Security Advisory Low: Red Hat Network Satellite Server security update

Advisory: RHSA-2008:0524-4
Type: Security Advisory
Severity: Low
Issued on: 2008-06-30
Last updated on: 2008-06-30
Affected Products: Red Hat Network Satellite (v. 4.2 for RHEL 3)
Red Hat Network Satellite (v. 4.2 for RHEL 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2004-0687
CVE-2004-0688
CVE-2004-0885
CVE-2004-0914
CVE-2005-0605
CVE-2005-2090
CVE-2005-3510
CVE-2005-3964
CVE-2005-4838
CVE-2006-0254
CVE-2006-0898
CVE-2006-1329
CVE-2006-3835
CVE-2006-5752
CVE-2006-7195
CVE-2006-7196
CVE-2006-7197
CVE-2007-0243
CVE-2007-0450
CVE-2007-1349
CVE-2007-1355
CVE-2007-1358
CVE-2007-1860
CVE-2007-2435
CVE-2007-2449
CVE-2007-2450
CVE-2007-2788
CVE-2007-2789
CVE-2007-3304
CVE-2007-3382
CVE-2007-3385
CVE-2007-4465
CVE-2007-5000
CVE-2007-5461
CVE-2007-6306
CVE-2007-6388
CVE-2008-0128

Details

Red Hat Network Satellite Server version 4.2.3 is now available. This
update includes fixes for a number of security issues in Red Hat Network
Satellite Server components.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

This release corrects several security vulnerabilities in various
components shipped as part of the Red Hat Network Satellite Server 4.2. In
a typical operating environment, these components are not exposed to users
of Satellite Server in a vulnerable manner. These security updates will
reduce risk in unique Satellite Server environments.

Multiple flaws were fixed in the Apache HTTPD server. These flaws could
result in cross-site scripting, denial-of-service, or information
disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197,
CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388)

A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)

A denial-of-service flaw was fixed in the jabberd server. (CVE-2006-1329)

Multiple cross-site scripting flaws were fixed in the image map feature in
the JFreeChart package. (CVE-2007-6306)

Multiple flaws were fixed in the IBM Java 1.4.2 Runtime. (CVE-2007-0243,
CVE-2007-2435, CVE-2007-2788, CVE-2007-2789)

Multiple flaws were fixed in the OpenMotif package. (CVE-2004-0687,
CVE-2004-0688, CVE-2004-0914, CVE-2005-3964, CVE-2005-0605)

A flaw which could result in weak encryption was fixed in the
perl-Crypt-CBC package. (CVE-2006-0898)

Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128,
CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355,
CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195,
CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510)

Users of Red Hat Network Satellite Server 4.2 are advised to upgrade to
4.2.3, which resolves these issues.


Solution

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://www.redhat.com/docs/manuals/satellite/Red_Hat_Network_Satellite-5.0.0/html/Installation_Guide/s1-maintenance-update.html

Updated packages

Red Hat Network Satellite (v. 4.2 for RHEL 3)

IA-32:
jabberd-2.0s10-3.37.rhn.i386.rpm     0a46e522e813a3bfe3535ca160e79d84
java-1.4.2-ibm-1.4.2.10-1jpp.2.el3.i386.rpm     8b59d4cf267b34a33d9b1006ab1d073d
java-1.4.2-ibm-devel-1.4.2.10-1jpp.2.el3.i386.rpm     d14c869079af00011765886a183cc6bf
jfreechart-0.9.20-3.rhn.noarch.rpm     cfc7603d28a252820ca9f9fa299b8f4f
openmotif21-2.1.30-9.RHEL3.8.i386.rpm     f967a096613c81481b1c75fa6527839b
perl-Crypt-CBC-2.24-1.el3.noarch.rpm     560c4c4348b1724faade224bae9df6cb
rhn-apache-1.3.27-36.rhn.rhel3.i386.rpm     cb3a9fe3d812d4e5b1d0549e8e383b70
rhn-modjk-ap13-1.2.23-2rhn.rhel3.i386.rpm     1cc2bb860f83c2cf6673d2a3f40238ac
rhn-modperl-1.29-16.rhel3.i386.rpm     7993bda4c88dc6c4e1d2ce0cad27a31f
rhn-modssl-2.8.12-8.rhn.10.rhel3.i386.rpm     1b016725a27106c0b767fc8d6422ce8d
tomcat5-5.0.30-0jpp_10rh.noarch.rpm     0b2b76b8b4354872ba7446bfcc192057
 
Red Hat Network Satellite (v. 4.2 for RHEL 4)

IA-32:
jabberd-2.0s10-3.38.rhn.i386.rpm     440264de62e1ae9823420f65bb300f21
java-1.4.2-ibm-1.4.2.10-1jpp.2.el4.i386.rpm     fe4df09b5a85c2eca36e7b902d0b2eb9
java-1.4.2-ibm-devel-1.4.2.10-1jpp.2.el4.i386.rpm     c7ed9ed7678804afc67f53c272ecfa03
jfreechart-0.9.20-3.rhn.noarch.rpm     cfc7603d28a252820ca9f9fa299b8f4f
openmotif21-2.1.30-11.RHEL4.6.i386.rpm     b6c22bbfc3e1f050e550c168b44cf549
perl-Crypt-CBC-2.24-1.el4.noarch.rpm     035aa79fece479a9264aa58309398e16
rhn-apache-1.3.27-36.rhn.rhel4.i386.rpm     47d7b59505e01838fc950fff48a10e30
rhn-modjk-ap13-1.2.23-2rhn.rhel4.i386.rpm     279d911353870b08ab9ed0bfecc36270
rhn-modperl-1.29-16.rhel4.i386.rpm     b43b815d38624d07da55121b3917a2f3
rhn-modssl-2.8.12-8.rhn.10.rhel4.i386.rpm     2942d45773576250c6092b7710f0d5a9
tomcat5-5.0.30-0jpp_10rh.noarch.rpm     0b2b76b8b4354872ba7446bfcc192057
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

449337 - Bring various components of Satellite Server 4.2 up to date


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128
http://www.redhat.com/security/updates/classification/#low


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/