Red Hat Customer Portal


Security Advisory (Moderate): Red Hat Network Satellite Server security update

Advisory: RHSA-2008:0261-4
Type: Security Advisory
Severity: Moderate
Issued on: 2008-05-20
Last updated on: 2008-05-20
Affected Products: Red Hat Network Satellite (v. 5.0 for RHEL 4)
CVEs (cve.mitre.org): CVE-2004-0885, CVE-2005-0605, CVE-2005-2090, CVE-2005-3510, CVE-2005-3964, CVE-2005-4838, CVE-2006-0254, CVE-2006-0898, CVE-2006-1329, CVE-2006-3835, CVE-2006-5752, CVE-2006-7195, CVE-2006-7196, CVE-2006-7197, CVE-2007-0243, CVE-2007-0450, CVE-2007-1349, CVE-2007-1355, CVE-2007-1358, CVE-2007-1860, CVE-2007-2435, CVE-2007-2449, CVE-2007-2450, CVE-2007-2788, CVE-2007-2789, CVE-2007-3304, CVE-2007-3382, CVE-2007-3385, CVE-2007-4465, CVE-2007-5000, CVE-2007-5461, CVE-2007-5961, CVE-2007-6306, CVE-2007-6388, CVE-2008-0128

Details

Red Hat Network Satellite Server version 5.0.2 is now available. This
update includes fixes for a number of security issues in Red Hat Network
Satellite Server components.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

During an internal security review, a cross-site scripting flaw was found
that affected the Red Hat Network channel search feature. (CVE-2007-5961)

This release also corrects several security vulnerabilities in various
components shipped as part of the Red Hat Network Satellite Server. In a
typical operating environment, these components are not exposed to users of
Satellite Server in a vulnerable manner. These security updates reduce
risk in non-standard Satellite Server environments.

Multiple flaws were fixed in the Apache HTTPD server. These flaws could
result in cross-site scripting, denial-of-service, or information
disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197,
CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388)

A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)

A denial-of-service flaw was fixed in the jabberd server. (CVE-2006-1329)

Multiple cross-site scripting flaws were fixed in the image map feature in
the JFreeChart package. (CVE-2007-6306)

Multiple flaws were fixed in the IBM Java 1.4.2 Runtime. (CVE-2007-0243,
CVE-2007-2435, CVE-2007-2788, CVE-2007-2789)

Two arbitrary code execution flaws were fixed in the OpenMotif package.
(CVE-2005-3964, CVE-2005-0605)

A flaw which could result in weak encryption was fixed in the
perl-Crypt-CBC package. (CVE-2006-0898)

Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128,
CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355,
CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195,
CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510)

Users of Red Hat Network Satellite Server 5.0 are advised to upgrade to
5.0.2, which resolves these issues.


Solution

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://www.redhat.com/docs/manuals/satellite/Red_Hat_Network_Satellite-5.0.0/html/Installation_Guide/s1-maintenance-update.html

Updated packages

Red Hat Network Satellite (v. 5.0 for RHEL 4)

SRPMS:
openmotif21-2.1.30-11.RHEL4.6.src.rpm     MD5: 8577b23d018284251736940b53994664
perl-Crypt-CBC-2.24-1.el4.src.rpm     MD5: 7e9eebbedaa008aaabad10bf72e2d530
 
IA-32:
jabberd-2.0s10-3.38.rhn.i386.rpm     MD5: 440264de62e1ae9823420f65bb300f21
java-1.4.2-ibm-1.4.2.10-1jpp.2.el4.i386.rpm     MD5: fe4df09b5a85c2eca36e7b902d0b2eb9
java-1.4.2-ibm-devel-1.4.2.10-1jpp.2.el4.i386.rpm     MD5: c7ed9ed7678804afc67f53c272ecfa03
jfreechart-0.9.20-3.rhn.noarch.rpm     MD5: cfc7603d28a252820ca9f9fa299b8f4f
openmotif21-2.1.30-11.RHEL4.6.i386.rpm     MD5: b6c22bbfc3e1f050e550c168b44cf549
perl-Crypt-CBC-2.24-1.el4.noarch.rpm     MD5: 035aa79fece479a9264aa58309398e16
rhn-apache-1.3.27-36.rhn.rhel4.i386.rpm     MD5: 47d7b59505e01838fc950fff48a10e30
rhn-modjk-ap13-1.2.23-2rhn.rhel4.i386.rpm     MD5: 279d911353870b08ab9ed0bfecc36270
rhn-modperl-1.29-16.rhel4.i386.rpm     MD5: b43b815d38624d07da55121b3917a2f3
rhn-modssl-2.8.12-8.rhn.10.rhel4.i386.rpm     MD5: 2942d45773576250c6092b7710f0d5a9
tomcat5-5.0.30-0jpp_10rh.noarch.rpm     MD5: 0b2b76b8b4354872ba7446bfcc192057     (File outdated by: RHSA-2008:1007)
 
(The unlinked packages above are only available from the Red Hat Network)
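The package list above is the data an administrator checks downloaded RPMs against before applying the update. The following is an added example, not Red Hat's own tooling: it parses an advisory-style package list (including the split form where a "File outdated by:" note separates a package name from its MD5 line), then compares files in a download directory against the listed digests. The excerpt embedded in the code is constructed from entries on this page. The MD5 values are only what the advisory printed; the authoritative integrity check remains the package GPG signature (`rpm -K <file>`), which this example does not replace.

```python
import hashlib
import os
import re

# Constructed excerpt of the advisory's "Updated packages" list, including the
# tomcat5 entry whose MD5 was pushed to a later line by "File outdated by:".
ADVISORY_EXCERPT = """\
IA-32:
jfreechart-0.9.20-3.rhn.noarch.rpm     MD5: cfc7603d28a252820ca9f9fa299b8f4f
tomcat5-5.0.30-0jpp_10rh.noarch.rpm
File outdated by:  RHSA-2008:1007
    MD5: 0b2b76b8b4354872ba7446bfcc192057
"""

RPM_RE = re.compile(r"^(\S+\.rpm)(?:\s+MD5:\s*([0-9a-f]{32}))?$")
MD5_RE = re.compile(r"^\s*MD5:\s*([0-9a-f]{32})\s*$")


def parse_package_list(text):
    """Map rpm filename -> expected MD5, tolerating the split two-line form."""
    expected, pending = {}, None  # pending: rpm name still awaiting its MD5
    for line in text.splitlines():
        m = RPM_RE.match(line.strip())
        if m:
            if m.group(2):
                expected[m.group(1)] = m.group(2)
                pending = None
            else:
                pending = m.group(1)  # MD5 follows on a later line
            continue
        m = MD5_RE.match(line)
        if m and pending:
            expected[pending], pending = m.group(1), None
    return expected


def classify(expected_md5, data):
    """'ok' if data hashes to the advisory's MD5, else 'mismatch'."""
    return "ok" if hashlib.md5(data).hexdigest() == expected_md5 else "mismatch"


def verify_downloads(expected, directory):
    """Check every listed rpm in directory; returns name -> ok/mismatch/missing."""
    result = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
            continue
        with open(path, "rb") as fh:
            result[name] = classify(digest, fh.read())
    return result
```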

Bugs fixed (see bugzilla for more information)

396641 - CVE-2007-5961 RHN XSS flaw
444136 - Bring various components of Satellite Server 5.0 up to date


References

https://www.redhat.com/security/data/cve/CVE-2004-0885.html
https://www.redhat.com/security/data/cve/CVE-2005-0605.html
https://www.redhat.com/security/data/cve/CVE-2005-2090.html
https://www.redhat.com/security/data/cve/CVE-2005-3510.html
https://www.redhat.com/security/data/cve/CVE-2005-3964.html
https://www.redhat.com/security/data/cve/CVE-2005-4838.html
https://www.redhat.com/security/data/cve/CVE-2006-0254.html
https://www.redhat.com/security/data/cve/CVE-2006-0898.html
https://www.redhat.com/security/data/cve/CVE-2006-1329.html
https://www.redhat.com/security/data/cve/CVE-2006-3835.html
https://www.redhat.com/security/data/cve/CVE-2006-5752.html
https://www.redhat.com/security/data/cve/CVE-2006-7195.html
https://www.redhat.com/security/data/cve/CVE-2006-7196.html
https://www.redhat.com/security/data/cve/CVE-2006-7197.html
https://www.redhat.com/security/data/cve/CVE-2007-0243.html
https://www.redhat.com/security/data/cve/CVE-2007-0450.html
https://www.redhat.com/security/data/cve/CVE-2007-1349.html
https://www.redhat.com/security/data/cve/CVE-2007-1355.html
https://www.redhat.com/security/data/cve/CVE-2007-1358.html
https://www.redhat.com/security/data/cve/CVE-2007-1860.html
https://www.redhat.com/security/data/cve/CVE-2007-2435.html
https://www.redhat.com/security/data/cve/CVE-2007-2449.html
https://www.redhat.com/security/data/cve/CVE-2007-2450.html
https://www.redhat.com/security/data/cve/CVE-2007-2788.html
https://www.redhat.com/security/data/cve/CVE-2007-2789.html
https://www.redhat.com/security/data/cve/CVE-2007-3304.html
https://www.redhat.com/security/data/cve/CVE-2007-3382.html
https://www.redhat.com/security/data/cve/CVE-2007-3385.html
https://www.redhat.com/security/data/cve/CVE-2007-4465.html
https://www.redhat.com/security/data/cve/CVE-2007-5000.html
https://www.redhat.com/security/data/cve/CVE-2007-5461.html
https://www.redhat.com/security/data/cve/CVE-2007-5961.html
https://www.redhat.com/security/data/cve/CVE-2007-6306.html
https://www.redhat.com/security/data/cve/CVE-2007-6388.html
https://www.redhat.com/security/data/cve/CVE-2008-0128.html
http://www.redhat.com/security/updates/classification/#moderate


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/