1529.html
</statement>
  <statement cvename="CVE-2009-1892" organization="Red Hat" lastmodified="2009-07-20" contributor="Mark J Cox">Not vulnerable.  Red Hat Enterprise Linux 3, 4, and 5 provide earlier versions of ISC DHCP which are not vulnerable to this issue.</statement>
  <statement cvename="CVE-2009-1897" organization="Red Hat" lastmodified="2009-09-02" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1897

The flaw only affects the Red Hat Enterprise Linux 5.4 beta kernel, which includes a backport of the upstream bug fix introducing this flaw (git commit 33dccbb0). This issue did not affect the final released Red Hat Enterprise Linux 5.4 kernel.  It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun are restricted to root only.

This issue does not affect any other released kernel in any Red Hat product.</statement>
  <statement cvename="CVE-2009-1914" organization="Red Hat" lastmodified="2009-06-05" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the SPARC64 architecture.</statement>
  <statement cvename="CVE-2009-1961" organization="Red Hat" lastmodified="2009-07-15" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5. It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1157.html</statement>
  <statement cvename="CVE-2009-2042" organization="Red Hat" lastmodified="2010-07-14" contributor="Mark J Cox">This issue has been addressed in Red Hat Enterprise Linux 3, 4, and 5 via https://rhn.redhat.com/errata/RHSA-2010-0534.html.</statement>
  <statement cvename="CVE-2009-2139" organization="Red Hat" lastmodified="2009-09-10" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of openoffice.org and openoffice.org2 packages as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-2260" organization="Red Hat" lastmodified="2009-07-01" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of stardict as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2009-2287" organization="Red Hat" lastmodified="2009-07-01" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-2406" organization="Red Hat" lastmodified="2009-08-18" contributor="Mark J Cox">The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG did not include support for eCryptfs, and therefore are not affected by this issue.

Red Hat Enterprise Linux 5 was vulnerable to this issue and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-1193.html</statement>
  <statement cvename="CVE-2009-2407" organization="Red Hat" lastmodified="2009-08-18" contributor="Mark J Cox">The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG did not include support for eCryptfs, and therefore are not affected by this issue.

Red Hat Enterprise Linux 5 was vulnerable to this issue and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-1193.html</statement>
  <statement cvename="CVE-2009-2446" organization="Red Hat" lastmodified="2010-02-17" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2446

This issue was addressed for Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1289.html and Red Hat Enterprise Linux 4 by https://rhn.redhat.com/errata/RHSA-2010-0110.html .

The Red Hat Security Response Team has rated this issue as having low security impact, future MySQL package updates may address this flaw for Red Hat Enterprise Linux 3 and Red Hat Application Stack 2.</statement>
  <statement cvename="CVE-2009-2473" organization="Red Hat" lastmodified="2009-09-22" contributor="Tomas Hoger">Updated neon packages for Red Hat Enterprise Linux 4 and 5 were released via:
https://rhn.redhat.com/errata/RHSA-2009-1452.html

Embedded copy of the neon library is included in the versions of gnome-vfs2 packages as shipped with Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5.  The Red Hat Security Response Team has rated this issue as having low security impact on gnome-vfs2, future updates may address this flaw.</statement>
  <statement cvename="CVE-2009-2537" organization="Red Hat" lastmodified="2009-08-07" contributor="Tomas Hoger">Red Hat does not consider a user-assisted crash of a client application such as Konqueror to be a security issue.</statement>
  <statement cvename="CVE-2009-2559" organization="Red Hat" lastmodified="2009-08-12" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-2560" organization="Red Hat" lastmodified="2010-04-20" contributor="Tomas Hoger">The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html

Vectors (1) Bluetooth L2CAP and (3) MIOP did not affect the versions of the Wireshark package, as shipped with Red Hat Enterprise Linux 3, 4, or 5.
</statement>
  <statement cvename="CVE-2009-2561" organization="Red Hat" lastmodified="2009-08-12" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-2562" organization="Red Hat" lastmodified="2010-04-20" contributor="Tomas Hoger">The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html</statement>
  <statement cvename="CVE-2009-2563" organization="Red Hat" lastmodified="2010-04-20" contributor="Tomas Hoger">The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html</statement>
  <statement cvename="CVE-2009-2584" organization="Red Hat" lastmodified="2009-07-27" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-2621" organization="Red Hat" lastmodified="2009-08-06" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-2622" organization="Red Hat" lastmodified="2009-08-06" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-2624" organization="Red Hat" lastmodified="2010-02-02" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of gzip as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-2626" organization="Red Hat" lastmodified="2009-12-02" contributor="Tomas Hoger">Red Hat does not consider this flaw to be a security issue. The bug can only be triggered by the PHP script author, which does not cross trust boundary.</statement>
  <statement cvename="CVE-2009-2687" organization="Red Hat" lastmodified="2010-01-14" contributor="Tomas Hoger">This issue was addressed in php packages shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2010-0040.html</statement>
  <statement cvename="CVE-2009-2688" organization="Red Hat" lastmodified="2009-08-06" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-2688

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
</statement>
  <statement cvename="CVE-2009-2691" organization="Red Hat" lastmodified="2009-11-04" contributor="Mark J Cox">The Red Hat Security Response Team has rated this issue as having moderate security impact.

We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, and 5 as it is not possible to trigger the information leak if the suid_dumpable tunable is set to zero (which is the default).

It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1540.html</statement>
  <statement cvename="CVE-2009-2692" organization="Red Hat" lastmodified="2009-09-14" contributor="Mark J Cox">Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-18065.

Updates for Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2692.html</statement>
  <statement cvename="CVE-2009-2693" organization="Red Hat" lastmodified="2010-03-02" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2693

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

This issue has been addressed in JBoss Enterprise Web Server 1.0.1: https://rhn.redhat.com/errata/RHSA-2010-0119.html</statement>
  <statement cvename="CVE-2009-2698" organization="Red Hat" lastmodified="2009-09-14" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise MRG. Updates for Red Hat Enterprise Linux 3, 4 and 5 to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2698.html</statement>
  <statement cvename="CVE-2009-2699" organization="Apache" lastmodified="2010-01-21" contributor="Mark Cox">Clarification 1: This issue only affects Solaris 10 and OpenSolaris.  Other versions of Solaris and non-Solaris platforms are not affected.


Clarification 2: This issue only affects 2.2.x versions of Apache HTTP Server, APR 1.1 through 1.3.8.  APR 0.9.x is not affected.</statement>
  <statement cvename="CVE-2009-2699" organization="Red Hat" lastmodified="2010-02-23" contributor="Joshua Bressers">This flaw does not affect the version of APR shipped in Red Hat Enterprise Linux.

This flaw affected JBoss Enterprise Web Server running on the Solaris platform. Updated httpd packages are available for download from Customer Support Portal: https://support.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&amp;downloadType=securityPatches&amp;version=1.0.0</statement>
  <statement cvename="CVE-2009-2700" organization="Red Hat" lastmodified="2009-09-03" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of qt and qt4 as shipped with Red Hat Enterprise Linux 3, 4, or 5.  Affected code was introduced upstream in version 4.3.</statement>
  <statement cvename="CVE-2009-2702" organization="Red Hat" lastmodified="2009-09-18" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2702

This issue did not affect kdelibs packages as shipped in Red Hat Enterprise Linux 3 and 4.

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw in Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2009-2707" organization="Red Hat" lastmodified="2009-09-23" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of ia32el as shipped with Red Hat Enterprise Linux 3, 4 or 5.</statement>
  <statement cvename="CVE-2009-2767" organization="Red Hat" lastmodified="2009-08-18" contributor="Mark J Cox">Not vulnerable. This issue only affected kernels version 2.6.28-rc1 and later.
Therefore this issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-2768" organization="Red Hat" lastmodified="2009-08-18" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for flat binary support, and additionally this issue only affected kernels version 2.6.29-rc1 and later.</statement>
  <statement cvename="CVE-2009-2844" organization="Red Hat" lastmodified="2009-08-19" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG.

Please note this issue only affected Linux kernel versions after v2.6.30-rc1 and was fixed in v2.6.31-rc6.</statement>
  <statement cvename="CVE-2009-2846" organization="Red Hat" lastmodified="2009-08-19" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the PA-RISC architecture.</statement>
  <statement cvename="CVE-2009-2847" organization="Red Hat" lastmodified="2009-09-15" contributor="Tomas Hoger">This issue has been rated as having moderate security impact. It was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG:
http://rhn.redhat.com/cve/CVE-2009-2847.html

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.  For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/</statement>
  <statement cvename="CVE-2009-2849" organization="Red Hat" lastmodified="2009-11-04" contributor="Mark J Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2849

The flaw was introduced in kernel version 2.6.17-rc1. The Linux kernel as shipped with Red Hat Enterprise Linux 3, and 4 are not affected by this issue.

It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1540.html

A future kernel update for Red Hat Enterprise Linux 5 will address this flaw.</statement>
  <statement cvename="CVE-2009-2855" organization="Red Hat" lastmodified="2010-03-31" contributor="Tomas Hoger">This issue did not affect the versions of the squid packages, as shipped with Red Hat Enterprise Linux 3 and 4.

The issue was addressed in the squid packages as shipped with Red Hat Enterprise Linux 5 via:
https://rhn.redhat.com/errata/RHSA-2010-0221.html
</statement>
  <statement cvename="CVE-2009-2901" organization="Red Hat" lastmodified="2010-03-02" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2901

This issue did not affect Tomcat versions running on Linux or Solaris systems.

This issue is fixed in the tomcat5 and tomcat6 packages released with JBoss Enterprise Web Server 1.0.1 for Windows.</statement>
  <statement cvename="CVE-2009-2902" organization="Red Hat" lastmodified="2010-03-02" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2902

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

This issue has been addressed in JBoss Enterprise Web Server 1.0.1: https://rhn.redhat.com/errata/RHSA-2010-0119.html</statement>
  <statement cvename="CVE-2009-2903" organization="Red Hat" lastmodified="2009-09-17" contributor="Tomas Hoger">Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-19077

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise MRG. It is also available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. Future kernel updates in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG will address this issue.</statement>
  <statement cvename="CVE-2009-2908" organization="Red Hat" lastmodified="2009-11-04" contributor="Tomas Hoger">The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG do not include support for eCryptfs, and therefore are not affected by this issue.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1548.html</statement>
  <statement cvename="CVE-2009-2909" organization="Red Hat" lastmodified="2009-10-22" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, or Red Hat Enterprise MRG, as the affected driver is not enabled in these kernels.

The affected driver is available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed.

Future kernel update in Red Hat Enterprise Linux 3 may address this flaw.</statement>
  <statement cvename="CVE-2009-2910" organization="Red Hat" lastmodified="2010-01-21" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-2910

It has been rated as having moderate security impact.

It was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1671.html , https://rhn.redhat.com/errata/RHSA-2010-0046.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/</statement>
  <statement cvename="CVE-2009-3001" organization="Red Hat" lastmodified="2009-08-31" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for PF_LLC sockets in the Linux kernels.</statement>
  <statement cvename="CVE-2009-3002" organization="Red Hat" lastmodified="2009-11-04" contributor="Tomas Hoger">CVE-2009-3002 describes a collection of similar information leaks that affect numerous networking protocols.

The Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 did not enable support for the AppleTalk DDP protocol, and therefore were not affected by issue (1). It was addressed in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1550.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively.

The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG did not enable support for IrDA sockets, and therefore were not affected by issue (2). It was addressed in Red Hat Enterprise Linux 3 via: https://rhn.redhat.com/errata/RHSA-2009-1550.html

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not enable support for the Acorn Econet and AUN protocols, and therefore were not affected by issue (3).

The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG did not enable support for the NET/ROM and ROSE protocols, and therefore were not affected by issues (4) and (5). They were addressed in Red Hat Enterprise Linux 3 via: https://rhn.redhat.com/errata/RHSA-2009-1550.html

The raw_getname() leak was introduced in the Linux kernel version 2.6.25-rc1. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG  therefore were not affected by issue (6).</statement>
  <statement cvename="CVE-2009-3025" organization="Red Hat" lastmodified="2009-09-09" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of pidgin as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-3026" organization="Red Hat" lastmodified="2009-09-22" contributor="Mark J Cox">Red Hat has released updates to correct this issue:
https://rhn.redhat.com/errata/RHSA-2009-1453.html</statement>
  <statement cvename="CVE-2009-3043" organization="Red Hat" lastmodified="2009-09-03" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG, as they do not contain a backport of the tty ldisc rewrite (upstream commits 65b770468e98 and cbe9352fa08f).</statement>
  <statement cvename="CVE-2009-3051" organization="Red Hat" lastmodified="2009-09-11" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.</statement>
  <statement cvename="CVE-2009-3084" organization="Red Hat" lastmodified="2009-09-10" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Pidgin packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-3094" organization="Red Hat" lastmodified="2009-11-12" contributor="Tomas Hoger">List of the errata fixing this flaw in affected products can be found at:
https://www.redhat.com/security/data/cve/CVE-2009-3094.html</statement>
  <statement cvename="CVE-2009-3095" organization="Red Hat" lastmodified="2009-11-12" contributor="Tomas Hoger">List of the errata fixing this flaw in affected products can be found at:
https://www.redhat.com/security/data/cve/CVE-2009-3095.html</statement>
  <statement cvename="CVE-2009-3163" organization="Red Hat" lastmodified="2009-09-11" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.</statement>
  <statement cvename="CVE-2009-3228" organization="Red Hat" lastmodified="2009-11-04" contributor="Tomas Hoger">This issue was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1522.html , https://rhn.redhat.com/errata/RHSA-2009-1548 and https://rhn.redhat.com/errata/RHSA-2009-1540 respectively.

It has been rated as having moderate security impact and is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/
</statement>
  <statement cvename="CVE-2009-3229" organization="Red Hat" lastmodified="2009-09-24" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 3, 4, or 5.

In PostgreSQL versions prior to 8.2, only database administrator was able to LOAD additional plugins and use it to cause server crash.  However, this does not bypass trust boundary, so it's not a security flaw for older PostgreSQL versions.  Additionally, no plugins are shipped in Red Hat PostgreSQL packages by default.

This issue was addressed in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1461.html .</statement>
  <statement cvename="CVE-2009-3231" organization="Red Hat" lastmodified="2009-09-24" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 3, 4, or 5, as they do not support LDAP authentication, which was introduced upstream in version 8.2.

This issue was addressed in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1461.html .</statement>
  <statement cvename="CVE-2009-3234" organization="Red Hat" lastmodified="2009-09-21" contributor="Mark J Cox">Not vulnerable. This issue only affected kernels version v2.6.31-rc1 and later. Therefore this issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-3241" organization="Red Hat" lastmodified="2009-09-30" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-3242" organization="Red Hat" lastmodified="2009-09-24" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-3243" organization="Red Hat" lastmodified="2009-09-24" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-3245" organization="Red Hat" lastmodified="2010-03-25" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3245

This issue was fixed in openssl packages in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0162.html

This issue was fixed in openssl096b packages in Red Hat Enterprise Linux 3 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0173.html

The Red Hat Security Response Team has rated this issue as having low security impact on openssl packages in Red Hat Enterprise Linux 3 and 4, a future update may address this flaw.</statement>
  <statement cvename="CVE-2009-3280" organization="Red Hat" lastmodified="2009-09-22" contributor="Tomas Hoger">Not vulnerable. This vulnerability was introduced into the Linux kernel in version 2.6.30-rc1 via upstream commit 2a519311, and therefore does not affect users of Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG.</statement>
  <statement cvename="CVE-2009-3286" organization="Red Hat" lastmodified="2009-11-04" contributor="Tomas Hoger">This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1548.html</statement>
  <statement cvename="CVE-2009-3288" organization="Red Hat" lastmodified="2009-09-22" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. This issue was introduced by upstream commit 10db10d1, and only affected kernels version 2.6.28-rc1 and later.</statement>
  <statement cvename="CVE-2009-3289" organization="Red Hat" lastmodified="2009-09-23" contributor="Joshua Bressers">Not vulnerable. This issue does not affect the versions of glib2 as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-3290" organization="Red Hat" lastmodified="2009-09-22" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-3290

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG as KVM (Kernel-based Virtual Machine) is only supported in Red Hat Enterprise Linux 5. A future kernel update in Red Hat Enterprise Linux 5 will address this flaw.</statement>
  <statement cvename="CVE-2009-3293" organization="Red Hat" lastmodified="2009-11-25" contributor="Tomas Hoger">This problem is not a security flaw in the PHP versions 4.3.5 and later. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3293

PHP versions shipped in Red Hat Enterprise Linux 4 and 5 do not need this fix. We do not plan to address this flaw in Red Hat Enterprise Linux 3.</statement>
  <statement cvename="CVE-2009-3294" organization="Red Hat" lastmodified="2009-09-24" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.</statement>
  <statement cvename="CVE-2009-3295" organization="Red Hat" lastmodified="2010-01-11" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-3389" organization="Red Hat" lastmodified="2009-12-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of libtheora as shipped with Red Hat Enterprise Linux 4, or 5.</statement>
  <statement cvename="CVE-2009-3549" organization="Red Hat" lastmodified="2009-11-02" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.
</statement>
  <statement cvename="CVE-2009-3550" organization="Red Hat" lastmodified="2010-04-20" contributor="Tomas Hoger">The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html</statement>
  <statement cvename="CVE-2009-3551" organization="Red Hat" lastmodified="2009-11-02" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-3555" organization="Red Hat" lastmodified="2009-11-20" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555

Additional information can be found in the Red Hat Knowledgebase article:
http://kbase.redhat.com/faq/docs/DOC-20491</statement>
  <statement cvename="CVE-2009-3556" organization="Red Hat" lastmodified="2010-01-28" contributor="Tomas Hoger">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit d025c9db that introduced the problem.

This upstream commit was backported in Red Hat Enterprise Linux 5 via RHBA-2008:0314 update. Issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html</statement>
  <statement cvename="CVE-2009-3557" organization="Red Hat" lastmodified="2009-11-24" contributor="Tomas Hoger">We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2009-3558" organization="Red Hat" lastmodified="2009-11-24" contributor="Tomas Hoger">We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2009-3564" organization="Red Hat" lastmodified="2009-10-08" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3564

The Red Hat Security Response Team has rated this issue as having low security impact, a future update for Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2009-3607" organization="Red Hat" lastmodified="2009-10-23" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the version of poppler as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2009-3612" organization="Red Hat" lastmodified="2009-12-17" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2009-3612

This issue has been rated as having moderate security impact.

It was addressed in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1670.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively.

A future kernel update in Red Hat Enterprise Linux 4 will address this flaw.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about the Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/</statement>
  <statement cvename="CVE-2009-3621" organization="Red Hat" lastmodified="2009-12-17" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3621

This issue has been rated as having moderate security impact.

It was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1671.html , https://rhn.redhat.com/errata/RHSA-2009-1670.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/</statement>
  <statement cvename="CVE-2009-3623" organization="Red Hat" lastmodified="2009-11-02" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, or Red Hat Enterprise MRG. Those versions do not include the upstream patch that introduced this vulnerability.</statement>
  <statement cvename="CVE-2009-3624" organization="Red Hat" lastmodified="2009-11-02" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, or Red Hat Enterprise MRG. Those versions do not include the upstream patch that introduced this vulnerability.</statement>
  <statement cvename="CVE-2009-3626" organization="Red Hat" lastmodified="2009-10-30" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of perl as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-3627" organization="Red Hat" lastmodified="2009-11-19" contributor="Mark J Cox">This issue does not affect Red Hat Enterprise Linux 3, 4, or 5.

This flaw can only lead to a denial of service if perl-HTML-Parser is used in conjunction with perl 5.10.1. If perl-HTML-Parser is used with earlier versions of perl, this flaw does not lead to a denial of service.</statement>
  <statement cvename="CVE-2009-3638" organization="Red Hat" lastmodified="2009-10-30" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5. KVM is only supported on AMD64/x86_64 architecture on Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2009-3640" organization="Red Hat" lastmodified="2009-10-30" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as it does not contain the patch that introduced this vulnerability (upstream commit f0a3602c).</statement>
  <statement cvename="CVE-2009-3720" organization="Red Hat" lastmodified="2010-03-05" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

The Red Hat Security Response Team has rated this issue as having moderate security impact in Python, a future update may address this flaw. If a system has PyXML installed, Python will use PyXML for expat-related functions and is then not vulnerable to the issue.</statement>
  <statement cvename="CVE-2009-3722" organization="Red Hat" lastmodified="2010-02-11" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3722

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update will address this flaw.</statement>
  <statement cvename="CVE-2009-3725" organization="Red Hat" lastmodified="2009-11-09" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG, as they do not include the upstream change introducing this flaw.</statement>
  <statement cvename="CVE-2009-3726" organization="Red Hat" lastmodified="2009-12-17" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3726.

The Linux kernel as shipped with Red Hat Enterprise Linux 3 did not have support for NFSv4, and therefore is not affected by this issue.

It was addressed in Red Hat Enterprise Linux 5, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1670.html and https://rhn.redhat.com/errata/RHSA-2009-1635.html respectively.

A future kernel update in Red Hat Enterprise Linux 4 will address this issue.</statement>
  <statement cvename="CVE-2009-3765" organization="Red Hat" lastmodified="2009-10-26" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of mutt as shipped with Red Hat Enterprise Linux 3, 4, or 5.
</statement>
  <statement cvename="CVE-2009-3766" organization="Red Hat" lastmodified="2009-11-26" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3766

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2009-3767" organization="OpenLDAP" lastmodified="2009-10-30" contributor="">OpenLDAP reported this issue and published a patch for it on 2009-07-30. The patch was included in OpenLDAP 2.4.18 which was released on 2009-09-06. The current release of OpenLDAP is available from the following location:

http://www.openldap.org/software/download/</statement>
  <statement cvename="CVE-2009-3767" organization="Red Hat" lastmodified="2010-07-20" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3767

This issue was addressed in the openldap packages as shipped with Red Hat Enterprise Linux 5 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0198.html and https://rhn.redhat.com/errata/RHSA-2010-0543.html respectively.

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future openldap update may address this flaw in Red Hat Enterprise Linux 3.</statement>
  <statement cvename="CVE-2009-3829" organization="Red Hat" lastmodified="2010-04-20" contributor="Tomas Hoger">The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html</statement>
  <statement cvename="CVE-2009-3888" organization="Red Hat" lastmodified="2009-11-19" contributor="Joshua Bressers">Not vulnerable. The Linux kernels as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not have MMU disabled, and therefore are not affected by this issue.</statement>
  <statement cvename="CVE-2009-3889" organization="Red Hat" lastmodified="2010-02-04" contributor="Joshua Bressers">This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 3, as it does not implement the sysfs file system ("/sys/"), through which dbg_lvl file is exposed by the megaraid_sas driver.

Issue was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2010-0076.html , https://rhn.redhat.com/errata/RHSA-2010-0046.html and https://rhn.redhat.com/errata/RHSA-2009-1635.html respectively.</statement>
  <statement cvename="CVE-2009-3895" organization="Red Hat" lastmodified="2009-11-23" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of libexif as shipped with Red Hat Enterprise Linux 4, or 5.
</statement>
  <statement cvename="CVE-2009-3938" organization="Red Hat" lastmodified="2009-11-23" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of poppler as shipped with Red Hat Enterprise Linux 5.
</statement>
  <statement cvename="CVE-2009-3939" organization="Red Hat" lastmodified="2010-02-04" contributor="Joshua Bressers">This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 3, as it does not implement the sysfs file system ("/sys/"), through which poll_mode_io file is exposed by the megaraid_sas driver.

Issue was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2010-0076.html , https://rhn.redhat.com/errata/RHSA-2010-0046.html and https://rhn.redhat.com/errata/RHSA-2009-1635.html respectively.</statement>
  <statement cvename="CVE-2009-4004" organization="Red Hat" lastmodified="2009-11-20" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG as KVM (Kernel-based Virtual Machine) is only supported in Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is not vulnerable to this issue because it does not include the change that introduced this buffer overflow vulnerability.</statement>
  <statement cvename="CVE-2009-4005" organization="Red Hat" lastmodified="2010-02-04" contributor="Tomas Hoger">The Linux kernel as shipped with Red Hat Enterprise Linux 3, 5, and Red Hat Enterprise MRG did not include support for the HiSax ISDN driver for Colognechip HFC-S USB chip, and therefore were not affected by this issue.

Issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0076.html</statement>
  <statement cvename="CVE-2009-4018" organization="Red Hat" lastmodified="2009-11-30" contributor="Tomas Hoger">We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2009-4020" organization="Red Hat" lastmodified="2010-02-04" contributor="Mark J Cox">This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG as the affected driver is not enabled in this kernel.

It was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0076.html and https://rhn.redhat.com/errata/RHSA-2010-0046.html respectively.

Red Hat Enterprise Linux 3 is now in Production 3 of the maintenance life-cycle, http://www.redhat.com/security/updates/errata, and this issue is rated as having low impact, therefore the fix for this issue is not currently planned to be included in the future updates.</statement>
  <statement cvename="CVE-2009-4021" organization="Red Hat" lastmodified="2010-01-21" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-4021

The Linux kernel packages as shipped with Red Hat Enterprise Linux 3 and 4 do not include support for FUSE, and therefore are not affected by this issue.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html

A future kernel update for Red Hat Enterprise MRG will address this flaw.</statement>
  <statement cvename="CVE-2009-4026" organization="Red Hat" lastmodified="2009-12-03" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commits d75636ef and d92684e6 that introduced the problem.</statement>
  <statement cvename="CVE-2009-4027" organization="Red Hat" lastmodified="2009-12-03" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2009-4027.

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4 as they do not have support for the mac80211 framework.

It did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG as they do not include the upstream patch that introduced this vulnerability.

A future update will address this flaw in Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2009-4029" organization="Red Hat" lastmodified="2010-03-31" contributor="Mark Cox">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4029

This issue was addressed in the automake, automake14, automake15, automake16 and automake17 packages as shipped with Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0321.html

The Red Hat Security Response Team has rated this issue as having low security impact, there's no plan to address this flaw in automake packages in Red Hat Enterprise Linux 3 and 4.</statement>
  <statement cvename="CVE-2009-4034" organization="Red Hat" lastmodified="2010-01-07" contributor="Mark Cox">This issue is only security-relevant in PostgreSQL versions 8.4 and later as previous versions did not compare the connection host name with the certificate CommonName at all. Client certificate authentication was introduced in version 8.4. Red Hat Enterprise Linux 5 and earlier provided PostgreSQL versions 8.1.x and earlier, and are thus not affected by this issue.
</statement>
  <statement cvename="CVE-2009-4131" organization="Red Hat" lastmodified="2009-12-14" contributor="Mark J Cox">Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG. Those versions do not include the upstream patch that introduced this vulnerability.</statement>
  <statement cvename="CVE-2009-4135" organization="Red Hat" lastmodified="2010-02-26" contributor="Joshua Bressers">This issue does not affect users using coreutils binary RPMs, or rebuilding source RPMs. Therefore, we do not plan to release updates addressing this flaw on Red Hat Enterprise Linux 3, 4 and 5.

For additional details, refer to the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4135</statement>
  <statement cvename="CVE-2009-4136" organization="Red Hat" lastmodified="2010-05-20" contributor="Mark Cox">This issue was addressed in Red Hat Enterprise Linux 3 via https://rhn.redhat.com/errata/RHSA-2010-0427.html

This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0428.html

This issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0429.html and https://rhn.redhat.com/errata/RHSA-2010-0430.html</statement>
  <statement cvename="CVE-2009-4138" organization="Red Hat" lastmodified="2010-01-21" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-4138

The Linux kernel packages as shipped with Red Hat Enterprise Linux 3 and 4 have a different (and older) implementation of the driver for OHCI 1394 controllers, which is not affected by this issue.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html

A future kernel update for Red Hat Enterprise MRG will address this flaw.</statement>
  <statement cvename="CVE-2009-4141" organization="Red Hat" lastmodified="2010-01-21" contributor="Tomas Hoger">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit 233e70f4 that introduced the problem.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html</statement>
  <statement cvename="CVE-2009-4143" organization="Red Hat" lastmodified="2009-12-23" contributor="Tomas Hoger">We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2009-4227" organization="Red Hat" lastmodified="2009-12-15" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-4227

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2009-4228" organization="Red Hat" lastmodified="2009-12-15" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-4228

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2009-4235" organization="Red Hat" lastmodified="2009-12-15" contributor="Tomas Hoger">Red Hat considers this to be a duplicate of the CVE-2009-4033, rather than a separate issue. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=542926#c10</statement>
  <statement cvename="CVE-2009-4270" organization="Red Hat" lastmodified="2009-12-22" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of ghostscript as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-4271" organization="Red Hat" lastmodified="2010-03-22" contributor="Vincent Danen">This security issue did not affect the Linux kernels as shipped with Red Hat Enterprise Linux 3, 5 and Red Hat Enterprise MRG. This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0146.html.</statement>
  <statement cvename="CVE-2009-4272" organization="Red Hat" lastmodified="2010-01-28" contributor="Tomas Hoger">This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commits c6153b5b and 1080d709 that introduced the problem.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html</statement>
  <statement cvename="CVE-2009-4274" organization="Red Hat" lastmodified="2010-02-17" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4274

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2009-4307" organization="Red Hat" lastmodified="2009-12-15" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2009-4307

The Linux kernel packages as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG do not include support for EXT4, and therefore are not affected by this issue.

A future kernel update for Red Hat Enterprise Linux 5 will address this flaw.</statement>
  <statement cvename="CVE-2009-4308" organization="Red Hat" lastmodified="2010-03-17" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2009-4308

The Linux kernel packages as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG do not include support for EXT4, and therefore are not affected by this issue. This issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0147.html.</statement>
  <statement cvename="CVE-2009-4410" organization="Red Hat" lastmodified="2009-12-31" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit 59efec7b that introduced the problem.</statement>
  <statement cvename="CVE-2009-4411" organization="Red Hat" lastmodified="2010-01-21" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of acl as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-4418" organization="Red Hat" lastmodified="2010-01-04" contributor="Tomas Hoger">Red Hat does not consider this to be a security flaw. For further details, see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4418</statement>
  <statement cvename="CVE-2009-4484" organization="Red Hat" lastmodified="2010-01-26" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5. The packages use OpenSSL and not yaSSL.</statement>
  <statement cvename="CVE-2009-4492" organization="Red Hat" lastmodified="2010-01-21" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4492

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.
</statement>
  <statement cvename="CVE-2009-4565" organization="Red Hat" lastmodified="2010-01-21" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-4565

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2009-4629" organization="Red Hat" lastmodified="2010-02-01" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Thunderbird as shipped with Red Hat Enterprise Linux 4 and 5, and Seamonkey as shipped with Red Hat Enterprise Linux 3 and 4.
</statement>
  <statement cvename="CVE-2009-4630" organization="Red Hat" lastmodified="2010-02-01" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of Firefox, Thunderbird, or Seamonkey as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2009-4641" organization="Red Hat" lastmodified="2010-03-17" contributor="Vincent Danen">Not vulnerable. This issue did not affect the versions of gnome-screensaver as shipped with Red Hat Enterprise Linux 5.
</statement>
  <statement cvename="CVE-2009-4835" organization="Red Hat" lastmodified="2010-05-06" contributor="Joshua Bressers">Red Hat does not consider this issue to be a security flaw.

The libsndfile library is not used outside of client applications, where crashes are not considered to be security flaws.</statement>
  <statement cvename="CVE-2010-0136" organization="Red Hat" lastmodified="2010-03-05" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of openoffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2010-0205" organization="Red Hat" lastmodified="2010-07-14" contributor="Tomas Hoger">This issue has been addressed in Red Hat Enterprise Linux 3, 4, and 5 via https://rhn.redhat.com/errata/RHSA-2010-0534.html.</statement>
  <statement cvename="CVE-2010-0277" organization="Red Hat" lastmodified="2010-02-22" contributor="Tomas Hoger">This issue was addressed for Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0115.html

We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3 as the MSN protocol support in the provided version of Pidgin (1.5.1) is out-dated and no longer supported by MSN servers. There are no plans to backport MSN protocol changes for that version of Pidgin.</statement>
  <statement cvename="CVE-2010-0283" organization="Red Hat" lastmodified="2010-02-22" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of MIT Kerberos 5 as shipped with Red Hat Enterprise Linux 3, 4 or 5. Those versions do not contain the vulnerable code that was introduced in krb5 1.7.</statement>
  <statement cvename="CVE-2010-0299" organization="Red Hat" lastmodified="2010-03-12" contributor="Vincent Danen">Not vulnerable. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG did not include support for Devtmpfs, and therefore are not affected by this issue.</statement>
  <statement cvename="CVE-2010-0307" organization="Red Hat" lastmodified="2010-03-17" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0307.

This issue has been rated as having moderate security impact.

This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0146.html. Future updates in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/
</statement>
  <statement cvename="CVE-2010-0308" organization="Red Hat" lastmodified="2010-03-31" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0308

This issue was addressed in the squid packages as shipped with Red Hat Enterprise Linux 5 via:
https://rhn.redhat.com/errata/RHSA-2010-0221.html

The Red Hat Security Response Team has rated this issue as having low security impact, a future squid update may address this flaw in Red Hat Enterprise Linux 3 and 4.</statement>
  <statement cvename="CVE-2010-0393" organization="Red Hat" lastmodified="2010-03-09" contributor="Tomas Hoger">This issue did not affect Red Hat Enterprise Linux 3 and 4 due to the lack of localization in lppasswd as provided in those releases.

The affected code is present in Red Hat Enterprise Linux 5, however lppasswd is not shipped setuid so is not vulnerable to this issue. If a user were to enable the setuid bit on lppasswd, the impact would only be a crash of lppasswd due to use of FORTIFY_SOURCE protections. Therefore, there are no plans to correct this issue in Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2010-0397" organization="Red Hat" lastmodified="2010-03-22" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0397

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2010-0410" organization="Red Hat" lastmodified="2010-03-12" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0410.

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for kernel connectors. Future updates in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2010-0415" organization="Red Hat" lastmodified="2010-03-18" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0415.

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for sys_move_pages. It was only introduced in kernel version 2.6.18 onwards. This was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-9419.html. Future updates in Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2010-0423" organization="Red Hat" lastmodified="2010-02-25" contributor="Tomas Hoger">The Red Hat Security Response Team has rated this issue as having low security impact.

For Red Hat Enterprise Linux 4 and 5, this issue was addressed via https://rhn.redhat.com/errata/RHSA-2010-0115.html

We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3 as the issue only causes Pidgin client to become unresponsive or crash.</statement>
  <statement cvename="CVE-2010-0424" organization="Red Hat" lastmodified="2010-02-26" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.</statement>
  <statement cvename="CVE-2010-0426" organization="Red Hat" lastmodified="2010-03-02" contributor="Tomas Hoger">This issue was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0122.html

It did not affect the versions of the sudo package as shipped with Red Hat Enterprise Linux 3 and 4.</statement>
  <statement cvename="CVE-2010-0427" organization="Red Hat" lastmodified="2010-03-02" contributor="Tomas Hoger">This issue was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0122.html

It did not affect the versions of the sudo packages as shipped with Red Hat Enterprise Linux 3 and 4.</statement>
  <statement cvename="CVE-2010-0434" organization="Red Hat" lastmodified="2010-04-13" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0434

This issue was fixed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0168.html

This issue was fixed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2010-0175.html

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw on Red Hat Enterprise Linux 3. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2010-0437" organization="Red Hat" lastmodified="2010-03-25" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0437.

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for Optimistic Duplicate Address Detection (DAD) in IPv6. This was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-9419.html. A future update in Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2010-0562" organization="Red Hat" lastmodified="2010-02-09" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of fetchmail as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2010-0622" organization="Red Hat" lastmodified="2010-03-12" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0622.

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for priority-inheriting futex. Future updates in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2010-0623" organization="Red Hat" lastmodified="2010-03-12" contributor="Vincent Danen">Not vulnerable. This security issue did not affect the Linux kernels as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG, as they do not include the upstream change that introduced this flaw.</statement>
  <statement cvename="CVE-2010-0628" organization="Red Hat" lastmodified="2010-03-26" contributor="Vincent Danen">Not vulnerable. This flaw does not affect MIT krb5 as provided in Red Hat Enterprise Linux 3, 4, and 5.</statement>
  <statement cvename="CVE-2010-0639" organization="Red Hat" lastmodified="2010-02-16" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 3, 4, or 5. Those versions are not compiled with the support for HTCP protocol.</statement>
  <statement cvename="CVE-2010-0727" organization="Red Hat" lastmodified="2010-04-06" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0727.

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise MRG, as it did not include support for the GFS and GFS2 file systems.

For the GFS issue, it was addressed in Red Hat Enterprise Linux 3 in the gfs package, 4 in the GFS-kernel package, and 5 in the gfs-kmod package, via https://rhn.redhat.com/errata/RHSA-2010-9493.html, https://rhn.redhat.com/errata/RHSA-2010-9494.html, https://rhn.redhat.com/errata/RHSA-2010-0291.html respectively.

For the GFS2 issue, it was addressed in Red Hat Enterprise Linux 5 in the kernel package via https://rhn.redhat.com/errata/RHSA-2010-0178.html.</statement>
  <statement cvename="CVE-2010-0728" organization="Red Hat" lastmodified="2010-03-12" contributor="Vincent Danen">Not vulnerable.

This issue did not affect the versions of the samba package, as shipped with Red Hat Enterprise Linux 3, 4, or 5.

This issue did not affect the version of the samba3x package, as shipped with Red Hat Enterprise Linux 5.</statement>
  <statement cvename="CVE-2010-0729" organization="Red Hat" lastmodified="2010-03-17" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0729.

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 5 or Red Hat Enterprise MRG, as they do not include the internal change introducing this flaw. A future update in Red Hat Enterprise Linux 4 may address this flaw.</statement>
  <statement cvename="CVE-2010-0740" organization="Red Hat" lastmodified="2010-03-27" contributor="Vincent Danen">Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2010-0787" organization="Red Hat" lastmodified="2011-08-29" contributor="Vincent Danen">This issue has been addressed via RHSA-2011:1219 (https://rhn.redhat.com/errata/RHSA-2011-1219.html).</statement>
  <statement cvename="CVE-2010-0789" organization="Red Hat" lastmodified="2010-04-07" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2010-0789

This issue affects Red Hat Enterprise Linux 5 because it ships fusermount suid root; however, the impact of this flaw is minimized due to the fact that only members in group fuse may use it: the executable is owned root:fuse and mode 4750.

Red Hat Enterprise Linux 3 and 4 do not provide the fuse package.

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:

http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2010-0825" organization="Red Hat" lastmodified="2010-04-06" contributor="Joshua Bressers">Not vulnerable. This issue does not affect the versions of emacs or xemacs as shipped with Red Hat Enterprise Linux. The movemail utility in Red Hat Enterprise Linux does not have the setgid bit set, which is required for this flaw to be exploitable.
</statement>
  <statement cvename="CVE-2010-0928" organization="Red Hat" lastmodified="2010-03-08" contributor="Mark Cox">CVE-2010-0928 describes a fault-based attack on OpenSSL where an attacker has precise control over the target system environment in order to be able to introduce faults through power supply manipulation.

The attack is not a viable threat to OpenSSL as used in Red Hat products. The Red Hat Security Response Team has rated this issue as having low security impact and we do not intend to issue updates to address it.</statement>
  <statement cvename="CVE-2010-1083" organization="Red Hat" lastmodified="2010-04-07" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1083

This issue has been rated as having low security impact.

A future update in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG may address this flaw. This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/</statement>
  <statement cvename="CVE-2010-1084" organization="Red Hat" lastmodified="2010-04-07" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1084

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise 3 and 4, as it did not use sysfs files. A future update in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2010-1085" organization="Red Hat" lastmodified="2010-04-07" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1085

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG as they did not include the affected function. A future update in Red Hat Enterprise Linux 4 and 5 may address this flaw.</statement>
  <statement cvename="CVE-2010-1086" organization="Red Hat" lastmodified="2010-04-07" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1086

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for ULE (Unidirectional Lightweight Encapsulation). A future update in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2010-1087" organization="Red Hat" lastmodified="2010-04-07" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1087

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4 as they did not include the upstream commit 150030b7 that had introduced the problem. A future update in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2010-1088" organization="Red Hat" lastmodified="2010-04-07" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1088

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4 as this issue only affects kernel version 2.6.18 and onwards. A future update in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.</statement>
  <statement cvename="CVE-2010-1104" organization="Red Hat" lastmodified="2010-04-21" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2010-1104

The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update may address this flaw.</statement>
  <statement cvename="CVE-2010-1128" organization="Red Hat" lastmodified="2010-04-14" contributor="Joshua Bressers">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=577582

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/</statement>
  <statement cvename="CVE-2010-1129" organization="Red Hat" lastmodified="2010-03-27" contributor="Vincent Danen">We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2010-1130" organization="Red Hat" lastmodified="2010-03-27" contributor="Vincent Danen">We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php</statement>
  <statement cvename="CVE-2010-1146" organization="Red Hat" lastmodified="2010-04-12" contributor="Vincent Danen">Not vulnerable. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG did not include support for reiserfs and therefore are not affected by this issue.</statement>
  <statement cvename="CVE-2010-1148" organization="Red Hat" lastmodified="2010-04-30" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include support for POSIX opens on lookup.</statement>
  <statement cvename="CVE-2010-1157" organization="Red Hat" lastmodified="2010-07-13" contributor="Vincent Danen">For official statement, please refer to: https://www.redhat.com/security/data/cve/CVE-2010-1157.html</statement>
  <statement cvename="CVE-2010-1158" organization="Red Hat" lastmodified="2010-04-22" contributor="Tomas Hoger">The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2010-1160" organization="Red Hat" lastmodified="2010-04-16" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2010-1160

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.</statement>
  <statement cvename="CVE-2010-1161" organization="Red Hat" lastmodified="2010-04-16" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2010-1161

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.</statement>
  <statement cvename="CVE-2010-1167" organization="Red Hat" lastmodified="2010-05-10" contributor="Tomas Hoger">Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1167

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.</statement>
  <statement cvename="CVE-2010-1188" organization="Red Hat" lastmodified="2010-04-09" contributor="Vincent Danen">Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1188

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG, as it was fixed since version v2.6.20-rc6. It was addressed in Red Hat Enterprise Linux 5 in the kernel package via https://rhn.redhat.com/errata/RHSA-2010-0178.html. A future update in Red Hat Enterprise Linux 3 and 4 may address this flaw.</statement>
  <statement cvename="CVE-2010-1878" organization="com_orgchart developer" lastmodified="2010-05-19" contributor="">com_orgchart is a Joomla 1.5.15 native component extension. Following the Joomla! Security component documentation guidelines, the component has been updated to stop Directory Traversal Vulnerability as of 05/19/2010. An update file, orgchart_controller.zip, regarding this issue can be obtained at blueflyingfish.no-ip.biz/orgchart.</statement>
  <statement cvename="CVE-2010-2032" organization="Caucho Technology" lastmodified="2013-01-18" contributor="">Per Caucho Technology, this product has been updated in version 4.0.7.</statement>
  <statement cvename="CVE-2010-2677" organization="openwebanalytics" lastmodified="2010-07-13" contributor="">This issue was resolved in version 1.2.4. The solution is to upgrade to that version.</statement>
  <statement cvename="CVE-2010-3402" organization="UltraEdit" lastmodified="2012-03-06" contributor="ultraedit">This issue was resolved and patched on 9/15/2010.</statement>
  <statement cvename="CVE-2010-3425" organization="smartertools" lastmodified="2010-10-05" contributor="smartertools">SmarterTools has released SmarterStats 5.4.3925, which addresses this security vulnerability as well as the latest ASP.NET vulnerabilities announced by Microsoft. It is recommended to upgrade to the latest version as soon as possible. Download the latest release at http://www.smartertools.com/smarterstats/web-analytics-seo-software-download.aspx. Release notes are available at http://www.smartertools.com/smarterstats/releasenotes/v5.aspx.</statement>
  <statement cvename="CVE-2010-4212" organization="usaa" lastmodified="2010-12-22" contributor="usaa">Contrary to the Wall Street Journal article referenced in this summary, the USAA Android application never allowed attackers to obtain user names or passwords. Limited transactional data was available only if one had physical possession of the device and had access to (and used) extremely sophisticated forensics applications. Although this was a low risk vulnerability, USAA resolved the problem within 24 hours of notification. The resolution of the problem was validated by ViaForensics.</statement>
  <statement cvename="CVE-2010-4353" organization="menalto" lastmodified="2011-03-07" contributor="menalto">This vulnerability is limited to versions of Gallery 3 including Gallery 3 betas and Gallery 3.0.   No versions of Gallery 1 or Gallery 2 are affected.</statement>
  <statement cvename="CVE-2011-3686" organization="Sonexis" lastmodified="2012-08-17" contributor="">Version 9.3 Patch 12 and 10.0.40 Patch 2 were available to customers in early October 2011. V9.2.11 is no longer supported and customers with support are able to upgrade to our latest release which includes the fixes. All customers were notified of the vulnerabilities and the fixes in early October 2011.</statement>
  <statement cvename="CVE-2011-3687" organization="Sonexis" lastmodified="2012-08-17" contributor="">Version 9.3 Patch 12 and 10.0.40 Patch 2 were available to customers in early October 2011. V9.2.11 is no longer supported and customers with support are able to upgrade to our latest release which includes the fixes. All customers were notified of the vulnerabilities and the fixes in early October 2011.</statement>
  <statement cvename="CVE-2011-3688" organization="Sonexis" lastmodified="2012-08-17" contributor="">Version 9.3 Patch 12 and 10.0.40 Patch 2 were available to customers in early October 2011. V9.2.11 is no longer supported and customers with support are able to upgrade to our latest release which includes the fixes. All customers were notified of the vulnerabilities and the fixes in early October 2011.</statement>
  <statement cvename="CVE-2011-5136" organization="EPractize Labs Software" lastmodified="2012-11-29" contributor="">The PHP is used for tracking open email report in Email Marketing Software Express. It will not be called in any of your free subscription manager PHPs. 

We removed showImg.php from the latest version. You can verify at http://www.epractizelabs.com/email-marketing/subscription-manager.html (click download, extract and verify the contents).

</statement>
  <statement cvename="CVE-2012-1195" organization="LANDESK" lastmodified="2012-05-08" contributor="">LANDesk is aware of and has resolved this issue. For tracking purposes within LANDesk this vulnerability was given defect number 30319. This issue was resolved in the LD90-SP3-CP_BASE-2012-0412 component patch, available here: http://community.landesk.com/downloads/patch/component/LD90-SP3-CP_BASE-2012-0412a.exe . For details around other fixes contained in the component patch please refer to http://community.landesk.com/support/docs/DOC-24787</statement>
  <statement cvename="CVE-2012-1196" organization="LANDESK" lastmodified="2012-05-08" contributor="">LANDesk is aware of and has resolved this issue. For tracking purposes within LANDesk this vulnerability was given defect number 30320. This issue was resolved in the LD90-SP3-CP_BASE-2012-0412 component patch, available here: http://community.landesk.com/downloads/patch/component/LD90-SP3-CP_BASE-2012-0412a.exe . For details around other fixes contained in the component patch please refer to http://community.landesk.com/support/docs/DOC-24787</statement>
  <statement cvename="CVE-2012-1841" organization="Quantum Corporation" lastmodified="2012-06-13" contributor="">The vulnerability has never been exploited. However to make sure our customers are protected, all newly shipped versions of the product contain the update that fixes this issue.  An official firmware release that fixes the vulnerability is also available for all existing customers.  The customer data stored on tape cannot be exploited by this vulnerability.</statement>
  <statement cvename="CVE-2012-1842" organization="Quantum Corporation" lastmodified="2012-06-13" contributor="">An authentication is required to exploit this issue. The vulnerability has never been exploited. However to make sure our customers are protected, all newly shipped versions of the product contain the update that fixes this issue. An official firmware release that fixes the vulnerability is also available for all existing customers. The customer data stored on tape cannot be exploited by this vulnerability.</statement>
  <statement cvename="CVE-2012-1843" organization="Quantum Corporation" lastmodified="2012-06-13" contributor="">An authentication is required to exploit this issue. The vulnerability has never been exploited. However to make sure our customers are protected, all newly shipped versions of the product contain the update that fixes this issue. An official firmware release that fixes the vulnerability is also available for all existing customers. The customer data stored on tape cannot be exploited by this vulnerability.</statement>
  <statement cvename="CVE-2012-1844" organization="Quantum Corporation" lastmodified="2012-06-13" contributor="">The vulnerability has never been exploited. However to make sure our customers are protected, all newly shipped versions of the product contain the update that fixes this issue. An official firmware release that fixes the vulnerability is also available for all existing customers. The customer data stored on tape cannot be exploited by this vulnerability.</statement>
  <statement cvename="CVE-2012-2568" organization="Seagate" lastmodified="2012-10-26" contributor="">The latest revision of the Seagate Software now includes a fix, which addresses the previously publicized security hole. We will be communicating this to our installed base of users both by direct email as well as Update notifications sent through the BlackArmor NAS User Interface.

The software updates can be found here: 
http://www.seagate.com/support/external-hard-drives/network-storage/blackarmor-nas-110/banas-110-firmware-master-dl/
http://www.seagate.com/support/external-hard-drives/network-storage/blackarmor-nas-220/banas-220-firmware-master-dl/
http://www.seagate.com/support/external-hard-drives/network-storage/blackarmor-nas-440/banas-440-firmware-master-dl/



Note that there are 3 different versions of the firmware update, which correlate to the number of bays in the hardware (e.g. 1-bay, 2-bay and 4-bay).</statement>
  <statement cvename="CVE-2012-6348" organization="Centrify" lastmodified="2013-02-08" contributor="">Centrify had addressed this issue in an update released on Thursday, Dec 13. The Deployment Manager component is updated to 2.1.5 and it is available in the Suite 2012.5 release, which can be downloaded from: http://www.centrify.com/support/downloadcenter.asp.</statement>
  <statement cvename="CVE-2013-3926" organization="Atlassian" lastmodified="2013-07-09" contributor="">On 30th of June 2013, an article was uploaded to Slashdot regarding
two vulnerabilities in Atlassian Crowd. We had already identified and
fixed the first vulnerability, which affects only standalone Crowd
servers and which the author had labeled CVE-2013-3925. Patches and
updated packages are available at
https://jira.atlassian.com/browse/CWD-3366.

We have been unable to substantiate the existence of the second
alleged vulnerability. The author of the article has not contacted
Atlassian and has provided no details to us, making it difficult to
validate the claim.

While we have been unable to confirm the existence of the second
vulnerability, designated CVE-2013-3926, we are taking it seriously
and have reached out to the author directly for more details. If we
can confirm that there is a vulnerability, a patch will be issued and
all Crowd customers will be emailed details on how to update.</statement>
  <statement cvename="CVE-2013-5092" organization="AlgoSec" lastmodified="2014-08-06" contributor="AlgoSec">This vulnerability has been fixed in AlgoSec Firewall Analyzer version 6.1 and on. 
Customers should upgrade to Firewall Analyzer version 6.1-b157 or later, 6.2-b224 or later, or any version of 6.3 to 6.6.   
Note that Firewall Analyzer 6.1 to 6.4  are already past their end-of-support date, and AlgoSec recommends that customers upgrade to a supported version. As of July 2014 the latest generally available version is 6.6.</statement>
  <statement cvename="CVE-2013-7318" organization="AlgoSec" lastmodified="2014-08-06" contributor="AlgoSec">This vulnerability has been fixed in AlgoSec BusinessFlow version 6.5 and on. 
Customers should upgrade to BusinessFlow version 6.5-b85 or later, or any version of 6.6.   
Note that as of July 2014 the latest generally available version is 6.6.
</statement>
  <statement cvename="CVE-2014-4164" organization="AlgoSec" lastmodified="2014-08-06" contributor="AlgoSec">This vulnerability has been fixed in AlgoSec FireFlow version 6.3 and on. 
Customers should upgrade to FireFlow version 6.3-b119 or later, 6.4-b170 or later, or any version of 6.5 or 6.6.   
Note that FireFlow 6.4 and below are already past their end-of-support date, and AlgoSec recommends that customers upgrade to a supported version. As of July 2014 the latest generally available version is 6.6.</statement>
  <statement cvename="CVE-2014-0329" organization="ZTE" lastmodified="2014-03-13" contributor="a representative">According to the vulnerability found in ZTE ZXV10 W300 router version 2.1.0, a mitigation measure has been adopted in the W300 general frame structure versions after 2011, which means the ZTE ZXV10 W300 router produced since 2011 has closed the telnet default function to avoid the information security incident caused by such vulnerability. If any customer has a special requirement, please follow the instructions in our product manual to open the telnet function, but ZTE will not bear the legal liability for any security incident loss that might be the consequence of this operation. If you have any questions please contact us by calling our 24h service hotline +86-755-26770188.</statement>
  <statement cvename="CVE-2014-2084" organization="Skybox Security" lastmodified="2014-06-09" contributor="Vulnerability Research Team">https://www.skyboxsecurity.com/sites/default/files/file_resources/Skybox_Security_Appliance_Vulnerability.pdf
</statement>
  <statement cvename="CVE-2010-1320" organization="Red Hat" lastmodified="2010-04-22" contributor="Tomas Hoger">Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 3, 4, or 5.</statement>
  <statement cvename="CVE-2014-6881" organization="PNC" lastmodified="2014-10-08" contributor="PNC">The PNC Virtual Wallet (aka com.pnc.ecommerce.mobile.vw.android) application 2.1.1 for Android has been replaced by PNC Virtual Wallet 2.2. Version 2.1.1 is no longer available for use.
</statement>
  <statement cvename="CVE-2014-9113" organization="CCH Group" lastmodified="2014-12-15" contributor="Srinivasu Maradana">A security update has been released on 12/03/2014 to address the vulnerability in CCH Wolters Kluwer ProSystem fx Engagement. This update corrects the permissions on necessary application services. Please see the online release bulletin for instructions on how to apply the security update. 
&lt;a href="https://support.cch.com/updates/Engagement/pdf/Services%20Security%20Update%20-%20Release%20Bulletin%20-%20US.pdf" rel="nofollow">https://support.cch.com/updates/Engagement/pdf/Services%20Security%20Update%20-%20Release%20Bulletin%20-%20US.pdf&lt;/a></statement>
  <statement cvename="CVE-2014-9245" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in 5.0. Will be addressed in next 425 maintenance release.</statement>
  <statement cvename="CVE-2014-9247" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in versions 5.1.1, 4.2.5.SP650, and 4.2.4.SP854</statement>
  <statement cvename="CVE-2014-9248" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in 5.1.1</statement>
  <statement cvename="CVE-2014-9249" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in 5.0.</statement>
  <statement cvename="CVE-2014-9250" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in versions 5.0 and 4.2.5.SP80</statement>
  <statement cvename="CVE-2014-9251" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in 5.1.1</statement>
  <statement cvename="CVE-2014-9252" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in 5.1.1</statement>
  <statement cvename="CVE-2014-9385" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in 5.0.</statement>
  <statement cvename="CVE-2014-9386" organization="Zenoss" lastmodified="2016-03-21" contributor="Zenoss">Addressed in versions 5.0, 4.2.5.SP273, and 4.2.4.SP854</statement>
  <statement cvename="CVE-2011-3385" organization="lepton-cms" lastmodified="2011-10-05" contributor="lepton-cms">1. CVE-2011-3385 does misinterpret the original advisory JVNDB-2011-000067 2. As stated in the original advisory, Lepton is NOT vulnerable to this XSS.</statement>
  <statement cvename="CVE-2014-5360" organization="LANDESK" lastmodified="2016-04-07" contributor="LANDESK">The vulnerability described in CVE-2014-5360 was fixed in Landesk Management Suite (LDMS) version: 9.5 SP3, 9.6 SP1, 10.0. LDMS Customers are encouraged to upgrade to the listed versions or newer.</statement>
  <statement cvename="CVE-2014-5361" organization="LANDESK" lastmodified="2016-04-07" contributor="LANDESK">The vulnerability described in CVE-2014-5361 was fixed in Landesk Management Suite (LDMS) version: 9.5 SP3, 9.6 SP1, 10.0.
LDMS Customers are encouraged to upgrade to the listed versions or newer.
</statement>
  <statement cvename="CVE-2015-1545" organization="openldap.org" lastmodified="2015-02-25" contributor="openldap.org">Note that the deref overlay is not enabled by default, so this vulnerability only affects sites that have explicitly configured their servers to load and enable the overlay. Since this overlay has never been documented, there are no sites outside of the OpenLDAP developer community with a legitimate reason to enable this module.</statement>
  <statement cvename="CVE-2016-1000216" organization="Ruckus Wireless" lastmodified="2017-06-28" contributor="Hemant Bhatnagar">Update on vulnerabilities in Web GUI Interface on Ruckus Unmanaged-APs - CVE-2016-1000213, CVE-2016-1000214, CVE-2016-1000215, CVE-2016-1000216.
https://www.ruckuswireless.com/security
http://b910a83a1a1fa9c20d93-2435f2f08e773abe005b52170fce6d94.r84.cf2.rackcdn.com/security/faq-security-advisory-id-062117.txt</statement>
  <statement cvename="CVE-2016-1000213" organization="Ruckus Wireless" lastmodified="2017-06-28" contributor="Hemant Bhatnagar">Update on vulnerabilities in Web GUI Interface on Ruckus Unmanaged-APs - CVE-2016-1000213, CVE-2016-1000214, CVE-2016-1000215, CVE-2016-1000216.
https://www.ruckuswireless.com/security
http://b910a83a1a1fa9c20d93-2435f2f08e773abe005b52170fce6d94.r84.cf2.rackcdn.com/security/faq-security-advisory-id-062117.txt</statement>
  <statement cvename="CVE-2016-1000214" organization="Ruckus Wireless" lastmodified="2017-06-28" contributor="Hemant Bhatnagar">Update on vulnerabilities in Web GUI Interface on Ruckus Unmanaged-APs - CVE-2016-1000213, CVE-2016-1000214, CVE-2016-1000215, CVE-2016-1000216.
https://www.ruckuswireless.com/security
http://b910a83a1a1fa9c20d93-2435f2f08e773abe005b52170fce6d94.r84.cf2.rackcdn.com/security/faq-security-advisory-id-062117.txt</statement>
  <statement cvename="CVE-2016-1000215" organization="Ruckus Wireless" lastmodified="2017-06-28" contributor="Hemant Bhatnagar">Update on vulnerabilities in Web GUI Interface on Ruckus Unmanaged-APs - CVE-2016-1000213, CVE-2016-1000214, CVE-2016-1000215, CVE-2016-1000216.
https://www.ruckuswireless.com/security
http://b910a83a1a1fa9c20d93-2435f2f08e773abe005b52170fce6d94.r84.cf2.rackcdn.com/security/faq-security-advisory-id-062117.txt</statement>
  <statement cvename="CVE-2016-10108" organization="Western Digital" lastmodified="2017-01-09" contributor="Western Digital">This was resolved via My Cloud product firmware update 2.11.157 for the My Cloud EX2, EX4, and Mirror (Gen 1) models, and My Cloud product firmware update 2.21.126 for all other affected My Cloud models (My Cloud, PR 4100, PR2100, DL4100, DL2100, EX4100, EX2100, EX2 Ultra models).  The firmware updates were made available December 20, 2016.  The product firmware updates are available through the Update Firmware option on the My Cloud device itself or from the specific My Cloud product model’s support page at: http://support.wdc.com/downloads.aspx?g=904&amp;lang=en#downloads .</statement>
  <statement cvename="CVE-2016-10395" organization="Flexera Software" lastmodified="2017-08-16" contributor="Flexera Software">The vulnerability has been analyzed by us as to be exploitable through a locally authenticated user solely in this context. Thus, we assigned the following CVSS metrics and scores for the vulnerability with the CVE identifier CVE-2016-10395:
CVSS version 2: AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSS version 3: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C</statement>
  <statement cvename="CVE-2017-16789" organization="Integration Matters" lastmodified="2018-01-18" contributor="Hendrik Siegeln">The reported vulnerability was fixed in version 3.2.0 Hotfix 3 of the affected product. The new version was made available on June-28-2017 to all customers.
We encourage all customers to upgrade to at least the mentioned hot fix level. Reference web sites:
https://www.integrationmatters.com/downloads/software/
https://support.integrationmatters.com</statement>
  <statement cvename="CVE-2018-6522" organization="INCA Internet" lastmodified="2018-02-21" contributor="Tom Lee">The reported vulnerability is fixed in version 4.0.0.39 of nProtect AVS.
The fixed version (V4.0.0.39) can be downloaded through the link below.
Please download the latest version of nProtect AVS.

Download link: http://avsd.nprotect.net/avs40/setup/nProtectSetup_AVS40.exe</statement>
  <statement cvename="CVE-2018-6523" organization="INCA Internet" lastmodified="2018-02-21" contributor="Tom Lee">The reported vulnerability is fixed in version 4.0.0.39 of nProtect AVS.
The fixed version (V4.0.0.39) can be downloaded through the link below.
Please download the latest version of nProtect AVS.

Download link: http://avsd.nprotect.net/avs40/setup/nProtectSetup_AVS40.exe</statement>
  <statement cvename="CVE-2018-6524" organization="INCA Internet" lastmodified="2018-02-21" contributor="Tom Lee">The reported vulnerability is fixed in version 4.0.0.39 of nProtect AVS.
The fixed version (V4.0.0.39) can be downloaded through the link below.
Please download the latest version of nProtect AVS.

Download link: http://avsd.nprotect.net/avs40/setup/nProtectSetup_AVS40.exe</statement>
  <statement cvename="CVE-2018-6525" organization="INCA Internet" lastmodified="2018-02-21" contributor="Tom Lee">The reported vulnerability is fixed in version 4.0.0.39 of nProtect AVS.
The fixed version (V4.0.0.39) can be downloaded through the link below.
Please download the latest version of nProtect AVS.

Download link: http://avsd.nprotect.net/avs40/setup/nProtectSetup_AVS40.exe</statement>
  <statement cvename="CVE-2018-8754" organization="libevt" lastmodified="2018-07-11" contributor="Joachim Metz">For a project specific advisory see: https://github.com/libyal/libevt/issues/5.</statement>
  <statement cvename="CVE-2018-11723" organization="libpff" lastmodified="2018-08-10" contributor="Joachim Metz">For more information please visit https://github.com/libyal/libpff/issues/66.</statement>
  <statement cvename="CVE-2018-11727" organization="libfsntfs" lastmodified="2018-08-09" contributor="Joachim Metz">See https://github.com/libyal/libfsntfs/issues/8 for more information.</statement>
  <statement cvename="CVE-2018-11728" organization="libfsntfs" lastmodified="2018-08-09" contributor="Joachim Metz">See https://github.com/libyal/libfsntfs/issues/8 for more information.</statement>
  <statement cvename="CVE-2018-11729" organization="libfsntfs" lastmodified="2018-08-09" contributor="Joachim Metz">See https://github.com/libyal/libfsntfs/issues/8 for more information.</statement>
  <statement cvename="CVE-2018-11730" organization="libfsntfs" lastmodified="2018-08-09" contributor="Joachim Metz">See https://github.com/libyal/libfsntfs/issues/8 for more information.</statement>
  <statement cvename="CVE-2018-11731" organization="libfsntfs" lastmodified="2018-08-09" contributor="Joachim Metz">See https://github.com/libyal/libfsntfs/issues/8 for more information.</statement>
  <statement cvename="CVE-2018-12096" organization="liblnk" lastmodified="2018-08-10" contributor="Joachim Metz">For more information please visit https://github.com/libyal/liblnk/issues/33.</statement>
  <statement cvename="CVE-2018-12097" organization="liblnk" lastmodified="2018-08-10" contributor="Joachim Metz">For more information please visit https://github.com/libyal/liblnk/issues/33.</statement>
  <statement cvename="CVE-2018-12098" organization="liblnk" lastmodified="2018-08-10" contributor="Joachim Metz">For more information please visit https://github.com/libyal/liblnk/issues/33.</statement>
  <statement cvename="CVE-2018-10633" organization="Universal Robots" lastmodified="2022-04-12" contributor="Grzegorz Zieba">Starting with software version 5.10 (e-series), it is possible to set system administrator credentials. Universal Robots recommends that all users change the default password and securely document the password.

CB2 and CB3 cobots are designed to be operating in factory networks where security relies on boundary protection (firewalls) and trusted clients on the network. They must only be connected to trusted networks and operated by authorized personnel.
</statement>
  <statement cvename="CVE-2018-10635" organization="Universal Robots" lastmodified="2022-04-12" contributor="Grzegorz Zieba">Software version 5.10 brings improvements to usability and configurability of Secure Shell Protocol (SSH), such that tunneling can be used to secure primary, secondary, RT, RTDE, DashBoard server and other interfaces. Universal Robots recommends that all users use SSH tunneling to access these interfaces in applications requiring authentication and encryption.

Additionally, SW version 5.10 includes a built-in configurable firewall, allowing fine-grained restrictions of remote access, and a number of other security improvements. Universal Robots (UR) recommends always using the latest UR software, as security improvements will be rolled out continuously.

CB2 and CB3 cobots are designed to be operating in factory networks where security relies on boundary protection (firewalls) and trusted clients on the network. They must only be connected to trusted networks and operated by authorized personnel.
</statement>
  <statement cvename="CVE-2018-14443" organization="libredwg" lastmodified="2018-08-13" contributor="Reini Urban">This issue has been resolved in the latest release of libredwg-0.6. See https://savannah.gnu.org/forum/forum.php?forum_id=9211.</statement>
  <statement cvename="CVE-2018-14471" organization="libredwg" lastmodified="2018-08-13" contributor="Reini Urban">This issue has been resolved in the latest release of libredwg-0.6. See https://savannah.gnu.org/forum/forum.php?forum_id=9211.</statement>
  <statement cvename="CVE-2018-14524" organization="libredwg" lastmodified="2018-08-13" contributor="Reini Urban">This issue has been resolved in the latest release of libredwg-0.6. See https://savannah.gnu.org/forum/forum.php?forum_id=9211.</statement>
  <statement cvename="CVE-2019-9484" organization="Glen Dimplex Deutschland GmbH" lastmodified="2020-05-29" contributor="Bernd Muller">Glen Dimplex Deutschland GmbH does not deliver the Carel pCOweb card with an open port 10000 or 10001. 
The shown password ‘1234’ on the webpage is not being used in any current application. 
It was being used in former times together with a connection via modem, this is not realized anymore.
More details to the current application: www.dimplex.de/wiki.</statement>
  <statement cvename="CVE-2019-0090" organization="Intel" lastmodified="2019-11-08" contributor="Intel PSIRT">After an attacker gains access, they would need to invest additional effort in preparation or execution of the vulnerable component in order to use this vulnerability.</statement>
  <statement cvename="CVE-2019-19033" organization="Jalios" lastmodified="2019-12-06" contributor="Olivier Jaquemet">Jalios confirms this vulnerability which affects a plugin (extension) of Jalios JPlatform which must only be used in development environment: the DevTools Plugin.

All our SaaS customers were already protected from this vulnerability as this plugin is not enabled in their production environment.
All our other customers were informed of the vulnerability as soon as the official fix was available.

Fixed versions of the DevTools plugin have officially been published for our customers:
https://community.jalios.com/jcms/jc2_361389/en/dev-tools-plugin-8-1

We would like to thank Ricardo José Ruiz Fernández for his responsible disclosure.</statement>
  <statement cvename="CVE-2020-10264" organization="Universal Robots" lastmodified="2022-04-12" contributor="Grzegorz Zieba">Software version 5.10 brings improvements to usability and configurability of Secure Shell Protocol (SSH), such that tunneling can be used to secure primary, secondary, RT, RTDE, DashBoard server and other interfaces. Universal Robots recommends that all users use SSH tunneling to access these interfaces in applications requiring authentication and encryption.

Additionally, SW version 5.10 includes a built-in configurable firewall, allowing fine-grained restrictions of remote access, and a number of other security improvements. Universal Robots (UR) recommends always using the latest UR software, as security improvements will be rolled out continuously.

CB2 and CB3 cobots are designed to be operating in factory networks where security relies on boundary protection (firewalls) and trusted clients on the network. They must only be connected to trusted networks and operated by authorized personnel.

</statement>
  <statement cvename="CVE-2020-10265" organization="Universal Robots" lastmodified="2022-04-12" contributor="Grzegorz Zieba">Software version 5.10 brings improvements to usability and configurability of Secure Shell Protocol (SSH), such that tunneling can be used to secure primary, secondary, RT, RTDE, DashBoard server and other interfaces. Universal Robots recommends that all users use SSH tunneling to access these interfaces in applications requiring authentication and encryption.

Additionally, SW version 5.10 includes a built-in configurable firewall, allowing fine-grained restrictions of remote access, and a number of other security improvements. Universal Robots (UR) recommends always using the latest UR software, as security improvements will be rolled out continuously.

CB2 and CB3 cobots are designed to be operating in factory networks where security relies on boundary protection (firewalls) and trusted clients on the network. They must only be connected to trusted networks and operated by authorized personnel.
</statement>
  <statement cvename="CVE-2020-12133" organization="Furukawa Electric" lastmodified="2020-05-22" contributor="Sergio Roberto Scarpin">The vulnerability CVE-2020-12133 has been fixed at version 2.8.5.4 released May 18th, 2020.
Customers are advised to update to the latest version, or contact your integrator’s Technical Support if needed.</statement>
  <statement cvename="CVE-2020-13656" organization="Morgan Stanley" lastmodified="2020-11-09" contributor="opensource@morganstanley.com">The issue outlined in the CVE has been addressed in the latest release of Hobbes as of September 29, 2020. More information on the usage of Hobbes is detailed in the README.md of the project at https://github.com/Morgan-Stanley/hobbes</statement>
  <statement cvename="CVE-2021-41874" organization="Portainer" lastmodified="2022-03-28" contributor="Yi Chen">Portainer has received no detail of this CVE report. There is also no response after multiple attempts of contacting the original source, CNVD.</statement>
</vendorstatements:vendorstatements>