Download
| Alert*
oval:org.secpod.oval:def:34292
Apple Mac OS X Server 10.9 (Maverick) is installed oval:org.secpod.oval:def:205734 Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 oval:org.secpod.oval:def:205743 Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 Af ... oval:org.secpod.oval:def:205524 Network Block Device is a protocol for accessing hard disks and other disk-like devices over the network. The nbdkit toolkit utilizes NBD to create servers with minimal dependencies. The package contains plug-in support for the C and Python programming languages. Security Fix: * nbdkit: denial of s ... oval:org.secpod.oval:def:205646 Universal Office Converter is a command line tool to convert any document format that LibreOffice can import to any document format that LibreOffice can export. It makes use of the LibreOffice"s UNO bindings for non-interactive conversion of documents. Security Fix: * unoconv: mishandling of pathna ... oval:org.secpod.oval:def:205258 GVFS is the GNOME Desktop Virtual File System layer that allows users to easily access local and remote data using File Transfer Protocol , Secure Shell File Transfer Protocol , Web Distributed Authoring and Versioning , Common Internet File System , Server Message Block , and other protocols. GVFS ... oval:org.secpod.oval:def:205349 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Security Fix: * mercurial: Buffer underflow in mpatch.c:mpatch_apply * mercurial: HTTP server permissions bypass * mercurial: Missing check for fragment start posit ... oval:org.secpod.oval:def:203487 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security . The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One parsing and structures management, and Distinguished Encoding Rules encoding and ... oval:org.secpod.oval:def:203484 The kdenetwork packages contain networking applications for the K Desktop Environment . Krfb Desktop Sharing, which is a part of the kdenetwork package, is a server application that allows session sharing between users. Krfb uses the LibVNCServer library. A NULL pointer dereference flaw was found in ... oval:org.secpod.oval:def:203489 LibVNCServer is a library that allows for easy creation of VNC server or client functionality. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way screen sizes were handled by LibVNCServer. A malicious VNC server could use this flaw to cause a client to crash or, ... oval:org.secpod.oval:def:203471 The wget package provides the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode to write an arbitrary file to a location writable to by the user running Wget ... oval:org.secpod.oval:def:203470 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU"s VGA emulator accessed frame buffer memory for high resolution displays. A ... oval:org.secpod.oval:def:203477 The cups-filters package contains backends, filters, and other software that was once part of the core CUPS distribution but is now maintained independently. An out-of-bounds read flaw was found in the way the process_browse_data function of cups-browsed handled certain browse packets. A remote atta ... oval:org.secpod.oval:def:204795 The golang packages provide the Go programming language compiler. The following packages have been upgraded to a later upstream version: golang . Security Fix: * golang: arbitrary code execution during "go get" or "go get -d" * golang: smtp.PlainAuth susceptible to man-in-the-m ... oval:org.secpod.oval:def:204788 The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fix: * gcc: GCC generates incorrect code for RDRAND/RDSEED intrinsics For more details about the security issue, including the impact, a CVSS score, and other re ... oval:org.secpod.oval:def:203456 OpenSSL is a toolkit that implements the Secure Sockets Layer, Transport Layer Security, and Datagram Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. This update adds support for the TLS Fallback Signaling Cipher Suite Value, which can be used to ... oval:org.secpod.oval:def:203491 The wpa_supplicant package contains an 802.1X Supplicant with support for WEP, WPA, WPA2 , and various EAP authentication methods. It implements key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. A ... oval:org.secpod.oval:def:203880 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit for compiling and executing Java programs. Security Fix: * An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet cou ... oval:org.secpod.oval:def:203887 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ... oval:org.secpod.oval:def:204734 The linux-firmware packages contain all of the firmware files that are required by various devices to operate. This update supersedes microcode provided by Red Hat with the CVE-2017-5715 CPU branch injection vulnerability mitigation. Further testing has uncovered problems with the microcode provid ... oval:org.secpod.oval:def:203884 The java-1.8.0-openjdk packages contain the latest version of the Open Java Development Kit , OpenJDK 8. These packages provide a fully compliant implementation of Java SE 8. Security Fix: * An improper type safety check was discovered in the Hotspot component. An untrusted Java application or apple ... oval:org.secpod.oval:def:204731 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204736 The microcode_ctl packages provide microcode updates for Intel and AMD processors. This update supersedes microcode provided by Red Hat with the CVE-2017-5715 CPU branch injection vulnerability mitigation. Further testing has uncovered problems with the microcode provided along with the Spectre mi ... oval:org.secpod.oval:def:203404 The mod_wsgi adapter is an Apache module that provides a WSGI-compliant interface for hosting Python-based web applications within Apache. It was found that mod_wsgi did not properly drop privileges if the call to setuid failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applicat ... oval:org.secpod.oval:def:204723 The linux-firmware packages contain all of the firmware files that are required by various devices to operate. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions . There are three primary variants of t ... oval:org.secpod.oval:def:204721 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.5.1 ESR. Security Fix: * A privacy flaw was discovered in Firefox. In Private Browsing mode, a web worker could write persistent data to IndexedDB, which was not cleared when exiting and would persist across mu ... oval:org.secpod.oval:def:204726 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs ha ... oval:org.secpod.oval:def:204724 The microcode_ctl packages provide microcode updates for Intel and AMD processors. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions . There are three primary variants of the issue which differ in the ... oval:org.secpod.oval:def:204728 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * An industry-wide issue was found in the way many modern micro ... oval:org.secpod.oval:def:31191 The apache2 server's ServerTokens value should be set appropriately oval:org.secpod.oval:def:31192 The apache2 server's ServerSignature value should be set appropriately. oval:org.secpod.oval:def:31197 Disable Server Side Includes (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31198 Disable MIME Magic (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31199 Disable WebDAV (Distributed Authoring and Versioning) (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31193 Disable HTTP Digest Authentication (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31194 Disable HTTP mod_rewrite (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31195 Disable LDAP Support (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:203860 PostgreSQL is an advanced object-relational database management system . An integer overflow flaw, leading to a heap-based buffer overflow, was found in the PostgreSQL handling code for regular expressions. A remote attacker could use a specially crafted regular expression to cause PostgreSQL to cra ... oval:org.secpod.oval:def:203864 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. A flaw was found in the way Samba handled ACLs on symbolic links. An authenticated user could use this fl ... oval:org.secpod.oval:def:204716 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204715 Liblouis is an open source braille translator and back-translator named in honor of Louis Braille. It features support for computer and literary braille, supports contracted and uncontracted translation for many languages and has support for hyphenation. New languages can easily be added through tab ... oval:org.secpod.oval:def:204714 The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to ... oval:org.secpod.oval:def:31181 The vsftpd service should be disabled if possible. oval:org.secpod.oval:def:31189 The httpd service should be disabled if possible. oval:org.secpod.oval:def:31183 The RPM package vsftpd should be installed. oval:org.secpod.oval:def:31179 The named service should be disabled if possible. oval:org.secpod.oval:def:203853 PostgreSQL is an advanced object-relational database management system . An integer overflow flaw, leading to a heap-based buffer overflow, was found in the PostgreSQL handling code for regular expressions. A remote attacker could use a specially crafted regular expression to cause PostgreSQL to cra ... oval:org.secpod.oval:def:203857 Xerces-C is a validating XML parser written in a portable subset of C++. It was discovered that the Xerces-C XML parser did not properly process certain XML input. By providing specially crafted XML data to an application using Xerces-C for XML processing, a remote attacker could exploit this flaw t ... oval:org.secpod.oval:def:203856 The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use signific ... oval:org.secpod.oval:def:204703 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix: * A null pointer dereference flaw was found in libgd. An attacker could use a specially-crafted .gd2 file to cause an application linked with libgd to crash, leading to denial of service. * An intege ... oval:org.secpod.oval:def:204709 The procmail packages contain a mail processing tool that can be used to create mail servers, mailing lists, sort incoming mail into separate folders or files, preprocess mail, start any program upon mail arrival, or automatically forward selected incoming mail. Security Fix: * A heap-based buffer o ... oval:org.secpod.oval:def:204707 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a maliciou ... oval:org.secpod.oval:def:204706 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A use-after-free flaw was found in the way samba servers handled c ... oval:org.secpod.oval:def:204770 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Buffer overflow manipulating SVG animatedPathSegList * Mozilla: Out-of-bounds write with malformed IP ... oval:org.secpod.oval:def:204774 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Memory safety bugs fixed in Firefox ESR 52.7 * Mozilla: Vorbis audio processing out o ... oval:org.secpod.oval:def:204772 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.2 ESR. Security Fix: * Mozilla: Vorbis audio processing out of bounds write For more details about the security issue, including the impact, ... oval:org.secpod.oval:def:203445 Polkit-qt is a library that lets developers use the PolicyKit API through a Qt-styled API. The polkit-qt library is used by the KDE Authentication Agent , which is a part of kdelibs. It was found that polkit-qt handled authorization requests with PolicyKit via a D-Bus API that is vulnerable to a rac ... oval:org.secpod.oval:def:204763 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability in web UI For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References secti ... oval:org.secpod.oval:def:204760 The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector. Security Fix: * quagga: Double free v ... oval:org.secpod.oval:def:204767 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:204751 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204755 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204754 The gcab package contains a utility for managing the Cabinet archives. It can list, extract, and create Microsoft cabinet files. Security Fix: * gcab: Extracting malformed .cab files causes stack smashing potentially leading to arbitrary code execution For more details about the security issue, in ... oval:org.secpod.oval:def:203427 HAProxy provides high availability, load balancing, and proxying for TCP and HTTP-based applications. A buffer overflow flaw was discovered in the way HAProxy handled, under very specific conditions, data uploaded from a client. A remote attacker could possibly use this flaw to crash HAProxy. All h ... oval:org.secpod.oval:def:204745 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:204744 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * A stack buffer overflow flaw was found in the way 389-ds-base handled certain LDAP search fil ... oval:org.secpod.oval:def:204743 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204749 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:204746 Nautilus is the file manager and graphical shell for the GNOME desktop. Security Fix: * An untrusted .desktop file with executable permission set could choose its displayed name and icon, and execute commands without warning when opened by the user. An attacker could use this flaw to trick a user in ... oval:org.secpod.oval:def:31133 The RPM package xorg-x11-server-common should be removed. oval:org.secpod.oval:def:31134 The avahi-daemon service should be disabled if possible. oval:org.secpod.oval:def:31130 The sshd service should be disabled if possible. oval:org.secpod.oval:def:31129 The atd service should be disabled if possible. oval:org.secpod.oval:def:31124 The sysstat service should be disabled if possible. oval:org.secpod.oval:def:31127 The crond service should be enabled if possible. oval:org.secpod.oval:def:203801 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. ... oval:org.secpod.oval:def:203804 The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases. A denial of service flaw was found in the ldb_wildcard_compare function of libldb. A remote attacker could send a specially crafted packet that, when processe ... oval:org.secpod.oval:def:31120 The rhnsd service should be disabled if possible. oval:org.secpod.oval:def:31121 The rhsmcertd service should be disabled if possible. oval:org.secpod.oval:def:31122 The saslauthd service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31123 The smartd service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31117 The Apache qpidd service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31118 The quota_nld service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31119 The rdisc service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31113 The oddjobd service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31114 The /var/tmp directory should be bind mounted to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. oval:org.secpod.oval:def:31115 The portreserve service should be disabled if possible. oval:org.secpod.oval:def:31116 The psacct service should be enabled if possible. oval:org.secpod.oval:def:31110 The messagebus service should be disabled if possible. oval:org.secpod.oval:def:31111 The netconsole service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31112 The ntpdate service should be disabled if possible. oval:org.secpod.oval:def:31106 The cpuspeed service should be disabled if possible. oval:org.secpod.oval:def:31107 The irqbalance service should be enabled if possible. oval:org.secpod.oval:def:31108 The kdump service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31109 The mdmonitor service should be disabled if possible. oval:org.secpod.oval:def:31102 The certmonger service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31103 The nosuid mount option should be set for temporary storage partitions such as /dev/shm. The suid/sgid permissions should not be required in these world-writable directories. oval:org.secpod.oval:def:31104 The cgconfig service should be disabled if possible. oval:org.secpod.oval:def:31105 The cgred service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31100 The TFTP daemon should use secure mode. oval:org.secpod.oval:def:31101 The acpid service should be disabled if possible. oval:org.secpod.oval:def:31170 The mountd service should be configured to use a static port or a dynamic portmapper port as appropriate oval:org.secpod.oval:def:31175 The nosuid option should be enabled for all NFS mounts in /etc/fstab. oval:org.secpod.oval:def:31176 Root squashing should be enabled or disabled as appropriate for all NFS shares. oval:org.secpod.oval:def:31177 Restriction of NFS clients to privileged ports should be enabled or disabled as appropriate oval:org.secpod.oval:def:31172 The nfs service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31173 The rpcsvcgssd service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31174 The nodev option should be enabled for all NFS mounts in /etc/fstab. oval:org.secpod.oval:def:203843 The 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. An infinite-loop vulnerability was discovered in the 389 directory server, where the server failed to cor ... oval:org.secpod.oval:def:31168 The autofs service should be disabled if possible. oval:org.secpod.oval:def:203842 PolicyKit is a toolkit for defining and handling authorizations. A denial of service flaw was found in how polkit handled authorization requests. A local, unprivileged user could send malicious requests to polkit, which could then cause the polkit daemon to corrupt its memory and crash. All polkit ... oval:org.secpod.oval:def:31169 Configure statd to use static port (/etc/sysconfig/nfs) should be configured appropriately. oval:org.secpod.oval:def:31164 The rpcidmapd service should be disabled if possible. oval:org.secpod.oval:def:31165 The netfs service should be disabled if possible. oval:org.secpod.oval:def:31166 The lockd service should be configured to use a static port or a dynamic portmapper port for TCP as appropriate. oval:org.secpod.oval:def:31167 The lockd service should be configured to use a static port or a dynamic portmapper port for UDP as appropriate. oval:org.secpod.oval:def:31162 The nfslock service should be disabled if possible. oval:org.secpod.oval:def:31163 The rpcgssd service should be disabled if possible. oval:org.secpod.oval:def:31159 Require the use of TLS for ldap clients. oval:org.secpod.oval:def:31155 The postfix service should be enabled if possible. oval:org.secpod.oval:def:31151 DHCP configuration should be static for all interfaces. oval:org.secpod.oval:def:31152 The ntpd service should be enable or disable as appropriate. oval:org.secpod.oval:def:31146 The dynamic DNS feature of the DHCP server should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31147 Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives oval:org.secpod.oval:def:31148 DHCPDECLINE messages should be accepted or denied by the DHCP server as appropriate oval:org.secpod.oval:def:31149 BOOTP queries should be accepted or denied by the DHCP server as appropriate. oval:org.secpod.oval:def:31142 The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing ca ... oval:org.secpod.oval:def:31143 By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers ... oval:org.secpod.oval:def:31144 The dhcpd service should be disabled if possible. oval:org.secpod.oval:def:31140 Avahi publishing of IP addresses should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31141 The cups service should be disabled if possible. oval:org.secpod.oval:def:31135 The Avahi daemon should be configured to serve via Ipv6 or not as appropriate. oval:org.secpod.oval:def:31136 Look for argument "nousb" in the kernel line in /etc/grub.conf oval:org.secpod.oval:def:31137 Avahi should be configured to accept packets with a TTL field not equal to 255 or not as appropriate. oval:org.secpod.oval:def:31138 Avahi should be configured to allow other stacks from binding to port 5353 or not as appropriate. oval:org.secpod.oval:def:203812 The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote ... oval:org.secpod.oval:def:48097 libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully auth ... oval:org.secpod.oval:def:31211 Directory permissions for /var/log/httpd should be set appropriately. oval:org.secpod.oval:def:31205 Disable CGI Support (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31206 Restrict Root Directory (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31208 Restrict Web Directory (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31201 Disable Web Server Configuration Display (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31202 Disable URL Correction on Misspelled Entries (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31203 The HTTPD Proxy Module Support should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31204 Disable Cache Support (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31209 mod_ssl package installation should be configured appropriately. oval:org.secpod.oval:def:31200 Disable Server Activity Status (/etc/httpd/conf/httpd.conf) should be configured appropriately. oval:org.secpod.oval:def:204087 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: * It was found that squid did not properly remove connection specific headers when answering conditional requests using a cached request. A remote attacker could send a spec ... oval:org.secpod.oval:def:204072 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fix: * An integer overflow flaw, leading to a heap-based buffer overflow, was found in GStreamer"s VMware ... oval:org.secpod.oval:def:204071 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix: * Multiple flaws were discovered in GStreamer"s FLC/FLI/FLX ... oval:org.secpod.oval:def:204070 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix: * Multiple flaws were discovered in GStreamer"s FLC/FLI/FLX m ... oval:org.secpod.oval:def:204066 Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix: * It was discovered that the default IdM password policies that lock out accounts after a certain number of failed ... oval:org.secpod.oval:def:204069 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fix: * An integer overflow flaw, leading to a heap-based buffer overflow, was found in GStreamer"s VMware ... oval:org.secpod.oval:def:204068 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * It was found that the ghostscript functions getenv, filenameforall and .libfile did not h ... oval:org.secpod.oval:def:203592 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handled trust anchor management. A remote attacker coul ... oval:org.secpod.oval:def:203590 The libxml2 library is a development toolbox providing the implementation of various XML standards. It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked ag ... oval:org.secpod.oval:def:203599 The flac packages contain a decoder and an encoder for the FLAC audio file format. A buffer overflow flaw was found in the way flac decoded FLAC audio files. An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash or execute arbit ... oval:org.secpod.oval:def:203585 PostgreSQL is an advanced object-relational database management system . An information leak flaw was found in the way the PostgreSQL database server handled certain error messages. An authenticated database user could possibly obtain the results of a query they did not have privileges to execute by ... oval:org.secpod.oval:def:203584 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled ... oval:org.secpod.oval:def:204492 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.1.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204497 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * It was found that ghostscript did not properly validate the parameters passed to the .rsd ... oval:org.secpod.oval:def:204484 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.1.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204009 Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix: * It was discovered that python-twisted-web used the value of the Proxy header from ... oval:org.secpod.oval:def:204473 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204470 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user"s browser. A remote attac ... oval:org.secpod.oval:def:204476 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind requests ... oval:org.secpod.oval:def:204474 The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program. Security Fix: * A race condition was found in the way su handled the management of child pr ... oval:org.secpod.oval:def:204479 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * A denial of service flaw was found in the way BIND handled a query respo ... oval:org.secpod.oval:def:204478 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * A heap buffer overflow flaw was found in QEMU"s Cirrus CLGD 54xx VGA emulator"s V ... oval:org.secpod.oval:def:204469 The icoutils are a set of programs for extracting and converting images in Microsoft Windows icon and cursor files. These files usually have the extension .ico or .cur, but they can also be embedded in executables or libraries. Security Fix: * Multiple vulnerabilities were found in icoutils, in the ... oval:org.secpod.oval:def:204467 Mozilla Firefox is an open source web browser. Security Fix: * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. Red Hat would lik ... oval:org.secpod.oval:def:204850 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow usin ... oval:org.secpod.oval:def:204855 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.9.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow using computed size of canvas element * Mozilla: Use ... oval:org.secpod.oval:def:204856 OpenSLP is an open source implementation of the Service Location Protocol which is an Internet Engineering Task Force standards track protocol and provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networ ... oval:org.secpod.oval:def:203980 The golang packages provide the Go programming language compiler. The following packages have been upgraded to a newer upstream version: golang . Security Fix: * An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable &q ... oval:org.secpod.oval:def:203509 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. This update adds support for the TLS Fallback Sig ... oval:org.secpod.oval:def:204838 The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System. Security Fix: * pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access For more details about the security issue, including the impact, a CVSS score, ... oval:org.secpod.oval:def:204821 LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix: * libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c For more details about the security issue, including the impact, a CVSS score, and other re ... oval:org.secpod.oval:def:204820 The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * Mozilla: Vorbis audio processing out of bounds ... oval:org.secpod.oval:def:203972 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A flaw was found in the way Samba initiated signed DCE/RPC connect ... oval:org.secpod.oval:def:204826 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: ns-slapd crash via large filter value in ldapsearch For more details about the ... oval:org.secpod.oval:def:204823 The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Security Fix: * pcs: Privilege escalation via authorized user malicious REST call * pcs: Debug parameter removal bypass, allowing information disclosure * rack-protection: Timing attack in authen ... oval:org.secpod.oval:def:204827 PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API. Security Fix: * PackageKit: authentication bypass allows to install signed packages without administrator privileges For more details about the ... oval:org.secpod.oval:def:204891 The SpamAssassin tool provides a way to reduce unsolicited commercial email from incoming email. Security Fix: * spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service * spamassassin: Local user code injection in the meta rule syntax For more ... oval:org.secpod.oval:def:204895 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.3.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 * Mozilla: Crash with nested event loops * Mozill ... oval:org.secpod.oval:def:20458400 The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can capture and display the packet headers on a particular network interface or on all interfaces. The following packages have been upgraded to a later upstream version: tcpdump . Security Fix: * Mu ... oval:org.secpod.oval:def:203553 YAML is a data serialization format designed for human readability and interaction with scripting languages. LibYAML is a YAML parser and emitter written in C. An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input ... oval:org.secpod.oval:def:204882 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix: * flatpak: sandbox escape in D-Bus filtering by a crafted authentication handshake For more details about the security issue, including the impact, a CVSS score, and other related info ... oval:org.secpod.oval:def:204881 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine arch ... oval:org.secpod.oval:def:204886 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.1 ESR. Security Fix: * Mozilla: Crash in TransportSecurityInfo due to cached data * Mozilla: Setting a master password post-Firefox 58 does no ... oval:org.secpod.oval:def:203558 Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion reposi ... oval:org.secpod.oval:def:204873 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: processing of certain records when "deny-answer-aliases" ... oval:org.secpod.oval:def:204871 PostgreSQL is an advanced object-relational database management system . The following packages have been upgraded to a later upstream version: postgresql . Security Fix: * postgresql: Certain host connection parameters defeat client-side security defenses For more details about the security issue ... oval:org.secpod.oval:def:204877 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix: * nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello For more details about the security issue, including ... oval:org.secpod.oval:def:204876 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine arch ... oval:org.secpod.oval:def:204875 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozi ... oval:org.secpod.oval:def:203530 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver ... oval:org.secpod.oval:def:204868 Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: Remote code injection vulnerability to an IMAP mailbox * mutt: Remote Code Execu ... oval:org.secpod.oval:def:31252 The SELinux state should be set appropriately. oval:org.secpod.oval:def:31253 Logins through the Direct root Logins Not Allowed should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31250 The kernel runtime parameter "kernel.dmesg_restrict" should be set to "1". oval:org.secpod.oval:def:31251 The SELinux in /etc/grub.conf should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31247 The kernel runtime parameter "kernel.exec-shield" should be set to "1". oval:org.secpod.oval:def:203924 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Security Fix: * It was discovered that Mercurial failed to properly check Git sub-repository URLs. A Mercurial repository that includes a Git sub-repository with a sp ... oval:org.secpod.oval:def:31241 All files should be owned by a user oval:org.secpod.oval:def:31242 All files should be owned by a group oval:org.secpod.oval:def:31243 Configure Periodic Execution of AIDE (/etc/crontab) should be configured appropriately. oval:org.secpod.oval:def:31227 The snmpd service should be disabled if possible. oval:org.secpod.oval:def:31229 Configure SNMP Service to Use Only SNMPv3 or Newer (/etc/snmp/snmpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31223 Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used. oval:org.secpod.oval:def:31224 The squid service should be disabled if possible. oval:org.secpod.oval:def:31221 The Samba (SMB) service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31212 Directory permissions for /etc/httpd/conf/ should be set as appropriate. oval:org.secpod.oval:def:31213 The /etc/httpd/conf/* files should have the appropriate permissions. oval:org.secpod.oval:def:31290 Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options, which is used as temporary storage by many program, particularly system services such as daemons. It is not uncommon for the /var directory to contain world-writable directories, installed by ot ... oval:org.secpod.oval:def:31289 The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack. oval:org.secpod.oval:def:204813 The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx. Security Fix: * procps-ng, procps: Integer overflows leading to heap overflow in file2strvec * procps-ng, procps: ... oval:org.secpod.oval:def:204819 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.3 ESR. Security Fix: * firefox: Use-after-free in compositor potentially allows code execution For more details about the security issue, incl ... oval:org.secpod.oval:def:204818 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:31286 All wireless interfaces should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31287 The bluetooth service should be disabled if possible. oval:org.secpod.oval:def:203955 The setroubleshoot packages provide tools to help diagnose SELinux problems. When Access Vector Cache messages are returned, an alert can be generated that provides information about the problem and helps to track its resolution. The setroubleshoot-plugins package provides a set of analysis plugins ... oval:org.secpod.oval:def:203959 OCaml is a high-level, strongly-typed, functional, and object-oriented programming language from the ML family of languages. The ocaml packages contain two batch compilers , an interactive top level system, parsing tools , a replay debugger, a documentation generator, and a comprehensive library. Se ... oval:org.secpod.oval:def:203958 The setroubleshoot packages provide tools to help diagnose SELinux problems. When Access Vector Cache messages are returned, an alert can be generated that provides information about the problem and helps to track its resolution. The setroubleshoot-plugins package provides a set of analysis plugins ... oval:org.secpod.oval:def:31274 The kernel runtime parameter "net.ipv4.conf.all.accept_source_route" should be set to "0". oval:org.secpod.oval:def:31270 Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet. oval:org.secpod.oval:def:31267 The ability for users to perform interactive startups should be disabled. oval:org.secpod.oval:def:203941 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: * A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacke ... oval:org.secpod.oval:def:31269 The pcscd service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31266 Ctrl-Alt-Del Reboot Activation should be set as appropriate. oval:org.secpod.oval:def:31261 The environment variable PATH should be set correctly for the root user. oval:org.secpod.oval:def:31256 The PATH variable should be set correctly for user root oval:org.secpod.oval:def:31258 Configure the system to notify users of last logon/access using pam_lastlog. oval:org.secpod.oval:def:204174 Hive files are undocumented binary files that Windows uses to store the Windows Registry on disk. Hivex is a library that can read and write to these files. It was found that hivex attempted to read beyond its allocated buffer when reading a hive file with a very small size or with a truncated or im ... oval:org.secpod.oval:def:204161 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:204160 The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program. Security Fix: * It was found that util-linux"s libblkid library did not properly handle Ext ... oval:org.secpod.oval:def:204163 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:204162 memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix: * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached bin ... oval:org.secpod.oval:def:204169 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:204154 The libguestfs packages contain a library, which is used for accessing and modifying virtual machine disk images. Virt-p2v is a tool for conversion of a physical server to a virtual guest. The following packages have been upgraded to a newer upstream version: libguestfs , virt-p2v . Security Fix: ... oval:org.secpod.oval:def:204153 PostgreSQL is an advanced object-relational database management system . The following packages have been upgraded to a newer upstream version: postgresql . Security Fix: * A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authentic ... oval:org.secpod.oval:def:204152 The Pacemaker cluster resource manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. The following packages have been upgraded to a newer upstream version: pacemaker . Security Fix: * It was ... oval:org.secpod.oval:def:204151 The libgcrypt library provides general-purpose implementations of various cryptographic algorithms. Security Fix: * A design flaw was found in the libgcrypt PRNG . An attacker able to obtain the first 580 bytes of the PRNG output could predict the following 20 bytes. Red Hat would like to thank Fel ... oval:org.secpod.oval:def:204157 The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: * It was discovered that the sudo noexec restricti ... oval:org.secpod.oval:def:204156 Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network . Secu ... oval:org.secpod.oval:def:204159 The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: * It was discovered that the default sudo configur ... oval:org.secpod.oval:def:204144 The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix: * It was found that the sandbox tool provided in policycoreutils was vulnerable to a TIOCSTI ioctl attack. A specially crafted program executed via the sandbox command could use thi ... oval:org.secpod.oval:def:31326 System Audit Logs Must Have Mode 0640 or Less Permissive (/var/log/audit/*) should be configured appropriately. oval:org.secpod.oval:def:31327 The file /etc/pam.d/system-auth should not contain the nullok option oval:org.secpod.oval:def:31320 System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume. oval:org.secpod.oval:def:31321 Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. oval:org.secpod.oval:def:31318 The Red Hat release and auxiliary key packages are required to be installed. oval:org.secpod.oval:def:31311 Ensure all yum repositories utilize signature checking. oval:org.secpod.oval:def:204194 OpenSSH is OpenBSD"s SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip th ... oval:org.secpod.oval:def:204193 The grep utility searches through textual input for lines that contain a match to a specified pattern and then prints the matching lines. The GNU grep utilities include grep, egrep, and fgrep. A heap-based buffer overflow flaw was found in the way grep processed certain pattern and text combinations ... oval:org.secpod.oval:def:31310 The abrtd service should be disabled if possible. oval:org.secpod.oval:def:31306 The yum-updatesd service should be disabled oval:org.secpod.oval:def:204199 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after heade ... oval:org.secpod.oval:def:31307 The '/boot/grub2/grub.cfg' file should be owned by appropriate User. oval:org.secpod.oval:def:31302 The grub boot loader should have password protection enabled. oval:org.secpod.oval:def:31303 Verify which group owns the /boot/grub2/grub.cfg file. oval:org.secpod.oval:def:204181 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled ... oval:org.secpod.oval:def:204180 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ... oval:org.secpod.oval:def:204185 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:204184 Bundler manages an application"s dependencies through its entire life, across many machines, systematically and repeatably. Thor is a toolkit for building powerful command-line interfaces. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to on ... oval:org.secpod.oval:def:204189 The realmd DBus system service manages discovery of and enrollment in realms and domains, such as Active Directory or Identity Management . The realmd service detects available domains, automatically configures the system, and joins it as an account to a domain. A flaw was found in the way realmd pa ... oval:org.secpod.oval:def:204574 The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 , and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. S ... oval:org.secpod.oval:def:204573 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.4.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204561 Augeas is a configuration editing tool. It parses configuration files in their native formats and transforms them into a tree. Configuration changes are made by manipulating this tree and saving it back into native config files. Security Fix: * A vulnerability was discovered in augeas affecting the ... oval:org.secpod.oval:def:204564 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix: * A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious cl ... oval:org.secpod.oval:def:204563 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, exec ... oval:org.secpod.oval:def:204567 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.4.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204557 GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language , and the capability to read e-mail and news. Security Fix: * A command injection flaw within the Emacs "enriched mode" handling has been discovered. By tric ... oval:org.secpod.oval:def:204556 PostgreSQL is an advanced object-relational database management system . The following packages have been upgraded to a later upstream version: postgresql . Security Fix: * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq"s refusal ... oval:org.secpod.oval:def:204544 Graphite2 is a project within SIL"s Non-Roman Script Initiative and Language Software Development groups to provide rendering capabilities for complex non-Roman writing systems. Graphite can be used to create smart fonts capable of displaying writing systems with various complex behaviors. With resp ... oval:org.secpod.oval:def:204131 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ... oval:org.secpod.oval:def:204136 RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification. Security Fix: * It was discovered that under certain conditions RESTEasy could be forced to pa ... oval:org.secpod.oval:def:204134 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * It was found that the libcurl library did not prevent TLS session resumption when the client certificate had changed. An attac ... oval:org.secpod.oval:def:204133 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:204137 Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * A heap-buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler to crash or, potentially, execute arbi ... oval:org.secpod.oval:def:204127 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:204590 Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can ... oval:org.secpod.oval:def:204110 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * A denial of service flaw was found in the way BIND handled query respons ... oval:org.secpod.oval:def:204591 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba . Se ... oval:org.secpod.oval:def:204598 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:204113 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * A stack overflow vulnerability was ... oval:org.secpod.oval:def:204597 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:204112 The Pacemaker cluster resource manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. Security Fix: * An authorization flaw was found in Pacemaker, where it did not properly guard its IPC inte ... oval:org.secpod.oval:def:204595 Libtasn1 is a library that provides Abstract Syntax Notation One parsing and structures management, and Distinguished Encoding Rules encoding and decoding functions. The following packages have been upgraded to a later upstream version: libtasn1 . Security Fix: * A heap-based buffer overflow flaw ... oval:org.secpod.oval:def:204117 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. The following packages have been upgraded to a newer upstream version: squid . Security Fix: * Incorrect boundary checks were found in the way squid handled headers in HTTP responses, wh ... oval:org.secpod.oval:def:204116 firewalld is a firewall service daemon that provides a dynamic customizable firewall with a D-Bus interface. The following packages have been upgraded to a newer upstream version: firewalld . Security Fix: * A flaw was found in the way firewalld allowed certain firewall configurations to be modifie ... oval:org.secpod.oval:def:204599 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:204582 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:204580 The GNOME Display Manager provides the graphical login screen shown shortly after boot up, log out, and when user-switching. The following packages have been upgraded to a later upstream version: gdm , gnome-session . Security Fix: * It was found that gdm could crash due to a signal handler dispat ... oval:org.secpod.oval:def:204589 The bash packages provide Bash , which is the default shell for Red Hat Enterprise Linux. Security Fix: * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines ... oval:org.secpod.oval:def:204588 Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * A stack-based buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler to crash, or potentially execut ... oval:org.secpod.oval:def:203642 The wpa_supplicant package contains an 802.1X Supplicant with support for WEP, WPA, WPA2 , and various EAP authentication methods. It implements key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. A ... oval:org.secpod.oval:def:203646 CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operation ... oval:org.secpod.oval:def:204535 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Security Fix: * A flaw was found in the way "hg serve --stdio" command in Mercurial handled command-line options. A remote, authenticated attacker could use ... oval:org.secpod.oval:def:204534 FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Security Fix: * An authentication bypass flaw was found in the way the EAP module in FreeRADIUS handled TLS ... oval:org.secpod.oval:def:204538 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * Quick Emulator built with Network Block Device Server support was vulnerable to ... oval:org.secpod.oval:def:204537 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * A flaw was found in the way BIND handled TSIG authentication for dynamic ... oval:org.secpod.oval:def:204525 The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: * It was discovered that the sudo noexec restricti ... oval:org.secpod.oval:def:204522 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.2.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:203665 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND performed DNSSEC validation. An attacker able to make B ... oval:org.secpod.oval:def:204516 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.2.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204515 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * An out-of-bounds r/w access issue was found in QEMU"s Cirrus CLGD 54xx VGA Emulat ... oval:org.secpod.oval:def:204519 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * A flaw was found in the way memory ... oval:org.secpod.oval:def:204502 The K Desktop Environment is a graphical desktop environment for the X Window System. The kdelibs packages include core libraries for the K Desktop Environment. Security Fix: * A privilege escalation flaw was found in the way kdelibs handled D-Bus messages. A local user could potentially use this f ... oval:org.secpod.oval:def:203653 Mailman is a program used to help manage email discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. This update also fixes the following bugs: * Previ ... oval:org.secpod.oval:def:204500 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * It was found that Samba always requested forwardable tickets when ... oval:org.secpod.oval:def:203658 PostgreSQL is an advanced object-relational database management system . A double-free flaw was found in the connection handling. An unauthenticated attacker could exploit this flaw to crash the PostgreSQL back end by disconnecting at approximately the same time as the authentication time out is tri ... oval:org.secpod.oval:def:31360 Only the root account should be assigned a user id of 0. oval:org.secpod.oval:def:31359 The /tmp directory is a world-writable directory used for temporary file storage. Verify that it has its own partition or logical volume. oval:org.secpod.oval:def:31353 The telnet service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31342 The password minclass should meet minimum requirements using pam_cracklib oval:org.secpod.oval:def:31334 File permissions for '/boot/grub2/grub.cfg' should be set appropriate. oval:org.secpod.oval:def:31336 Verify that System Executables Have Restrictive Permissions (/bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin or /usr/local/sbin) should be configured appropriately. oval:org.secpod.oval:def:203605 X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. A buffer over-read flaw was found in the way the X.Org server handled XkbGetGeometry requests. A malicious, authorized client co ... oval:org.secpod.oval:def:204273 The pcs package provides a configuration tool for Corosync and Pacemaker. It permits users to easily view, modify and create Pacemaker based clusters. The pcs package includes Rack, which provides a minimal interface between webservers that support Ruby and Ruby frameworks. A flaw was found in a way ... oval:org.secpod.oval:def:204272 The binutils packages provide a set of binary utilities. Multiple buffer overflow flaws were found in the libbdf library used by various binutils utilities. If a user were tricked into processing a specially crafted file with an application using the libbdf library, it could cause the application to ... oval:org.secpod.oval:def:204261 The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources. This update als ... oval:org.secpod.oval:def:204693 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:204697 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.5.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204212 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handled trust anchor management. A remote attacker coul ... oval:org.secpod.oval:def:204211 Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. The tigerv ... oval:org.secpod.oval:def:204217 The xfsprogs packages contain a set of commands to use the XFS file system, including the mkfs.xfs command to construct an XFS system. It was discovered that the xfs_metadump tool of the xfsprogs suite did not fully adhere to the standards of obfuscation described in its man page. In case a user wit ... oval:org.secpod.oval:def:204698 The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix: * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HT ... oval:org.secpod.oval:def:204680 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * The ... oval:org.secpod.oval:def:204685 OpenLDAP is an open-source suite of Lightweight Directory Access Protocol applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap packages contain configuration files, libraries, and docum ... oval:org.secpod.oval:def:203353 CentOS 7 is installed oval:org.secpod.oval:def:204200 GNOME Shell and the packages it depends upon provide the core user interface of the Red Hat Enterprise Linux desktop, including functions such as navigating between windows and launching applications. It was found that the GNOME shell did not disable the Print Screen key when the screen was locked. ... oval:org.secpod.oval:def:203352 LZO is a portable lossless data compression library written in ANSI C. An integer overflow flaw was found in the way the lzo library decompressed certain archives compressed with the LZO algorithm. An attacker could create a specially crafted LZO-compressed input that, when decompressed by an applic ... oval:org.secpod.oval:def:204687 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 , gnome-video-effects , gstreamer1 , gstreamer1-plugins-bad-free , gstreamer1-plugins-base , gstreamer1-plugins-good , ... oval:org.secpod.oval:def:204207 GNOME Shell and the packages it depends upon provide the core user interface of the Red Hat Enterprise Linux desktop, including functions such as navigating between windows and launching applications. It was found that the GNOME shell did not disable the Print Screen key when the screen was locked. ... oval:org.secpod.oval:def:204670 The GNOME Display Manager provides the graphical login screen shown shortly after boot up, log out, and when user-switching. The following packages have been upgraded to a later upstream version: gdm , gnome-session . Security Fix: * It was found that gdm could crash due to a signal handler dispat ... oval:org.secpod.oval:def:204676 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * A stack overflow vulnerability was ... oval:org.secpod.oval:def:204660 PostgreSQL is an advanced object-relational database management system . The following packages have been upgraded to a later upstream version: postgresql . Security Fix: * It was found that some selectivity estimation functions did not check user privileges before providing information from pg_sta ... oval:org.secpod.oval:def:204664 The golang packages provide the Go programming language compiler. The following packages have been upgraded to a later upstream version: golang . Security Fix: * A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could possibly use this flaw ... oval:org.secpod.oval:def:204663 XML Security Library is a C library based on LibXML2 and OpenSSL. The library was created with a goal to support major XML security standards "XML Digital Signature" and "XML Encryption". Security Fix: * It was discovered xmlsec1"s use of libxml2 inadvertently enabled external en ... oval:org.secpod.oval:def:204667 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204666 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The following packages have been upgraded to a later upstream version: pidgin . Security Fix: * A denial of service flaw was found in the way Pidgin"s Mxit plug-in han ... oval:org.secpod.oval:def:204251 The grub2 packages provide version 2 of the Grand Unified Bootloader , a highly configurable and customizable bootloader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. It was discovered that grub2 builds for EF ... oval:org.secpod.oval:def:204256 GNOME Shell and the packages it depends upon provide the core user interface of the Red Hat Enterprise Linux desktop, including functions such as navigating between windows and launching applications. It was found that the GNOME shell did not disable the Print Screen key when the screen was locked. ... oval:org.secpod.oval:def:203393 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag lib ... oval:org.secpod.oval:def:204240 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. It was found that Squid configured with client-first SSL-bump did not correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spo ... oval:org.secpod.oval:def:204230 Bundler manages an application"s dependencies through its entire life, across many machines, systematically and repeatably. Thor is a toolkit for building powerful command-line interfaces. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to on ... oval:org.secpod.oval:def:203386 RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were n ... oval:org.secpod.oval:def:203385 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in Samba"s NetBIOS message block daemon . An attacker on the ... oval:org.secpod.oval:def:204236 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker ab ... oval:org.secpod.oval:def:204221 The cpio packages provide the GNU cpio utility for creating and extracting archives, or copying files from one place to another. A heap-based buffer overflow flaw was found in cpio"s list_file function. An attacker could provide a specially crafted archive that, when processed by cpio, would crash c ... oval:org.secpod.oval:def:204225 GNOME Shell and the packages it depends upon provide the core user interface of the Red Hat Enterprise Linux desktop, including functions such as navigating between windows and launching applications. It was found that the GNOME shell did not disable the Print Screen key when the screen was locked. ... oval:org.secpod.oval:def:204229 The netcf packages contain a library for modifying the network configuration of a system. Network configuration is expressed in a platform-independent XML format, which netcf translates into changes to the system"s "native" network configuration files. A denial of service flaw was found in ... oval:org.secpod.oval:def:31091 The rexec service should be disabled if possible. oval:org.secpod.oval:def:31092 It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. The noexec mount option prevents binaries from being executed out of /dev/shm. oval:org.secpod.oval:def:31093 The rsh service should be disabled if possible. oval:org.secpod.oval:def:31098 The tftp service should be disabled if possible. oval:org.secpod.oval:def:31094 The rlogin service should be disabled if possible. oval:org.secpod.oval:def:31095 The '.rhosts' or 'hosts.equiv' files should exists or doesn't exists on the system. oval:org.secpod.oval:def:31097 The ypbind service should be disabled if possible. oval:org.secpod.oval:def:204614 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 , gnome-video-effects , gstreamer1 , gstreamer1-plugins-bad-free , gstreamer1-plugins-base , gstreamer1-plugins-good , ... oval:org.secpod.oval:def:204618 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 , gnome-video-effects , gstreamer1 , gstreamer1-plugins-bad-free , gstreamer1-plugins-base , gstreamer1-plugins-good , ... oval:org.secpod.oval:def:31080 Audit rules should be configured to log successful and unsuccessful logon and logout events. oval:org.secpod.oval:def:31081 Legitimate character and block devices should not exist within temporary directories like /dev/shm. The nodev mount option should be specified for /dev/shm. oval:org.secpod.oval:def:31088 The xinetd service should be disabled if possible. oval:org.secpod.oval:def:31084 Audit rules about the Information on the Use of Privileged Commands are enabled oval:org.secpod.oval:def:204602 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Security Fix: * A vulnerability was found in the way Mercurial handles path auditing and caches the results. An attacker could abuse a repository with a series of com ... oval:org.secpod.oval:def:204606 The evince packages provide a simple multi-page document viewer for Portable Document Format , PostScript , Encapsulated PostScript files, and, with additional back-ends, also the Device Independent File format files. Security Fix: * It was found that evince did not properly sanitize the command l ... oval:org.secpod.oval:def:204604 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 , gnome-video-effects , gstreamer1 , gstreamer1-plugins-bad-free , gstreamer1-plugins-base , gstreamer1-plugins-good , ... oval:org.secpod.oval:def:204607 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 , gnome-video-effects , gstreamer1 , gstreamer1-plugins-bad-free , gstreamer1-plugins-base , gstreamer1-plugins-good , ... oval:org.secpod.oval:def:31070 The nosuid mount option should be set for temporary storage partitions such as /tmp. The suid/sgid permissions should not be required in these world-writable directories. oval:org.secpod.oval:def:203743 libwmf is a library for reading and converting Windows Metafile Format vector graphics. libwmf is used by applications such as GIMP and ImageMagick. It was discovered that libwmf did not correctly process certain WMF with embedded BMP images. By tricking a victim into opening a specially crafted W ... oval:org.secpod.oval:def:31060 Record attempts to alter time through stime, note that this is only relevant on 32bit architecture. oval:org.secpod.oval:def:31064 System Audit Logs Must Be Owned By Root (/var/log/*) should be configured appropriately. oval:org.secpod.oval:def:31059 It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /tmp. The noexec mount option prevents binaries from being executed out of /tmp. oval:org.secpod.oval:def:204653 Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients which allow ... oval:org.secpod.oval:def:204657 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * Quick Emulator built with the Network Block Device Server support is vulnerable ... oval:org.secpod.oval:def:204656 FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Security Fix: * An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attribute ... oval:org.secpod.oval:def:204641 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.3.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204645 The libsoup packages provide an HTTP client and server library for GNOME. Security Fix: * A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially ... oval:org.secpod.oval:def:204644 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 , gnome-video-effects , gstreamer1 , gstreamer1-plugins-bad-free , gstreamer1-plugins-base , gstreamer1-plugins-good , ... oval:org.secpod.oval:def:204649 The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts , and pcmcia configuration files. Security Fix: * An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery ... oval:org.secpod.oval:def:204647 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:204631 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 , gnome-video-effects , gstreamer1 , gstreamer1-plugins-bad-free , gstreamer1-plugins-base , gstreamer1-plugins-good , ... oval:org.secpod.oval:def:204630 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescap ... oval:org.secpod.oval:def:204633 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 , gnome-video-effects , gstreamer1 , gstreamer1-plugins-bad-free , gstreamer1-plugins-base , gstreamer1-plugins-good , ... oval:org.secpod.oval:def:203785 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204639 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * A NULL pointer dereference flaw was found in ghostscript"s mem_get_bits_rectangle functio ... oval:org.secpod.oval:def:204638 Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients which allow ... oval:org.secpod.oval:def:204636 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 , gnome-video-effects , gstreamer1 , gstreamer1-plugins-bad-free , gstreamer1-plugins-base , gstreamer1-plugins-good , ... oval:org.secpod.oval:def:204624 Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Security Fix: * A shell command injection flaw related to the handling of "svn+ssh" U ... oval:org.secpod.oval:def:204625 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.3.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:203722 The libXfont package provides the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format fonts. A malicious, local user could use this flaw to crash the ... oval:org.secpod.oval:def:31047 The auditd service should be enabled if possible. oval:org.secpod.oval:def:31048 Legitimate character and block devices should not exist within temporary directories like /tmp. The nodev mount option should be specified for /tmp. oval:org.secpod.oval:def:31049 Look for argument audit=1 in the kernel line in /etc/grub.conf. oval:org.secpod.oval:def:203728 Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion reposi ... oval:org.secpod.oval:def:31044 Test if HostLimit line in logwatch.conf is set appropriately. On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not just the one on which it is runni ... oval:org.secpod.oval:def:31045 Check if SplitHosts line in logwatch.conf is set appropriately. oval:org.secpod.oval:def:31046 Disable Logwatch on Clients if a Logserver Exists (/etc/cron.daily/0logwatch) should be configured appropriately. oval:org.secpod.oval:def:31036 All syslog log files should be owned by the appropriate group. oval:org.secpod.oval:def:31037 The nosuid mount option prevents set-user-identifier (suid) and set-group-identifier (sgid) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce suid and g ... oval:org.secpod.oval:def:31038 File permissions for all syslog log files should be set correctly. oval:org.secpod.oval:def:203712 jakarta-taglibs-standard is the Java Standard Tag Library . This library is used in conjunction with Tomcat and Java Server Pages . It was found that the Java Standard Tag Library allowed the processing of untrusted XML documents to utilize external entity references, which could access resources o ... oval:org.secpod.oval:def:31035 The rsyslog service should be enabled if possible. oval:org.secpod.oval:def:31025 The ip6tables service should be enabled if possible. oval:org.secpod.oval:def:31027 The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The noexec option prevents code from being executed directly from the media itself, ... oval:org.secpod.oval:def:31028 The iptables service should be enabled if possible. oval:org.secpod.oval:def:203701 The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol , including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which us ... oval:org.secpod.oval:def:31022 Manually configure addresses for IPv6 oval:org.secpod.oval:def:31023 Enable privacy extensions for IPv6 oval:org.secpod.oval:def:31024 Define default gateways for IPv6 traffic oval:org.secpod.oval:def:31019 The RPC IPv6 Support should be configured appropriately based rpc services. oval:org.secpod.oval:def:31016 If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. oval:org.secpod.oval:def:31017 The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist in the /dev directory on the root partition or within chroot jails built for system services. All other locations should not allow character and block devic ... oval:org.secpod.oval:def:205172 Cockpit enables users to administer GNU/Linux servers using a web browser. It offers network configuration, log inspection, diagnostic reports, SELinux troubleshooting, interactive command-line sessions, and more. Security Fix: * cockpit: Crash when parsing invalid base64 headers For more details a ... oval:org.secpod.oval:def:204867 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: Client programs unspecified vulnerability * mysql: Server: DML unspecified vulnerability * my ... oval:org.secpod.oval:def:204785 OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix: * openssh: Improper write operations in readonly mode allow for zero-length file creation For mor ... oval:org.secpod.oval:def:204126 OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix: * It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running t ... oval:org.secpod.oval:def:204851 The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification For more details abou ... oval:org.secpod.oval:def:204592 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * It was discovered that the mysql and mysqldump tools did not correctly handle database and table names c ... oval:org.secpod.oval:def:204828 The corosync packages provide the Corosync Cluster Engine and C APIs for Red Hat Enterprise Linux cluster software. Security Fix: * corosync: Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3 function For more details about the security issue, including the impact, a CVSS score, and other ... oval:org.secpod.oval:def:203659 Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application t ... oval:org.secpod.oval:def:203643 ABRT is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. It was found that ABRT was vulnerable to multiple race condition and symbolic link flaws. A loca ... oval:org.secpod.oval:def:203520 The mailx packages contain a mail user agent that is used to manage mail using scripts. A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-cha ... oval:org.secpod.oval:def:204249 The chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol , specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input. It can also operate as an NTPv4 ... oval:org.secpod.oval:def:205375 Java Security Services provides an interface between Java Virtual Machine and Network Security Services . It supports most of the security standards and encryption technologies supported by NSS including communication through SSL/TLS network protocols. JSS is primarily utilized by the Certificate S ... oval:org.secpod.oval:def:205124 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: incomplete fix for CVE-2018-16509 For more details about the security issue ... oval:org.secpod.oval:def:204879 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: race condition on reference counter leads to DoS using persistent search * 389- ... oval:org.secpod.oval:def:204861 The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use. Security Fix: * yum-utils: reposync: improper path validation may lead to directory traversal For more details about the security issue, including the impac ... oval:org.secpod.oval:def:204468 OpenJPEG is an open source library for reading and writing image files in JPEG2000 format. Security Fix: * Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in OpenJPEG. A specially crafted JPEG2000 image could cause an application using OpenJPEG to crash or, potent ... oval:org.secpod.oval:def:204722 PostgreSQL is an advanced object-relational database management system . Security Fix: * Privilege escalation flaws were found in the initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. Note: T ... oval:org.secpod.oval:def:204786 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ... oval:org.secpod.oval:def:204560 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * It was found that samba did not enforce "SMB signing" wh ... oval:org.secpod.oval:def:204799 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:204784 The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix: * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead For more details about the security issue, including the impact, a ... oval:org.secpod.oval:def:204759 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: remote Denial of Service via search filters in SetUnicodeStringFromUTF_8 in col ... oval:org.secpod.oval:def:204796 xdg-user-dirs is a tool to create and configure default desktop user directories such as the Music and the Desktop directories. Security Fix: * xdg-user-dirs, gnome-session: Xsession creation of XDG user directories does not honor system umask policy For more details about the security issue, inclu ... oval:org.secpod.oval:def:203839 The sos package contains a set of utilities that gather information from system hardware, logs, and configuration files. The information can then be used for diagnostic purposes and debugging. An insecure temporary file use flaw was found in the way sos created certain sosreport files. A local attac ... oval:org.secpod.oval:def:204188 OpenHPI is an open source project created with the intent of providing an implementation of the SA Forum"s Hardware Platform Interface . HPI provides an abstracted interface to managing computer hardware, typically for chassis and rack based servers. HPI includes resource modeling, access to and con ... oval:org.secpod.oval:def:205732 Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 oval:org.secpod.oval:def:204266 The rest library was designed to make it easier to access web services that claim to be RESTful. A RESTful service should have URLs that represent remote objects, which methods can then be called on. It was found that the OAuth implementation in librest, a helper library for RESTful services, incorr ... oval:org.secpod.oval:def:204648 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * A flaw was found in the way 389-ds-base handled authentication attempts against locked accoun ... oval:org.secpod.oval:def:204115 The ipsilon packages provide the Ipsilon identity provider service for federated single sign-on . Ipsilon links authentication providers and applications or utilities to allow for SSO. It includes a server and utilities to configure Apache-based service providers. Security Fix: * A vulnerability was ... oval:org.secpod.oval:def:204686 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine arch ... oval:org.secpod.oval:def:204138 The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer and Transport Layer Security protocols, using the Network Security Services security library. The following packages have been upgraded to a newer upstream version: mod_nss . Security Fix: * A ... oval:org.secpod.oval:def:204510 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix: * A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a se ... oval:org.secpod.oval:def:204605 The authconfig packages contain a command-line utility and a GUI application that can configure a workstation to be a client for certain network user information, authentication schemes, and other user information and authentication-related options. Security Fix: * A flaw was found where authconfig ... oval:org.secpod.oval:def:204142 The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. The following packages have been upgraded to a newer upstream version: pcs . Security Fix: * A Cross-Site Request Forgery flaw was found in the pcsd web UI. A remote attacker could provide a spec ... oval:org.secpod.oval:def:204145 The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform. The subscription-manager-migration-data package provides certificates for migrating a system from the legacy Red Hat Network Classic to ... oval:org.secpod.oval:def:204114 The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform. The subscription-manager-migration-data package provides certificates for migrating a system from the legacy Red Hat Network Classic to ... oval:org.secpod.oval:def:204675 The gtk-vnc packages provide a VNC viewer widget for GTK. The gtk-vnc widget is built by using co-routines, which allows the widget to be completely asynchronous while remaining single-threaded. The following packages have been upgraded to a later upstream version: gtk-vnc . Security Fix: * It was ... oval:org.secpod.oval:def:38254 The host is installed with kernel on Centos 7 and is prone to an use-after-free vulnerability. A flaw is present in the application, which fails to properly handle a race condition in packet_set_ring leads. Successful exploitation could allow attackers to elevate their privileges on the system. oval:org.secpod.oval:def:203995 Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix: * An insufficient permission check issue was found in the way IPA server treats certificate revocation requests. A ... oval:org.secpod.oval:def:204150 Fontconfig is designed to locate fonts within the system and select them according to requirements specified by applications. Security Fix: * It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary f ... oval:org.secpod.oval:def:203987 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix: * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to ... oval:org.secpod.oval:def:204129 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. The following packages have been upgraded to a newer upstream version: libvir ... oval:org.secpod.oval:def:204155 The GIMP is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. The following packages have been upgraded to a newer upstream ve ... oval:org.secpod.oval:def:204148 The GIMP is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. The following packages have been upgraded to a newer upstream ve ... oval:org.secpod.oval:def:204149 The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix: * It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file wi ... oval:org.secpod.oval:def:203937 Libndp is a library that provides a wrapper for the IPv6 Neighbor Discovery Protocol. It also provides a tool named ndptool for sending and receiving NDP messages. Security Fix: * It was found that libndp did not properly validate and check the origin of Neighbor Discovery Protocol messages. An at ... oval:org.secpod.oval:def:203946 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine arch ... oval:org.secpod.oval:def:203741 The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtu ... oval:org.secpod.oval:def:203928 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Security Fix: * It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a s ... oval:org.secpod.oval:def:204166 Kernel-based Virtual Machine is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix: * An integer overflow flaw and an out-of-bounds read flaw were found in the way QEMU"s ... oval:org.secpod.oval:def:204081 Kernel-based Virtual Machine is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix: * An out-of-bounds read-access flaw was found in the QEMU emulator built with IP check ... oval:org.secpod.oval:def:203834 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds read/write flaw was discovered in the way QEMU"s Firmware Configuration device emulation processed certain f ... oval:org.secpod.oval:def:203841 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. A stack-based buffer overflow was found in the way ... oval:org.secpod.oval:def:204172 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204165 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204135 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204139 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204125 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:203754 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. It was found that the QEMU"s websocket frame decoder processed incoming frames without limiting resources used to process the ... oval:org.secpod.oval:def:204218 The wireshark packages contain a network protocol analyzer used to capture and browse the traffic running on a computer network. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump f ... oval:org.secpod.oval:def:204232 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was discovered that the nss_files backend for ... oval:org.secpod.oval:def:204186 ABRT is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. libreport provides an API for reporting different problems in applications to different bug targ ... oval:org.secpod.oval:def:204213 ABRT is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. libreport provides an API for reporting different problems in applications to different bug targ ... oval:org.secpod.oval:def:203767 Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network . A fl ... oval:org.secpod.oval:def:204252 The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It was found that SSSD"s Privilege Attribute Certificate responder plug-in would leak a small amount of memory on each authentication request. A remote attack ... oval:org.secpod.oval:def:204208 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was discovered that, under certain circumstanc ... oval:org.secpod.oval:def:203725 The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. A command injection flaw was found in the pcsd web UI. An attacker able to trick a victim that was logged in to the pcsd web UI into visiting a specially crafted URL could use this flaw to execute ... oval:org.secpod.oval:def:203713 The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtu ... oval:org.secpod.oval:def:203699 Pluggable Authentication Modules provide a system whereby administrators can set up authentication policies without having to recompile programs to handle authentication. It was discovered that the _unix_run_helper_binary function of PAM"s unix_pam module could write to a blocking pipe, possibly ca ... oval:org.secpod.oval:def:203730 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU"s RTL8139 emulation implementation processed network packets under RTL8139 ... oval:org.secpod.oval:def:203680 The libuser library implements a standardized interface for manipulating and administering user and group accounts. Sample applications that are modeled after applications from the shadow password suite are included in these packages. Two flaws were found in the way the libuser library handled the ... oval:org.secpod.oval:def:203678 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. A heap buffer overflow flaw was found in the way QEMU"s IDE subsystem handled I/O buffer access while processing certain ATAP ... oval:org.secpod.oval:def:203677 Clutter is a library for creating fast, visually rich, graphical user interfaces. Clutter is used for rendering the GNOME desktop environment. A flaw was found in the way clutter processed certain mouse and touch gestures. An attacker could use this flaw to bypass the screen lock. All clutter users ... oval:org.secpod.oval:def:204214 The Pacemaker Resource Manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. A flaw was found in the way pacemaker, a cluster resource manager, evaluated added nodes in certain situations. A ... oval:org.secpod.oval:def:204254 The cups-filters packages contain back ends, filters, and other software that was once part of the core Common UNIX Printing System distribution but is now maintained independently. A heap-based buffer overflow flaw and an integer overflow flaw leading to a heap-based buffer overflow were discovere ... oval:org.secpod.oval:def:203651 Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network . A fl ... oval:org.secpod.oval:def:203726 HAProxy provides high availability, load balancing, and proxying for TCP and HTTP-based applications. An implementation error related to the memory management of request and responses was found within HAProxy"s buffer_slow_realign function. An unauthenticated remote attacker could possibly use this ... oval:org.secpod.oval:def:203588 Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web ... oval:org.secpod.oval:def:203587 Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web ... oval:org.secpod.oval:def:204264 The autofs utility controls the operation of the automount daemon. The daemon automatically mounts file systems when in use and unmounts them when they are not busy. It was found that program-based automounter maps that used interpreted languages such as Python used standard environment variables to ... oval:org.secpod.oval:def:204228 The libssh2 packages provide a library that implements the SSH2 protocol. A flaw was found in the way the kex_agree_methods function of libssh2 performed a key exchange when negotiating a new SSH session. A man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to crash a connecting l ... oval:org.secpod.oval:def:204244 The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog t ... oval:org.secpod.oval:def:204210 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. It was found that QEMU"s qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions did not correctly perform a domain unlock on a failed ACL check. A remote at ... oval:org.secpod.oval:def:204223 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outsi ... oval:org.secpod.oval:def:204197 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204219 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204202 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204204 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204203 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204209 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204245 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204239 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204222 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:203450 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt"s qemuDomainGetBlockIoTune ... oval:org.secpod.oval:def:203392 The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. It was found that when replication was enabled for each attribute in 389 Directory Server, which is the default co ... oval:org.secpod.oval:def:203379 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML document ... oval:org.secpod.oval:def:204227 The virt-who package provides an agent that collects information about virtual guests present in the system and reports them to the subscription manager. It was discovered that the /etc/sysconfig/virt-who configuration file, which may contain hypervisor authentication credentials, was world-readable ... oval:org.secpod.oval:def:203771 PostgreSQL is an advanced object-relational database management system . A memory leak error was discovered in the crypt function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. A stack overflow flaw was discovered ... oval:org.secpod.oval:def:203369 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU ... oval:org.secpod.oval:def:204704 Liblouis is an open source braille translator and back-translator named in honor of Louis Braille. It features support for computer and literary braille, supports contracted and uncontracted translation for many languages and has support for hyphenation. New languages can easily be added through tab ... oval:org.secpod.oval:def:86971 The host is installed with Control/CentOS Web Panel 7 before 0.9.8.1147 and is prone to an OS command injection vulnerability. A flaw is present in the application, which fails to handle an issue in login/index.php file. Successful exploitation allows remote attackers to execute arbitrary OS command ... oval:org.secpod.oval:def:205262 The K Desktop Environment is a graphical desktop environment for the X Window System. The kdelibs packages include core libraries for the K Desktop Environment. The kde-workspace packages consist of components providing the KDE graphical desktop environment. Security Fix: * kde-workspace: Missing s ... oval:org.secpod.oval:def:205284 The K Desktop Environment is a graphical desktop environment for the X Window System. The kdelibs packages include core libraries for the K Desktop Environment. The kde-workspace packages consist of components providing the KDE graphical desktop environment. Security Fix: * kde-workspace: Missing s ... oval:org.secpod.oval:def:205282 The K Desktop Environment is a graphical desktop environment for the X Window System. The kdelibs packages include core libraries for the K Desktop Environment. The kde-workspace packages consist of components providing the KDE graphical desktop environment. Security Fix: * kde-workspace: Missing s ... oval:org.secpod.oval:def:205277 The K Desktop Environment is a graphical desktop environment for the X Window System. The kdelibs packages include core libraries for the K Desktop Environment. The kde-workspace packages consist of components providing the KDE graphical desktop environment. Security Fix: * kde-workspace: Missing s ... oval:org.secpod.oval:def:205338 The K Desktop Environment is a graphical desktop environment for the X Window System. The kdelibs packages include core libraries for the K Desktop Environment. The kde-workspace packages consist of components providing the KDE graphical desktop environment. Security Fix: * kde-workspace: Missing s ... oval:org.secpod.oval:def:205543 Okular is a universal document viewer developed by KDE supporting different kinds of documents, like PDF, Postscript, DjVu, CHM, XPS, ePub and others. Security Fix: * okular: Directory traversal in function unpackDocumentArchive in core/document.cpp For more details about the security issue, includ ... oval:org.secpod.oval:def:204248 OpenLDAP is an open-source suite of Lightweight Directory Access Protocol applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap packages contain configuration files, libraries, and docum ... oval:org.secpod.oval:def:205511 The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - ... oval:org.secpod.oval:def:205203 FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Security Fix: * freeradius: eap-pwd: authentication bypass via an invalid curve attack * freeradius: eap-pw ... oval:org.secpod.oval:def:205197 Openwsman is a project intended to provide an open source implementation of the Web Services Management specification and to expose system management information on the Linux operating system using the WS-Management protocol. WS-Management is based on a suite of web services specifications and usag ... oval:org.secpod.oval:def:205254 The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures. The following packages have been upgraded to a later upstream versi ... oval:org.secpod.oval:def:205296 The keycloak-httpd-client-install packages provide various libraries and tools that can automate and simplify the configuration of Apache httpd authentication modules when registering as a Red Hat Single Sign-On federated Identity Provider client. The following packages have been upgraded to a lat ... oval:org.secpod.oval:def:205285 The unzip utility is used to list, test, and extract files from zip archives. Security Fix: * unzip: Buffer overflow in list.c resulting in a denial of service For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the ... oval:org.secpod.oval:def:205350 The unixODBC packages contain a framework that supports accessing databases through the ODBC protocol. Security Fix: * unixODBC: Buffer overflow in unicode_to_ansi_copy can lead to crash or other unspecified impact * unixODBC: Insecure buffer copy in SQLWriteFileDSN function in odbcinst/SQLWriteFil ... oval:org.secpod.oval:def:205307 The rsyslog packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine-grained control over output format. Security Fix: * rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is ena ... oval:org.secpod.oval:def:205336 The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix: * fence-agents: mis-handling of non-ASCII characters in guest comment fields ... oval:org.secpod.oval:def:205319 The Udisks project provides a daemon, tools, and libraries to access and manipulate disks, storage devices, and technologies. Security Fix: * udisks: Format string vulnerability in udisks_log in udiskslogging.c For more details about the security issue, including the impact, a CVSS score, acknowled ... oval:org.secpod.oval:def:205508 TagLib is a library for reading and editing the meta-data of different audio formats. Security Fix: * taglib: heap-based buffer over-read via a crafted audio file For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to ... oval:org.secpod.oval:def:205650 Performance Co-Pilot is a suite of tools, services, and libraries for acquisition, archiving, and analysis of system-level performance measurements. Its light-weight distributed architecture makes it particularly well-suited to centralized analysis of complex systems. Security Fix: * pcp: Local pri ... oval:org.secpod.oval:def:205493 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205494 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205496 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205482 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205485 Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The evolution-data-server packages provide a unified back end for applications which interact with contacts, tasks and calendar information. Evolution Data Server was orig ... oval:org.secpod.oval:def:205480 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205487 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205479 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205478 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205890 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205540 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205545 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205546 Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The evolution-data-server packages provide a unified back end for applications which interact with contacts, tasks and calendar information. Evolution Data Server was orig ... oval:org.secpod.oval:def:205541 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205542 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205531 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205533 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205538 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205520 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205528 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205517 Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The evolution-data-server packages provide a unified back end for applications which interact with contacts, tasks and calendar information. Evolution Data Server was orig ... oval:org.secpod.oval:def:205501 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205503 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205500 Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The evolution-data-server packages provide a unified back end for applications which interact with contacts, tasks and calendar information. Evolution Data Server was orig ... oval:org.secpod.oval:def:205505 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * gnome-shell: partial lock screen bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References ... oval:org.secpod.oval:def:205627 The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts. The following packages have been upgraded to a later upstream version: cloud-init . ... oval:org.secpod.oval:def:205174 The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts. Security Fix: * cloud-init: extra ssh keys added to authorized_keys on the Azure pla ... oval:org.secpod.oval:def:205991 Security Fix: hsqldb: Untrusted input may lead to RCE attack For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:204816 Librelp is an easy-to-use library for the Reliable Event Logging Protocol protocol. RELP is a general-purpose, extensible logging protocol. Security Fix: * librelp: Stack-based buffer overflow in relpTcpChkPeerName function in src/tcp.c For more details about the security issue, including the impa ... oval:org.secpod.oval:def:204740 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * A use-after-free flaw leading to denial of service was found in the way ... oval:org.secpod.oval:def:203883 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:204201 Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Two cross-site scripting flaws were found in jQuery, which impacted the Identity Management web administrative interface, and c ... oval:org.secpod.oval:def:31315 The /etc/group file should be owned by the appropriate user. oval:org.secpod.oval:def:31226 The kernel module hfsplus should be disabled. oval:org.secpod.oval:def:31178 Ensure Insecure File Locking is Not Allowed (/etc/exports) should be configured appropriately. oval:org.secpod.oval:def:31190 The RPM package httpd should be removed. oval:org.secpod.oval:def:31275 The kernel runtime parameter "net.ipv4.conf.all.accept_redirects" should be set to "0". oval:org.secpod.oval:def:31061 Record attempts to alter time through clock_settime. oval:org.secpod.oval:def:31034 The RPM package rsyslog should be installed. oval:org.secpod.oval:def:31217 SSL capabilities should be enabled for the mail server. oval:org.secpod.oval:def:31153 A remote NTP Server for time synchronization should be specified (and dependencies are met) oval:org.secpod.oval:def:31099 The RPM package tftp-server should be removed. oval:org.secpod.oval:def:31055 action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account oval:org.secpod.oval:def:31300 The /etc/shadow file should be owned by the appropriate user. oval:org.secpod.oval:def:31335 The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met) oval:org.secpod.oval:def:31220 Plaintext authentication of mail clients should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31031 The kernel module rds should be disabled. oval:org.secpod.oval:def:31317 File permissions for '/etc/group' should be set correctly. oval:org.secpod.oval:def:31069 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31057 Record attempts to alter time through adjtimex. oval:org.secpod.oval:def:31237 The squashfs Kernel Module should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31294 The password minclass should meet minimum requirements using pam_cracklib oval:org.secpod.oval:def:31304 The kernel module dccp should be disabled. oval:org.secpod.oval:def:31284 The kernel runtime parameter "net.ipv4.conf.all.rp_filter" should be set to "1". oval:org.secpod.oval:def:31297 Verify that Shared Library Files Have Root Ownership (/lib, /lib64, /usr/lib or /usr/lib64) should be configured appropriately. oval:org.secpod.oval:def:31282 The kernel runtime parameter "net.ipv4.icmp_ignore_bogus_error_responses" should be set to "1". oval:org.secpod.oval:def:31272 The kernel runtime parameter "net.ipv4.conf.all.send_redirects" should be set to "0". oval:org.secpod.oval:def:31054 admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action oval:org.secpod.oval:def:31305 The /etc/gshadow file should be owned by the appropriate group. oval:org.secpod.oval:def:31066 Record Events that Modify the System's Discretionary Access Controls - chmod. The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31186 The kernel module cramfs should be disabled. oval:org.secpod.oval:def:31215 The RPM package dovecot should be removed. oval:org.secpod.oval:def:31225 The RPM package squid should be removed. oval:org.secpod.oval:def:31077 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31187 Restrict Access to Anonymous Users should be configured appropriately. oval:org.secpod.oval:def:31308 Remote connections (SSH) from accounts with empty passwords should be disabled (and dependencies are met). oval:org.secpod.oval:def:31132 Limit Users SSH Access should be configured appropriately. oval:org.secpod.oval:def:31301 The SELinux state should be enforcing the local policy. oval:org.secpod.oval:def:31184 Logging of vsftpd transactions should be enabled or disabled as appropriate oval:org.secpod.oval:def:31262 The default umask for users of the bash shell oval:org.secpod.oval:def:31314 The passwords to remember should be set correctly. oval:org.secpod.oval:def:31188 File uploads via vsftpd should be enabled or disabled as appropriate oval:org.secpod.oval:def:31313 The number of allowed failed logins should be set correctly. oval:org.secpod.oval:def:31259 Set Password to Maximum of Three Consecutive Repeating Characters should be configured appropriately. oval:org.secpod.oval:def:31364 SSH warning banner should be enabled (and dependencies are met). oval:org.secpod.oval:def:31358 The requirement for a password to boot into single-user mode should be configured correctly. oval:org.secpod.oval:def:31329 The /etc/group file should be owned by the appropriate group. oval:org.secpod.oval:def:31026 Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/ip6tables). oval:org.secpod.oval:def:31346 The '/etc/shadow' file should be owned by the appropriate group. oval:org.secpod.oval:def:31051 max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value oval:org.secpod.oval:def:31234 The RPM package rsh should be installed. oval:org.secpod.oval:def:31249 Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package sho ... oval:org.secpod.oval:def:31344 The password minimum length should be set appropriately. oval:org.secpod.oval:def:31328 Emulation of the rsh command through the ssh server should be disabled (and dependencies are met) oval:org.secpod.oval:def:31322 PermitUserEnvironment should be disabled oval:org.secpod.oval:def:31157 Postfix network listening should be disabled oval:org.secpod.oval:def:31042 The rsyslog to Accept Messages via UDP, if Acting As Log Server should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31074 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31128 The anacron service should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31355 This test makes sure that '/etc/gshadow' is setted appropriate permission. If the target file or directory has an extended ACL then it will fail the mode check. oval:org.secpod.oval:def:31246 The kernel runtime parameter "fs.suid_dumpable" should be set to "0". oval:org.secpod.oval:def:31062 Record attempts to alter time through /etc/localtime oval:org.secpod.oval:def:31158 Protect against unnecessary release of information. oval:org.secpod.oval:def:31207 The kernel module jffs2 should be disabled. oval:org.secpod.oval:def:31222 Require samba clients which use smb.conf, such as smbclient, to use packet signing. A Samba client should only communicate with servers who can support SMB packet signing. oval:org.secpod.oval:def:31323 The password ucredit should meet minimum requirements using pam_cracklib oval:org.secpod.oval:def:31268 The RPM package screen should be installed. oval:org.secpod.oval:def:31085 Audit rules that detect the mounting of filesystems should be enabled. oval:org.secpod.oval:def:31216 The kernel module hfs should be disabled. oval:org.secpod.oval:def:31029 Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/iptables). oval:org.secpod.oval:def:31362 Audit files deletion events. oval:org.secpod.oval:def:31340 The kernel module sctp should be disabled. oval:org.secpod.oval:def:31056 Configure auditd to use audispd plugin (/etc/audisp/plugins.d/syslog.conf) should be configured appropriately. oval:org.secpod.oval:def:31338 This test makes sure that '/etc/shadow' file permission is setted as appropriate. If the target file or directory has an extended ACL then it will fail the mode check. oval:org.secpod.oval:def:31218 Dovecot plaintext authentication of clients should be enabled or disabled as necessary oval:org.secpod.oval:def:31324 The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation. oval:org.secpod.oval:def:31067 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31260 The number of allowed failed logins should be set correctly. oval:org.secpod.oval:def:31196 The kernel module freevxfs should be disabled. oval:org.secpod.oval:def:31361 Audit rules should detect modification to system files that hold information about users and groups. oval:org.secpod.oval:def:31139 Disable Avahi Publishing (/etc/avahi/avahi-daemon.conf) should be configured appropriately. oval:org.secpod.oval:def:31255 Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account. oval:org.secpod.oval:def:31021 The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0". oval:org.secpod.oval:def:31343 File permissions for /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin and /usr/local/sbin should be set correctly. oval:org.secpod.oval:def:31020 The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0". oval:org.secpod.oval:def:31316 Root login via SSH should be disabled (and dependencies are met) oval:org.secpod.oval:def:31160 Require the use of TLS for ldap clients. oval:org.secpod.oval:def:31298 The RPM package aide should be installed. oval:org.secpod.oval:def:31357 The RPM package telnet-server should be removed. oval:org.secpod.oval:def:31076 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31040 rsyslogd should reject remote messages oval:org.secpod.oval:def:31063 The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. oval:org.secpod.oval:def:31125 Disable Prelinking (/etc/sysconfig/prelink) should be configured appropriately. oval:org.secpod.oval:def:31350 The /etc/passwd file should be owned by the appropriate user. oval:org.secpod.oval:def:31240 The kernel module udf should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31078 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31075 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31257 The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed. oval:org.secpod.oval:def:31018 Global IPv6 initialization should be disabled. oval:org.secpod.oval:def:31228 The RPM package net-snmp should be removed. oval:org.secpod.oval:def:31079 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31065 Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled. oval:org.secpod.oval:def:31348 The password retry should meet minimum requirements using pam_cracklib oval:org.secpod.oval:def:31363 The system login banner text should be set correctly. oval:org.secpod.oval:def:31185 A warning banner for all FTP users should be enabled or disabled as appropriate oval:org.secpod.oval:def:31032 The kernel module tipc should be disabled. oval:org.secpod.oval:def:31319 Verify that Shared Library Files Have Restrictive Permissions (/lib, /lib64, /usr/lib or /usr/lib64) should be configured appropriately. oval:org.secpod.oval:def:31214 The dovecot service should be disabled if possible. oval:org.secpod.oval:def:31245 Core dumps for all users should be disabled oval:org.secpod.oval:def:31033 The RPM package libreswan should be installed. oval:org.secpod.oval:def:31244 The daemon umask should be set as appropriate oval:org.secpod.oval:def:31280 The kernel runtime parameter "net.ipv4.conf.default.secure_redirects" should be set to "0". oval:org.secpod.oval:def:31235 The RPM package ypbind should be installed. oval:org.secpod.oval:def:31248 The kernel runtime parameter "kernel.randomize_va_space" should be set to "2". oval:org.secpod.oval:def:74446 Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1).Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback net ... oval:org.secpod.oval:def:31073 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31345 The password hashing algorithm should be set correctly in /etc/login.defs. oval:org.secpod.oval:def:31312 This test makes sure that '/etc/passwd' has proper permission. If the target file or directory has an extended ACL then it will fail the mode check. oval:org.secpod.oval:def:31238 The RPM package talk-server should be installed. oval:org.secpod.oval:def:31050 num_logs setting in /etc/audit/auditd.conf is set to at least a certain value oval:org.secpod.oval:def:31232 The RPM package setroubleshoot should be installed. oval:org.secpod.oval:def:31072 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31263 The default umask for users of the csh shell oval:org.secpod.oval:def:31239 The RPM package talk should be installed. oval:org.secpod.oval:def:31273 The kernel runtime parameter "net.ipv4.ip_forward" should be set to "0". oval:org.secpod.oval:def:31058 Record attempts to alter time through settimeofday. oval:org.secpod.oval:def:31082 Audit rules should capture information about session initiation. oval:org.secpod.oval:def:31352 The password ocredit should meet minimum requirements using pam_cracklib oval:org.secpod.oval:def:31068 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31233 The RPM package mcstrans should be installed. oval:org.secpod.oval:def:31356 The password dcredit should meet minimum requirements using pam_cracklib oval:org.secpod.oval:def:31285 The kernel runtime parameter "net.ipv4.conf.default.rp_filter" should be set to "1". oval:org.secpod.oval:def:31154 Specify Additional Remote NTP Servers (/etc/ntp.conf) should be configured appropriately. oval:org.secpod.oval:def:31281 The kernel runtime parameter "net.ipv4.icmp_echo_ignore_broadcasts" should be set to "1". oval:org.secpod.oval:def:31219 Configure Dovecot to Use the SSL Key file should be configured appropriately. oval:org.secpod.oval:def:31283 The kernel runtime parameter "net.ipv4.tcp_syncookies" should be set to "1". oval:org.secpod.oval:def:31182 The RPM package vsftpd should be removed. oval:org.secpod.oval:def:31341 The password lcredit should meet minimum requirements using pam_cracklib oval:org.secpod.oval:def:31150 Logging (/etc/rsyslog.conf) should be configured appropriately. oval:org.secpod.oval:def:31339 The password hashing algorithm should be set correctly in /etc/pam.d/system-auth. oval:org.secpod.oval:def:31332 Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode. oval:org.secpod.oval:def:31053 space_left_action setting in /etc/audit/auditd.conf is set to a certain action oval:org.secpod.oval:def:31265 The default umask for all users specified in /etc/login.defs oval:org.secpod.oval:def:31349 The SELinux policy should be set appropriately. oval:org.secpod.oval:def:31333 The password hashing algorithm should be set correctly in /etc/libuser.conf. oval:org.secpod.oval:def:31278 The Kernel Parameter for Accepting Source-Routed Packets By Default and all interfaces should be enabled or disabled as appropriate oval:org.secpod.oval:def:31271 The kernel runtime parameter "net.ipv4.conf.default.send_redirects" should be set to "0". oval:org.secpod.oval:def:31030 IP forwarding should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31071 The changing of file permissions and attributes should be audited. oval:org.secpod.oval:def:31330 Only SSH protocol version 2 connections should be permitted. oval:org.secpod.oval:def:31131 If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22). oval:org.secpod.oval:def:31288 The kernel module bluetooth should be disabled. oval:org.secpod.oval:def:31279 The kernel runtime parameter "net.ipv4.conf.default.accept_redirects" should be set to "0". oval:org.secpod.oval:def:31180 The RPM package bind should be removed. oval:org.secpod.oval:def:31309 SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. oval:org.secpod.oval:def:31277 The kernel runtime parameter "net.ipv4.conf.all.log_martians" should be set to "1". oval:org.secpod.oval:def:31156 The RPM package sendmail should be removed. oval:org.secpod.oval:def:31210 The mod_security package installation should be configured appropriately. oval:org.secpod.oval:def:31041 The 'rsyslog' to Accept Messages via TCP, if Acting As Log Server should be enabled or disabled as appropriate. oval:org.secpod.oval:def:31089 The RPM package xinetd should be removed. oval:org.secpod.oval:def:31145 The RPM package dhcp should be removed. oval:org.secpod.oval:def:31087 Force a reboot to change audit rules is enabled oval:org.secpod.oval:def:31126 The kernel module usb-storage should be disabled. oval:org.secpod.oval:def:31276 The kernel runtime parameter "net.ipv4.conf.all.secure_redirects" should be set to "0". oval:org.secpod.oval:def:31337 The maximum number of concurrent login sessions per user should meet minimum requirements. oval:org.secpod.oval:def:31347 The audit rules should be configured to log information about kernel module loading and unloading. oval:org.secpod.oval:def:31296 The /etc/passwd file should be owned by the appropriate group. oval:org.secpod.oval:def:31039 Syslog logs should be sent to a remote loghost oval:org.secpod.oval:def:31236 The RPM package tftp should be installed. oval:org.secpod.oval:def:31052 max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action oval:org.secpod.oval:def:31351 All password hashes should be shadowed. oval:org.secpod.oval:def:31096 The RPM package ypserv should be removed. oval:org.secpod.oval:def:31090 The RPM package rsh-server should be removed. oval:org.secpod.oval:def:31161 The RPM package openldap-servers should be removed. oval:org.secpod.oval:def:31295 The password difok should meet minimum requirements using pam_cracklib oval:org.secpod.oval:def:31086 Audit actions taken by system administrators on the system. oval:org.secpod.oval:def:31299 The number of allowed failed logins should be set correctly. oval:org.secpod.oval:def:31354 The /etc/gshadow file should be owned by the appropriate user. oval:org.secpod.oval:def:31171 Specify UID and GID for Anonymous NFS Connections (/etc/exports) should be configured appropriately. oval:org.secpod.oval:def:31083 Audit rules about the Unauthorized Access Attempts to Files (unsuccessful) are enabled oval:org.secpod.oval:def:31230 Ensure Default Password Is Not Used (/etc/snmp/snmpd.conf) should be configured appropriately. oval:org.secpod.oval:def:31331 The RPM package telnet should be installed. oval:org.secpod.oval:def:31264 The default umask for all users should be set correctly oval:org.secpod.oval:def:31291 The root account is the only system account that should have a login shell. oval:org.secpod.oval:def:31325 The minimum password age policy should be set appropriately. oval:org.secpod.oval:def:31231 The maximum password age policy should meet minimum requirements. oval:org.secpod.oval:def:31254 Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. oval:org.secpod.oval:def:31293 The SSH idle timeout interval should be set to an appropriate value. oval:org.secpod.oval:def:31043 The logrotate (syslog rotater) service should be enabled. oval:org.secpod.oval:def:31292 The password warning age should be set appropriately. oval:org.secpod.oval:def:205129 sos-collector is a utility that gathers sosreports from multi-node environments. sos-collector facilitates data collection for support cases and it can be run from either a node or from an administrator"s local workstation that has network access to the environment. The following packages have been ... oval:org.secpod.oval:def:205287 The keepalived utility provides simple and robust facilities for load balancing and high availability. The load balancing framework relies on the well-known and widely used IP Virtual Server kernel module providing layer-4 load balancing. Keepalived implements a set of checkers to dynamically and ... oval:org.secpod.oval:def:204224 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:205451 KornShell is a Unix shell developed by AT&T Bell Laboratories, which is backward-compatible with the Bourne shell and includes many features of the C shell. The most recent version is KSH-93. KornShell complies with the POSIX.2 standard . Security Fix: * ksh: certain environment variables inte ... oval:org.secpod.oval:def:61189 A microarchitectural timing flaw was found on some Intel processors. In a corner case where data in-flight during the eviction process can end up in the fill buffers and not properly cleared by the MDS mitigations. The fill buffer contents (which were expected to be blank) can be inferred using MDS ... oval:org.secpod.oval:def:57647 PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL ... oval:org.secpod.oval:def:68579 A firewall zone defines the trust level for a connection, interface or source address binding. This is a one to many relation, which means that a connection, interface or source can only be part of one zone, but a zone can be used for many network connections, interfaces and sources. oval:org.secpod.oval:def:68580 The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unau ... oval:org.secpod.oval:def:68581 The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. oval:org.secpod.oval:def:68584 Since the /tmp partition is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. oval:org.secpod.oval:def:68585 Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp oval:org.secpod.oval:def:68582 The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivil ... oval:org.secpod.oval:def:68583 Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. oval:org.secpod.oval:def:68588 Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp oval:org.secpod.oval:def:68589 Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp oval:org.secpod.oval:def:68586 Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp oval:org.secpod.oval:def:68587 Since the /var/tmp partition is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. oval:org.secpod.oval:def:68568 Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed. oval:org.secpod.oval:def:68569 If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate. oval:org.secpod.oval:def:68570 If a users recorded password change date is in the future then they could bypass any set password expiration. oval:org.secpod.oval:def:68573 auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk oval:org.secpod.oval:def:68571 Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ... oval:org.secpod.oval:def:68577 Ensure default group for the root account is GID 0 oval:org.secpod.oval:def:68578 TMOUT is an environmental setting that determines the timeout of a shell in seconds. oval:org.secpod.oval:def:68575 Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters. oval:org.secpod.oval:def:68576 chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a ... oval:org.secpod.oval:def:68591 The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. oval:org.secpod.oval:def:68592 There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. oval:org.secpod.oval:def:68590 The /home directory is used to support disk storage needs of local users. oval:org.secpod.oval:def:68595 The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. oval:org.secpod.oval:def:68596 It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. oval:org.secpod.oval:def:68593 There are two important reasons to ensure that data gathered by is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based ... oval:org.secpod.oval:def:68594 There are two important reasons to ensure that data gathered by is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based ... oval:org.secpod.oval:def:68599 The file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information. oval:org.secpod.oval:def:68597 The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. oval:org.secpod.oval:def:68598 The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. oval:org.secpod.oval:def:68559 SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only re ... oval:org.secpod.oval:def:68557 SELinux gives that extra layer of security to the resources in the system. It provides the MAC (mandatory access control) as contrary to the DAC (Discretionary access control). oval:org.secpod.oval:def:68558 SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into ... oval:org.secpod.oval:def:68562 To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon. oval:org.secpod.oval:def:68563 To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon. oval:org.secpod.oval:def:68560 Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy. oval:org.secpod.oval:def:68561 The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. oval:org.secpod.oval:def:68566 The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories ... oval:org.secpod.oval:def:68567 The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login. oval:org.secpod.oval:def:68564 When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access ... oval:org.secpod.oval:def:68565 Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disa ... oval:org.secpod.oval:def:68548 Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribu ... oval:org.secpod.oval:def:68549 Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written t ... oval:org.secpod.oval:def:68551 The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su co ... oval:org.secpod.oval:def:68552 Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automat ... oval:org.secpod.oval:def:68550 GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system ... oval:org.secpod.oval:def:68555 iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables. oval:org.secpod.oval:def:68556 Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters. Rationale: SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden. oval:org.secpod.oval:def:68553 The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability. oval:org.secpod.oval:def:68554 Ensure LDAP Client is not installed oval:org.secpod.oval:def:68600 The file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information. oval:org.secpod.oval:def:74453 Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loop ... oval:org.secpod.oval:def:74460 Change the default policy to DROP (from ACCEPT) for the OUTPUT built-in chain (/etc/sysconfig/iptables). oval:org.secpod.oval:def:74481 Change the default policy to DROP (from ACCEPT) for the OUTPUT built-in chain (/etc/sysconfig/ip6tables). oval:org.secpod.oval:def:74467 Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The /var/run/failock directory maint ... oval:org.secpod.oval:def:74474 The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP ... oval:org.secpod.oval:def:74439 Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1).Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback net ... oval:org.secpod.oval:def:74432 Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain (/etc/sysconfig/ip6tables). oval:org.secpod.oval:def:68647 Ensure only strong MAC algorithms are used oval:org.secpod.oval:def:68648 Ensure mounting of FAT filesystems is limited oval:org.secpod.oval:def:68645 Ensure rsyslog default file permissions configured oval:org.secpod.oval:def:68646 Ensure only strong Key Exchange algorithms are used oval:org.secpod.oval:def:68649 Disable Automounting oval:org.secpod.oval:def:68650 Ensure use of privileged commands is collected oval:org.secpod.oval:def:68651 >Ensure mail transfer agent is configured for local-only mode oval:org.secpod.oval:def:68652 Ensure auditd service is enabled and running oval:org.secpod.oval:def:68614 All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. oval:org.secpod.oval:def:68615 The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group. oval:org.secpod.oval:def:68612 While the complete removal of /etc/sshd/sshd_config files is recommended if any are required on the system secure permissions must be applied. oval:org.secpod.oval:def:68613 System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. oval:org.secpod.oval:def:68618 Ensure sudo log file exists oval:org.secpod.oval:def:68619 sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. oval:org.secpod.oval:def:68616 Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site po ... oval:org.secpod.oval:def:68617 The .netrcfile presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrcfiles from other systems which could pose a risk to those systems. oval:org.secpod.oval:def:68621 Ensure root is the only UID 0 account oval:org.secpod.oval:def:68622 Ensure root is the only UID 0 account oval:org.secpod.oval:def:68620 sudo can be configured to run only from a pseudo-pty oval:org.secpod.oval:def:68603 Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. oval:org.secpod.oval:def:68604 Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. oval:org.secpod.oval:def:68601 The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. oval:org.secpod.oval:def:68602 The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to use ... oval:org.secpod.oval:def:68607 Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. oval:org.secpod.oval:def:68608 It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. Other/world should not have the ability to view this information. Group should not have the ability to modify this information. oval:org.secpod.oval:def:68605 Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. oval:org.secpod.oval:def:68606 Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. oval:org.secpod.oval:def:68609 An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authent ... oval:org.secpod.oval:def:68610 An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and ... oval:org.secpod.oval:def:68611 Ensure users' home directories permissions are 750 or more restrictive oval:org.secpod.oval:def:68636 Ensure firewalld service is enabled and running oval:org.secpod.oval:def:68637 Ensure ip6tables in enabled and running oval:org.secpod.oval:def:68634 Ensure nftables is not installed or stopped and masked oval:org.secpod.oval:def:68635 Ensure cron daemon is enabled and running oval:org.secpod.oval:def:68638 Ensure iptables in enabled and running oval:org.secpod.oval:def:68639 Ensure rsyslog Service is enabled and running oval:org.secpod.oval:def:68640 Ensure rpcbind is not installed or the rpcbind services are masked oval:org.secpod.oval:def:68643 Ensure ntp is configured oval:org.secpod.oval:def:68644 Ensure ntp is configured oval:org.secpod.oval:def:68641 Ensure rsync is not installed or the rsyncd service is masked oval:org.secpod.oval:def:68642 Ensure no users have .forward files oval:org.secpod.oval:def:68625 Ensure no duplicate group names account oval:org.secpod.oval:def:68626 nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. oval:org.secpod.oval:def:68623 Ensure root is the only UID 0 account oval:org.secpod.oval:def:68624 Ensure no duplicate user names account oval:org.secpod.oval:def:68629 Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. oval:org.secpod.oval:def:68627 Ensure iptables packages are installed oval:org.secpod.oval:def:68628 Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. oval:org.secpod.oval:def:68632 Ensure inactive password lock is 30 days or less oval:org.secpod.oval:def:68633 Ensure nfs-utils is not installed or the nfs-server service is masked oval:org.secpod.oval:def:68630 Ensure journald is configured to write logfiles to persistent disk oval:org.secpod.oval:def:68631 Ensure journald is configured to send logs to rsyslog oval:org.secpod.oval:def:203947 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Security Fix: * It was discovered that ImageMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially cra ... oval:org.secpod.oval:def:204834 The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component prov ... oval:org.secpod.oval:def:205660 The libsrtp package provides an implementation of the Secure Real-time Transport Protocol , the Universal Security Transform , and a supporting cryptographic kernel. Security Fix: * libsrtp: improper handling of CSRC count and extension header length in RTP header * libsrtp: buffer overflow in appl ... oval:org.secpod.oval:def:203933 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A flaw was found in the way the Linux kernel"s ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 ce ... oval:org.secpod.oval:def:203988 The kernel packages contain the Linux kernel, the core of any Linux operating system. It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel"s networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating con ... oval:org.secpod.oval:def:204022 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Linux kernel built with the 802.1Q/802.1ad VLAN OR Virtual eXtensible Local Area Network with Transparent Ethernet Bridging GRO support, is vulnerable to a stack overflow issue. It could occur while ... oval:org.secpod.oval:def:204452 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Linux kernel built with the Kernel-based Virtual Machine support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attack ... oval:org.secpod.oval:def:204520 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap and stack memory regions were adjacent to each other, an attacker could use this flaw to jump ov ... oval:org.secpod.oval:def:204720 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list o ... oval:org.secpod.oval:def:204725 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions . There are three primary variants of the issue which differ in th ... oval:org.secpod.oval:def:204878 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Integer overflow in Linux"s create_elf_tables function For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page li ... oval:org.secpod.oval:def:204001 The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. ... oval:org.secpod.oval:def:204146 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. The following packages have been upgraded to a newer upstream version: 389-ds-base . Security Fix: * It was ... oval:org.secpod.oval:def:205864 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: information disclosure during the binding of a DN For more details about the se ... oval:org.secpod.oval:def:205901 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed For more d ... oval:org.secpod.oval:def:205625 Openwsman is a project intended to provide an open source implementation of the Web Services Management specification and to expose system management information on the Linux operating system using the WS-Management protocol. WS-Management is based on a suite of web services specifications and usag ... oval:org.secpod.oval:def:205634 Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ... oval:org.secpod.oval:def:205834 The linux-firmware packages contain all of the firmware files that are required by various devices to operate. Security Fix: * hardware: buffer overflow in bluetooth firmware For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informatio ... oval:org.secpod.oval:def:205159 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix: * flatpak: potential /proc based sandbox escape For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to ... oval:org.secpod.oval:def:205298 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:205252 The spice-gtk packages provide a GIMP Toolkit widget for Simple Protocol for Independent Computing Environments clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol. The libgovirt packages contain a library ... oval:org.secpod.oval:def:205278 The spice-gtk packages provide a GIMP Toolkit widget for Simple Protocol for Independent Computing Environments clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol. The libgovirt packages contain a library ... oval:org.secpod.oval:def:205340 The spice-gtk packages provide a GIMP Toolkit widget for Simple Protocol for Independent Computing Environments clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol. The libgovirt packages contain a library ... oval:org.secpod.oval:def:205347 The spice-gtk packages provide a GIMP Toolkit widget for Simple Protocol for Independent Computing Environments clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol. The libgovirt packages contain a library ... oval:org.secpod.oval:def:204596 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204581 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204586 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204585 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204691 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204690 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204695 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204682 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204681 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204683 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204688 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204674 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204673 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204679 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204661 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204665 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204613 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204612 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204610 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204600 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204609 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204650 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204655 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204658 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204640 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204646 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204643 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204632 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204620 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204623 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204622 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204621 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:204629 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ... oval:org.secpod.oval:def:206017 Security Fix: samba: RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:205902 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.3.0 ESR. Security Fix: * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * ... oval:org.secpod.oval:def:205990 Security Fix: krb5: integer overflow vulnerabilities in PAC parsing For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:205870 The Qt Image Formats in an add-on module for the core Qt Gui library that provides support for additional image formats including MNG, TGA, TIFF, WBMP, and WebP. Security Fix: * libwebp: heap-based buffer overflow in PutLE16 * libwebp: use of uninitialized value in ReadSymbol * libwebp: heap-based ... oval:org.secpod.oval:def:205919 The RPM Package Manager is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Security Fix: * rpm: Signature checks bypass via corrupted rpm package For more details about the security issue, including the impac ... oval:org.secpod.oval:def:205633 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. Security Fix: * qt: files placed by attacker can influence the working directory and lead to malicious code execution * qt: files placed by attacker can influe ... oval:org.secpod.oval:def:205835 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: loader: OOB access while loading registered ROM may lead to code execution ... oval:org.secpod.oval:def:205981 Security Fix: systemd-resolved: use-after-free when dealing with DnsStream in resolved-dns-stream.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:205153 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:205293 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. The following packages have been upgraded to a later upstream version: bind . Security ... oval:org.secpod.oval:def:205616 The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Security Fix: * libvpx: Denial of service in mediaserver * libvpx: Out of bounds read in vp8_norm table * libvpx: Use-after-free in ... oval:org.secpod.oval:def:205378 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Security Fix ... oval:org.secpod.oval:def:205211 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * libvirt: wrong permissions in systemd admin-sock due to missi ... oval:org.secpod.oval:def:205304 The elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code. The following packages have been upgraded to a later upstream version: elfutils . Security Fix: * elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dw ... oval:org.secpod.oval:def:206016 Security Fix: pesign: Local privilege escalation on pesign systemd service For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:205982 Security Fix: open-vm-tools: local root privilege escalation in the virtual machine For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:205930 GEGL is a graph-based image processing framework. Security Fix: * gegl: shell expansion via a crafted pathname For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:205917 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ... oval:org.secpod.oval:def:205873 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:205863 Hivex is a library that can read and write Hive files, undocumented binary files that Windows uses to store the Windows Registry on disk. Security Fix: * hivex: Buffer overflow when provided invalid node key length For more details about the security issue, including the impact, a CVSS score, ackno ... oval:org.secpod.oval:def:205588 The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix: * unbound: incomplete fix for CVE-2020-12662 in RHEL7 For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the C ... oval:org.secpod.oval:def:205669 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:205579 The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix: * unbound: amplification of an incoming query into a large number of queries directed to a target * unbound: infinite loop via malformed DNS answers received from upstream servers For more detai ... oval:org.secpod.oval:def:205645 Okular is a universal document viewer developed by KDE supporting different kinds of documents, like PDF, Postscript, DjVu, CHM, XPS, ePub and others. Security Fix: * okular: local binary execution via specially crafted PDF files For more details about the security issue, including the impact, a CV ... oval:org.secpod.oval:def:205631 The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. Security Fix: * mod_auth_openidc: Open redirect in logout url when using URLs with leading slashes ... oval:org.secpod.oval:def:205147 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: Crash from assertion error when debug log level is 10 and log entr ... oval:org.secpod.oval:def:205661 The libssh2 packages provide a library that implements the SSH2 protocol. Security Fix: * libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE ... oval:org.secpod.oval:def:205481 The rsyslog packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine-grained control over output format. Security Fix: * rsyslog: heap-based overflow in contrib/pmaixforwardedfrom/pmaixforward ... oval:org.secpod.oval:def:205637 Hunspell is a spell checker and morphological analyzer library and program designed for languages with rich morphology and complex word compounding or character encoding. Security Fix: * hunspell: out-of-bounds read in SuggestMgr::leftcommonsubstring in suggestmgr.cxx For more details about the sec ... oval:org.secpod.oval:def:58412 A flaw was found in samba when certain parameters were set in the samba configuration file. An unauthenticated attacker could use this flaw to escape the shared directory and access the contents of directories outside of the share. oval:org.secpod.oval:def:205432 The Apache Commons BeanUtils library provides utility methods for accessing and modifying properties of arbitrary JavaBeans. Security Fix: * apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default For more details about the security issue, including the impa ... oval:org.secpod.oval:def:205665 The evince packages provide a simple multi-page document viewer for Portable Document Format , PostScript , Encapsulated PostScript files, and, with additional back-ends, also the Device Independent File format files. Poppler is a Portable Document Format rendering library, used by applications s ... oval:org.secpod.oval:def:205615 The evince packages provide a simple multi-page document viewer for Portable Document Format , PostScript , Encapsulated PostScript files, and, with additional back-ends, also the Device Independent File format files. Poppler is a Portable Document Format rendering library, used by applications s ... oval:org.secpod.oval:def:205358 Pango is a library for laying out and rendering of text, with an emphasis on internationalization. Pango forms the core of text and font handling for the GTK+ widget toolkit. Security Fix: * pango: pango_log2vis_get_embedding_levels heap-based buffer overflow For more details about the security iss ... oval:org.secpod.oval:def:205654 The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics image format files. Security Fix: * libpng: does not check length of chunks against user limit For more details about the security issue, including the impact, a CVSS score, acknowledgments, ... oval:org.secpod.oval:def:205514 The libosinfo packages provide a library that allows virtualization provisioning tools to determine the optimal device settings for a combination of hypervisor and operating system. Security Fix: * Libosinfo: osinfo-install-script option leaks password via command line argument For more details abo ... oval:org.secpod.oval:def:205495 The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server. Security Fix: * mod_auth_mellon: Open Redirect via the login?Return ... oval:org.secpod.oval:def:205332 The libssh2 packages provide a library that implements the SSH2 protocol. The following packages have been upgraded to a later upstream version: libssh2 . Security Fix: * libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read * libssh2: Out-of-bounds re ... oval:org.secpod.oval:def:205182 The libssh2 packages provide a library that implements the SSH2 protocol. Security Fix: * libssh2: Integer overflow in transport read resulting in out of bounds write * libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write * libssh2: Integer overflow in SSH pa ... oval:org.secpod.oval:def:205322 AdvanceCOMP is a set of recompression utilities for .PNG, .MNG and .ZIP files. Security Fix: * advancecomp: null pointer dereference in function be_uint32_read in endianrw.h * advancecomp: denial of service in function adv_png_unfilter_8 in lib/png.c For more details about the security issue, incl ... oval:org.secpod.oval:def:205257 FreeRDP is a free implementation of the Remote Desktop Protocol , released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. The vinagre packages provide the Vinagre remote desktop viewer for the GNOME desktop. The foll ... oval:org.secpod.oval:def:205320 FreeRDP is a free implementation of the Remote Desktop Protocol , released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. The vinagre packages provide the Vinagre remote desktop viewer for the GNOME desktop. The foll ... oval:org.secpod.oval:def:205283 The blktrace packages contain a number of utilities to record the I/O trace information for the kernel to user space, and utilities to analyze and view the trace information. Security Fix: * blktrace: buffer overflow in the dev_map_read function in btt/devmap.c For more details about the security i ... oval:org.secpod.oval:def:205273 SoX is a sound file format converter. SoX can convert between many different digitized sound formats and perform simple sound manipulation functions, including sound effects. Security Fix: * sox: NULL pointer dereference in startread function in xa.c For more details about the security issue, incl ... oval:org.secpod.oval:def:205351 mod_auth_openidc enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. Security Fix: * mod_auth_openidc: OIDC_CLAIM and OIDCAuthNHeader not skipped in an "AuthType oauth20" configuration * mod_auth_openidc: Shows user-supplied con ... oval:org.secpod.oval:def:205146 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * libsoup: Crash in soup_cookie_jar.c:get_cookies on empty hostnames * poppler: Infinite recursion in fofi/FoFiType1C.cc:FoFiType1C::cvtGlyph function allows denial of service * libgxps: heap based buffer over read ... oval:org.secpod.oval:def:205668 WebKitGTK+ is port of the WebKit portable web rendering engine to the GTK+ platform. These packages provide WebKitGTK+ for GTK+ 3. The following packages have been upgraded to a later upstream version: webkitgtk4 . Security Fix: * webkitgtk: Multiple security issues For more details about the secu ... oval:org.secpod.oval:def:205867 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.11.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 For more details about the security issue, inclu ... oval:org.secpod.oval:def:205895 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.14.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and Firefox ESR 91.1 For more details about the security issue, including the impact, a CVSS score, ... oval:org.secpod.oval:def:205896 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.14.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and Firefox ESR 91.1 For more details about the sec ... oval:org.secpod.oval:def:205910 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.2.0 ESR. Security Fix: * Mozilla: Use-after-free in MessageTask * Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefo ... oval:org.secpod.oval:def:205900 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.2.0. Security Fix: * Mozilla: Use-after-free in MessageTask * Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 * Mozilla: Memory safety bugs fixed i ... oval:org.secpod.oval:def:205907 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Security Fix: * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * Mozilla: iframe sandbox rules did not apply to X ... oval:org.secpod.oval:def:205931 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.5.0. Security Fix: * Mozilla: Iframe sandbox bypass with XSLT * Mozilla: Race condition when playing audio files * Mozilla: Heap-buffer-overflow in blendGaussianBlur * Mozilla: Use-after- ... oval:org.secpod.oval:def:205928 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.5.0 ESR. Security Fix: * Mozilla: Iframe sandbox bypass with XSLT * Mozilla: Race condition when playing audio files * Mozilla: Heap-buffer-ove ... oval:org.secpod.oval:def:205992 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:205993 Security Fix: Mozilla: Service Workers might have learned size of cross-origin media files Mozilla: Fullscreen notification bypass Mozilla: Use-after-free in InputStream implementation Mozilla: Use-after-free of a JavaScript Realm Mozilla: Fullscreen notification bypass via windowName Mozilla: ... oval:org.secpod.oval:def:205523 The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol , including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which us ... oval:org.secpod.oval:def:205905 FreeRDP is a free implementation of the Remote Desktop Protocol , released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. Security Fix: * freerdp: improper client input validation for gateway connections allows to ov ... oval:org.secpod.oval:def:204733 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were found in the Hotspot and AWT components of OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java ... oval:org.secpod.oval:def:204752 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * A flaw was found in the AWT component of OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ... oval:org.secpod.oval:def:205842 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Security Fix: * ImageMagick: Shell injection via PDF password could result in arbitrary code execution For more details about the security issue, including the impact, a CVS ... oval:org.secpod.oval:def:205995 Security Fix: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the ... oval:org.secpod.oval:def:204824 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:204829 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:205459 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:203429 The GNU Bourne Again shell is a shell and command language interpreter compatible with the Bourne shell . Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override o ... oval:org.secpod.oval:def:203485 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. ... oval:org.secpod.oval:def:203475 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A buffer overflow flaw was found in the Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_thumbnail function to crash or, possibly, execute arbitrary code with the p ... oval:org.secpod.oval:def:203468 The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when process ... oval:org.secpod.oval:def:203467 Wireshark is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network. Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the ... oval:org.secpod.oval:def:203453 The rsyslog packages provide an enhanced, multi-threaded syslog daemon that supports writing to relational databases, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine grained output format control. A flaw was found in the way rsyslog handled invalid log message p ... oval:org.secpod.oval:def:203451 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java ... oval:org.secpod.oval:def:203458 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java ... oval:org.secpod.oval:def:203459 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203497 The RPM Package Manager is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, descripti ... oval:org.secpod.oval:def:203403 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An off-by-one heap-based buffer overflow flaw was found in glibc"s ... oval:org.secpod.oval:def:203407 HttpClient is an HTTP/1.1 compliant HTTP agent implementation based on httpcomponents HttpCore. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject"s Common Name field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using ... oval:org.secpod.oval:def:203444 Apache Xerces for Java is a high performance, standards compliant, validating XML parser written in Java. The xerces-j2 packages provide Xerces-J version 2. A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specia ... oval:org.secpod.oval:def:203435 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP"s fileinfo module provides functions used to identify a particular file according to the type of data contained by the file. A buffer overflow flaw was found in the way the File Information extension processed ... oval:org.secpod.oval:def:203439 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS parsed ASN.1 inp ... oval:org.secpod.oval:def:203412 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203411 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203417 Jakarta Commons HTTPClient implements the client side of HTTP standards. It was discovered that the HTTPClient incorrectly extracted host name from an X.509 certificate subject"s Common Name field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.5 ... oval:org.secpod.oval:def:203416 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid. Red Hat would ... oval:org.secpod.oval:def:203594 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203598 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. A ... oval:org.secpod.oval:def:203586 The setroubleshoot packages provide tools to help diagnose SELinux problems. When Access Vector Cache messages are returned, an alert can be generated that provides information about the problem and helps to track its resolution. It was found that setroubleshoot did not sanitize file names supplied ... oval:org.secpod.oval:def:203583 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. A ... oval:org.secpod.oval:def:203523 The Network Time Protocol is used to synchronize a computer"s time with a referenced time source. Multiple buffer overflow flaws were discovered in ntpd"s crypto_recv, ctl_putdata, and configure functions. A remote attacker could use either of these flaws to send a specially crafted request packet ... oval:org.secpod.oval:def:203528 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel handled GS segment register base switching when recovering from a #SS fault on an erroneous return to user space. A local, unprivileged user could use this flaw to es ... oval:org.secpod.oval:def:203515 X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requireme ... oval:org.secpod.oval:def:203502 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203507 The libXfont packages provide the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. A use-after-free flaw was found in the way libXfont processed certain font files when attempting to add a new directory to the font path. A malicious, local user could exp ... oval:org.secpod.oval:def:203563 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon. A malicious Samba client could send specia ... oval:org.secpod.oval:def:203567 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203543 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to ... oval:org.secpod.oval:def:203547 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to ... oval:org.secpod.oval:def:203535 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203537 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:204196 A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application. A buffer overflow was found in the KADM5 administration server when it was used with an LDAP b ... oval:org.secpod.oval:def:203601 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203600 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the pr ... oval:org.secpod.oval:def:204216 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. A ... oval:org.secpod.oval:def:203368 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203355 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use th ... oval:org.secpod.oval:def:203354 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the way the sys_recvfile function of nmbd, the NetBIOS message bloc ... oval:org.secpod.oval:def:203395 OpenSSL is a toolkit that implements the Secure Sockets Layer , Transport Layer Security , and Datagram Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A race condition was found in the way OpenSSL handled ServerHello messages with an included S ... oval:org.secpod.oval:def:204231 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the pr ... oval:org.secpod.oval:def:203382 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP"s fileinfo module provides functions used to identify a particular file according to the type of data contained by the file. A denial of service flaw was found in the File Information extension rules for detec ... oval:org.secpod.oval:def:203377 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use th ... oval:org.secpod.oval:def:203875 OpenSSH is OpenBSD"s SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access ... oval:org.secpod.oval:def:203869 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND parsed signature records for DNAME re ... oval:org.secpod.oval:def:203890 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:203898 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:203897 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:203899 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:203824 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND processed certain malformed Address P ... oval:org.secpod.oval:def:204055 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204059 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204029 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A race condition was found in the way the Linux kernel"s memory subsystem handled the copy-on-write breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to ... oval:org.secpod.oval:def:204084 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote atta ... oval:org.secpod.oval:def:204086 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204079 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * A denial of service flaw was found in the way BIND processed a response ... oval:org.secpod.oval:def:204454 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the ... oval:org.secpod.oval:def:204439 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204012 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * A denial of service flaw was found in the way BIND constructed a respons ... oval:org.secpod.oval:def:204017 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.4.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204481 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services libraries. The following packages have been upgraded to a newer ... oval:org.secpod.oval:def:204004 Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially,execute arbitrary code with the privileges of the user running Firefox oval:org.secpod.oval:def:204487 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services libraries. The following packages have been upgraded to a newer ... oval:org.secpod.oval:def:204002 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A security flaw was found in the Linux kernel in the mark_source_chains function in net/ipv4/netfilter/ip_tables.c. It is possible for a user-supplied ipt_entry structure to have a large next_offset ... oval:org.secpod.oval:def:204464 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.8.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:203512 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND followed DNS delegations. A remote at ... oval:org.secpod.oval:def:203986 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix: * Quick Emulator built with the Block driver for iSCSI images support is vulnerable to a heap buffer overflow ... oval:org.secpod.oval:def:203974 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to complete ... oval:org.secpod.oval:def:203557 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. ... oval:org.secpod.oval:def:203541 OpenSSL is a toolkit that implements the Secure Sockets Layer , Transport Layer Security , and Datagram Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the DTLS implementation of OpenSSL. A remote att ... oval:org.secpod.oval:def:203908 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:203901 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:203905 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:203966 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly use ... oval:org.secpod.oval:def:203969 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to complete ... oval:org.secpod.oval:def:203931 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix: * An out-of-bounds read/write access flaw was found in the way QEMU"s VGA emulation with VESA BIOS Extensions ... oval:org.secpod.oval:def:204170 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * A denial of service flaw was found in the way BIND handled responses con ... oval:org.secpod.oval:def:204164 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.5.0 Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute ar ... oval:org.secpod.oval:def:204147 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.5.1. Security Fix: * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary ... oval:org.secpod.oval:def:40649 The host is installed with samba or samb4 on centOS 7 or centOS 6 and is prone to a remote code execution vulnerability. A flaw is present in the application, which fails to properly handle unknown vectors. Successful exploitation could allow attackers to execute malicious code. oval:org.secpod.oval:def:204132 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb . Security Fix: * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. ... oval:org.secpod.oval:def:204122 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.1 ESR. Security Fix: * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privil ... oval:org.secpod.oval:def:204105 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.7.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204109 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote atta ... oval:org.secpod.oval:def:203644 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. An invalid free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could ... oval:org.secpod.oval:def:203632 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU"s virtual Floppy Disk Controller handled FIFO buffer access wh ... oval:org.secpod.oval:def:203636 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. A ... oval:org.secpod.oval:def:203612 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the ... oval:org.secpod.oval:def:203610 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the ... oval:org.secpod.oval:def:203615 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the ... oval:org.secpod.oval:def:203684 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was discovered in Mozilla Firefox that could be used to violate the same-origin policy and inject web script into a non-privileged part of the built-in PDF file viewer . An attac ... oval:org.secpod.oval:def:203676 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remot ... oval:org.secpod.oval:def:204526 The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: * It was found that the original fix for CVE-2017- ... oval:org.secpod.oval:def:203661 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:204512 The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: * A flaw was found in the way sudo parsed tty info ... oval:org.secpod.oval:def:203668 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. I ... oval:org.secpod.oval:def:204508 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A remote code execution flaw was found in Samba. A malicious authe ... oval:org.secpod.oval:def:205529 Expat is a C library for parsing XML documents. Security Fix: * expat: Integer overflow leading to buffer overflow in XML_GetBuffer For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the Refe ... oval:org.secpod.oval:def:203736 OpenLDAP is an open source suite of Lightweight Directory Access Protocol applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap package contains configuration files, libraries, and docum ... oval:org.secpod.oval:def:203792 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND processed certain records with malfor ... oval:org.secpod.oval:def:203724 Network Security Services is a set of libraries designed to support cross-platform development of security-enabled client and server applications. A flaw was found in the way NSS verified certain ECDSA signatures. Under certain conditions, an attacker could use this flaw to conduct signature forge ... oval:org.secpod.oval:def:203723 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND parsed certain malformed DNSSEC keys. ... oval:org.secpod.oval:def:203705 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privil ... oval:org.secpod.oval:def:204892 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: A bug in the UTF-8 decoder can lead to DoS For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed ... oval:org.secpod.oval:def:204472 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid character ... oval:org.secpod.oval:def:204699 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * A vulnerability was discovered in Tomcat"s handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to b ... oval:org.secpod.oval:def:204677 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. The following packages have been upgraded to a later upstream version: tomcat . Security Fix: * The Realm implementations did not process the supplied password if the supplied user name did not exist. This ... oval:org.secpod.oval:def:204545 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * A vulnerability was discovered in the error page mechanism in Tomcat"s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the remova ... oval:org.secpod.oval:def:204023 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application de ... oval:org.secpod.oval:def:205994 Security Fix: xorg-x11-server: buffer overflow in _GetCountedString in xkb/xkb.c xorg-x11-server: memory leak in ProcXkbGetKbdByName in xkb/xkb.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page lis ... oval:org.secpod.oval:def:205927 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * xorg-x11-server: SProcRenderCompositeGlyphs out-of-bounds access * xorg-x11-server: SProcXFixesCreatePointerBar ... oval:org.secpod.oval:def:205300 The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to ... oval:org.secpod.oval:def:205291 libwpd is a library for reading and converting Corel WordPerfect Office documents. Security Fix: * libwpd: NULL pointer dereference in the function WP6ContentListener::defineTable in WP6ContentListener.cpp For more details about the security issue, including the impact, a CVSS score, acknowledgment ... oval:org.secpod.oval:def:205656 The Audio File library is an implementation of the Audio File Library from SGI, which provides an API for accessing audio file formats like AIFF/AIFF-C, WAVE, and NeXT/Sun .snd/.au files. Security Fix: * audiofile: Heap-based buffer overflow in Expand3To4Module::run when running sfconvert * audiofi ... oval:org.secpod.oval:def:205346 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Security Fix ... oval:org.secpod.oval:def:205516 The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts , and pcmcia configuration files. Security Fix: * bluez: failure in disabling Bluetooth discoverability in certain cases may lead to the unauthorized ... oval:org.secpod.oval:def:205506 The zziplib is a lightweight library to easily extract data from zip files. Security Fix: * zziplib: directory traversal in unzzip_cat in the bins/unzzipcat-mem.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to ... oval:org.secpod.oval:def:205302 The libcgroup packages provide tools and libraries to control and monitor control groups. Security Fix: * libcgroup: cgrulesengd creates log files with insecure permissions For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ... oval:org.secpod.oval:def:205326 Uriparser is a URI parsing library, which is written in C and strictly complies with RFC 3986. Security Fix: * uriparser: Out-of-bounds write via uriComposeQuery* or uriComposeQueryEx* function * uriparser: Integer overflow via uriComposeQuery* or uriComposeQueryEx* function For more details about ... oval:org.secpod.oval:def:205263 The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix: * binutils: integer overflow leads ... oval:org.secpod.oval:def:205507 The libqb packages provide a library with the primary purpose of providing high performance client/server reusable features, such as high performance logging, tracing, inter-process communication, and polling. Security Fix: * libqb: Insecure treatment of IPC files For more details about the securi ... oval:org.secpod.oval:def:205299 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: getaddrinfo should reject I ... oval:org.secpod.oval:def:205355 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: getaddrinfo should reject I ... oval:org.secpod.oval:def:44763 The host is installed with git and is prone to an input validation error vulnerability. A flaw is present in the application, which fails to handle the terminal configuration to RCE. Successful exploitation could allow attackers to execute arbitrary commands for unverified messages. oval:org.secpod.oval:def:205527 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: * squid: Incorrect pointer handling when processing ESI Responses can lead to denial of service * squid: Incorrect pointer handling in HTTP processing and certificate downl ... oval:org.secpod.oval:def:205259 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: Heap-based buffer over-read in the curl tool warning formatting For more details about the security issue, including th ... oval:org.secpod.oval:def:205664 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba . Se ... oval:org.secpod.oval:def:205640 The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts , and pcmcia configuration files. Security Fix: * bluez: Improper access control in subsystem could result in privilege escalation and DoS For more ... oval:org.secpod.oval:def:205641 The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities. Security Fix: * python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI images For more ... oval:org.secpod.oval:def:205223 Vim is an updated and improved version of the vi editor. Security Fix: * vim/neovim: ":source!" command allows arbitrary command execution via modelines For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE p ... oval:org.secpod.oval:def:205623 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:205380 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Improper handling of Kerberos proxy credentials * OpenJDK: Unexpected exception thrown during regular expression processing in Nashorn * OpenJD ... oval:org.secpod.oval:def:205381 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: Incorrect handling of nested jar: URLs in Jar URL handler * OpenJDK: Incorrect handling of HTTP proxy responses in HttpURLConnection * OpenJDK: ... oval:org.secpod.oval:def:205376 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Improper handling of Kerberos proxy credentials * OpenJDK: Unexpected exception thrown during regular expression processing in Nashorn * OpenJDK ... oval:org.secpod.oval:def:205341 OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix: * openssh: User enumeration via malformed packets in authentication requests For more details abo ... oval:org.secpod.oval:def:205339 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Improper handling of user with uid > INT_MAX leading to authentication bypa ... oval:org.secpod.oval:def:205491 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Improper authorization in polkit_backend_interactive_authority_check_authoriza ... oval:org.secpod.oval:def:205427 SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database w ... oval:org.secpod.oval:def:205447 The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities. Security Fix: * python-pillow: improperly restricted operations on memory buffer in libImaging/PcxDecode ... oval:org.secpod.oval:def:205868 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: ide: atapi: OOB access while processing read commands For more details abo ... oval:org.secpod.oval:def:205144 Perl is a high-level programming language that is commonly used for system administration utilities and web programming. Security Fix: * perl: Integer overflow leading to buffer overflow in Perl_my_setenv For more details about the security issue, including the impact, a CVSS score, and other relat ... oval:org.secpod.oval:def:205140 The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. The following packages have been upgraded to a later upstream version: gnutls . Security Fix: * gnutls: HMAC-SHA-256 vulnerable to Lucky thirtee ... oval:org.secpod.oval:def:50198 CVE-2019-6110 openssh: Acceptance and display of arbitrary stderr allows for spoofing of scp client output oval:org.secpod.oval:def:205185 FreeRDP is a free implementation of the Remote Desktop Protocol , released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. Security Fix: * freerdp: Integer truncation leading to heap-based buffer overflow in update_re ... oval:org.secpod.oval:def:205723 Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All applications using SPICE must be restarted for this update to take effect. oval:org.secpod.oval:def:205728 Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update ... oval:org.secpod.oval:def:37804 The host installed with kernel package on CentOS 5, 6 or 7 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to properly handle the copy-on-write (COW) breakage of private read-only memory mappings. Successful exploitation could allow attackers t ... oval:org.secpod.oval:def:205898 The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: * libxml2: Use after free via namespace node in XPointer ranges For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informa ... oval:org.secpod.oval:def:37184 The host is installed with MySQL 5.1.73 and earlier on Centos 6, mariadb 5.5.50 and earlier on Centos 7 or MySQL 5.0.95 and earlier on Centos 5 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to properly handle MySQL logging functions. Successf ... oval:org.secpod.oval:def:205921 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: CSRF token bypass allows to perform CSRF attacks and account takeover * mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover * mailman: CSRF protection missing in the user options pag ... oval:org.secpod.oval:def:36751 The host is installed with Linux kernel and is prone to a TCP session hijack vulnerability. A flaw is present in the application, which fails to handle a blind in-window attack. Successful exploitation allows man-in-the-middle attackers to hijack TCP sessions. oval:org.secpod.oval:def:205275 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources * tomcat: Late application of security constraints can lead to resource e ... oval:org.secpod.oval:def:205270 The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx. Security Fix: * procps-ng, procps: Local privilege escalation in top For more details about the security issue, i ... oval:org.secpod.oval:def:205353 The zziplib is a lightweight library to easily extract data from zip files. Security Fix: * zziplib: Bus error caused by loading of a misaligned address inzzip/zip.c * zziplib: Memory leak triggered in the function __zzip_parse_root_directory in zip.c For more details about the security issue, inc ... oval:org.secpod.oval:def:205303 Exempi provides a library for easy parsing of XMP metadata. It is a port of Adobe XMP SDK to work on UNIX and to be build with GNU automake. It includes XMPCore and XMPFiles. Security Fix: * exempi: Infinite Loop in Chunk class in XMPFiles/source/FormatSupport/RIFF.cpp * exempi: Use after free via ... oval:org.secpod.oval:def:205315 The Archive::Tar module provides a mechanism for Perl scripts to manipulate tar archive files. Security Fix: * perl: Directory traversal in Archive::Tar For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pa ... oval:org.secpod.oval:def:205840 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.8.0 ESR. Security Fix: * Mozilla: Content Security Policy violation report could have contained the destination of a redirect * Mozilla: Content ... oval:org.secpod.oval:def:205841 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.8.0. Security Fix: * Mozilla: Content Security Policy violation report could have contained the destination of a redirect * Mozilla: Content Security Policy violation report could have cont ... oval:org.secpod.oval:def:205139 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba . Se ... oval:org.secpod.oval:def:205522 The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Security Fix: * cups: Local privilege escalation to root due to insecure environment variable handling * cups: Manipulation of cupsd.conf by a local attacker resulting in limited read ... oval:org.secpod.oval:def:205256 The python-requests package contains a library designed to make HTTP requests easy for developers. Security Fix: * python-requests: Redirect from HTTPS to HTTP does not remove Authorization header For more details about the security issue, including the impact, a CVSS score, acknowledgments, and ot ... oval:org.secpod.oval:def:205290 The libmspack packages contain a library providing compression and extraction of the Cabinet file format used by Microsoft. Security Fix: * libmspack: Out-of-bounds write in mspack/cab.h * libmspack: chmd_read_headers fails to reject filenames containing NULL bytes For more details about the secu ... oval:org.secpod.oval:def:205280 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * libX11: Crash on invalid reply in XListExtensions in ListExt.c * libX11: Off-by-one error in XListExtensions in ... oval:org.secpod.oval:def:205281 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * libX11: Crash on invalid reply in XListExtensions in ListExt.c * libX11: Off-by-one error in XListExtensions in ... oval:org.secpod.oval:def:205289 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: Slirp: information leakage in tcp_emu due to uninitialized stack variables ... oval:org.secpod.oval:def:205279 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * libX11: Crash on invalid reply in XListExtensions in ListExt.c * libX11: Off-by-one error in XListExtensions in ... oval:org.secpod.oval:def:205308 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * libX11: Crash on invalid reply in XListExtensions in ListExt.c * libX11: Off-by-one error in XListExtensions in ... oval:org.secpod.oval:def:205309 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * libX11: Crash on invalid reply in XListExtensions in ListExt.c * libX11: Off-by-one error in XListExtensions in ... oval:org.secpod.oval:def:205343 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * libX11: Crash on invalid reply in XListExtensions in ListExt.c * libX11: Off-by-one error in XListExtensions in ... oval:org.secpod.oval:def:205331 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:205321 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: MyISAM unspecified vulnerability * mysql: Server: Security: Privileges unspecified vulnerabilit ... oval:org.secpod.oval:def:205314 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * libX11: Crash on invalid reply in XListExtensions in ListExt.c * libX11: Off-by-one error in XListExtensions in ... oval:org.secpod.oval:def:205312 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:205724 Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. oval:org.secpod.oval:def:205490 The texlive packages contain TeXLive, an implementation of TeX for Linux or UNIX systems. Security Fix: * texlive: Buffer overflow in t1_check_unusual_charstring function in writet1.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related i ... oval:org.secpod.oval:def:205435 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * libX11: Crash on invalid reply in XListExtensions in ListExt.c * libX11: Off-by-one error in XListExtensions in ... oval:org.secpod.oval:def:205142 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:50167 An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. oval:org.secpod.oval:def:50168 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. oval:org.secpod.oval:def:50169 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-jou ... oval:org.secpod.oval:def:205132 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: * ruby: OpenSSL::X509::Name equality check does not work correctly For more details about the security issue, including the impact, a ... oval:org.secpod.oval:def:205120 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:205127 The python-paramiko package provides a Python module that implements the SSH2 protocol for encrypted and authenticated connections to remote machines. Unlike SSL, the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. The protocol also includes the abili ... oval:org.secpod.oval:def:205171 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Open redirect in default servlet For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page ... oval:org.secpod.oval:def:205548 LFTP is a file transfer utility for File Transfer Protocol , Secure File Transfer Protocol , Hypertext Transfer Protocol , and other commonly used protocols. It uses the readline library for input, and provides support for bookmarks, built-in monitoring, job control, and parallel transfer of multipl ... oval:org.secpod.oval:def:205537 The gettext packages provide a documentation for producing multi-lingual messages in programs, set of conventions about how programs should be written, a runtime library, and a directory and file naming organization for the message catalogs. Security Fix: * gettext: double free in default_add_messag ... oval:org.secpod.oval:def:205550 The file command is used to identify a particular file according to the type of data the file contains. It can identify many different file types, including Executable and Linkable Format binary files, system libraries, RPM packages, and different graphics formats. Security Fix: * file: out-of-boun ... oval:org.secpod.oval:def:205504 Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: IMAP header caching path traversal vulnerability For more details about the secu ... oval:org.secpod.oval:def:205261 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:205267 The libguestfs-winsupport package adds support for Windows guests to libguestfs, a set of tools and libraries allowing users to access and modify virtual machine disk images. Security Fix: * ntfs-3g: heap-based buffer overflow leads to local root privilege escalation For more details about the sec ... oval:org.secpod.oval:def:205276 The compat-libtiff3 package provides libtiff 3, an older version of libtiff library for manipulating TIFF image format files. Security Fix: * libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory causes a denial of service For more details about the security issue, including the impa ... oval:org.secpod.oval:def:50200 openssh: scp client improper directory name validation oval:org.secpod.oval:def:205658 The libwmf packages provide a library for reading and converting Windows Metafile Format vector graphics. The library is used by applications such as GIMP and ImageMagick. Security Fix: * gd: double free in the gdImage*Ptr in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c For more details about the securi ... oval:org.secpod.oval:def:205208 The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix: * wget: do_conversion heap-based buffer overflow vulnerability For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informatio ... oval:org.secpod.oval:def:205209 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: * rubygems: Installing a malicious gem may lead to arbitrary code execution * rubygems: Escape sequence injection vulnerability in gem ... oval:org.secpod.oval:def:205305 The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. ... oval:org.secpod.oval:def:205345 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * libvirt: NULL pointer dereference after running qemuAgentComm ... oval:org.secpod.oval:def:205324 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba . Se ... oval:org.secpod.oval:def:205497 AdvanceCOMP is a set of recompression utilities for .PNG, .MNG and .ZIP files. Security Fix: * advancecomp: integer overflow in png_compress in pngex.cc For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pa ... oval:org.secpod.oval:def:205486 Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other pe ... oval:org.secpod.oval:def:50472 It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system and execute commands. oval:org.secpod.oval:def:205137 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.4.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * Mozilla: Memory corruption in Angle * Mozilla: ... oval:org.secpod.oval:def:50197 CVE-2019-6109 openssh: Missing character encoding in progress display allows for spoofing of scp client output. oval:org.secpod.oval:def:205125 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.3.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 * Mozilla: Crash with nested event loops * Mozilla: Integer overflow during Unicode conversion whi ... oval:org.secpod.oval:def:50199 CVE-2019-6111 openssh: Improper validation of object names allows malicious server to overwrite files via scp client oval:org.secpod.oval:def:205180 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.1 ESR. Security Fix: * Mozilla: IonMonkey MArraySlice has incorrect alias information * Mozilla: Ionmonkey type confusion with __proto__ mutat ... oval:org.secpod.oval:def:205181 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrect ... oval:org.secpod.oval:def:205176 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM ... oval:org.secpod.oval:def:205177 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: superexec operator is available * ghostscript: forceput in DefineResource ... oval:org.secpod.oval:def:205160 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:205162 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.1 ESR. Security Fix: * chromium-browser, mozilla: Use after free in Skia * mozilla: Integer overflow in Skia For more details about the secur ... oval:org.secpod.oval:def:205152 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.4.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * chromium-browser, firefox: Memory corruption in Angle * Mozilla: Use-after-free with select elem ... oval:org.secpod.oval:def:205151 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.0 ESR. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * ... oval:org.secpod.oval:def:205156 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * Mozilla: Privilege escalation through IPC channel ... oval:org.secpod.oval:def:205158 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine arch ... oval:org.secpod.oval:def:205535 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: TCP Pipelining doesn"t limit TCP clients on a single connection * ... oval:org.secpod.oval:def:205525 Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix: * dovecot: ... oval:org.secpod.oval:def:50618 It was found that libreoffice was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system locatio ... oval:org.secpod.oval:def:205264 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205265 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205260 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205266 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205269 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205251 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205253 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205250 Poppler is a Portable Document Format rendering library, used by applications such as Evince or Okular. Security Fix: * poppler: heap-based buffer over-read in XRef::getEntry in XRef.cc * poppler: heap-based buffer overflow in function ImageStream::getLine in Stream.cc * poppler: infinite recursi ... oval:org.secpod.oval:def:205255 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205249 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205295 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205294 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205286 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205288 Poppler is a Portable Document Format rendering library, used by applications such as Evince or Okular. Security Fix: * poppler: heap-based buffer over-read in XRef::getEntry in XRef.cc * poppler: heap-based buffer overflow in function ImageStream::getLine in Stream.cc * poppler: infinite recursi ... oval:org.secpod.oval:def:205666 libsndfile is a C library for reading and writing files containing sampled sound, such as AIFF, AU, or WAV. Security Fix: * libsndfile: buffer over-read in the function i2alaw_array in alaw.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other r ... oval:org.secpod.oval:def:205651 GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. The Intelligent Input Bus is an input method f ... oval:org.secpod.oval:def:205643 GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. The Intelligent Input Bus is an input method f ... oval:org.secpod.oval:def:205226 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.7.2. Security Fix: * Mozilla: Type confusion in Array.pop * thunderbird: Stack buffer overflow in icalrecur_add_bydayrules in icalrecur.c * Mozilla: Sandbox escape using Prompt:Open * thu ... oval:org.secpod.oval:def:205227 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.7.2 ESR. Security Fix: * Mozilla: Type confusion in Array.pop * Mozilla: Sandbox escape using Prompt:Open For more details about the security i ... oval:org.secpod.oval:def:205215 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: Limiting simultaneous TCP clients is ineffective For more details ... oval:org.secpod.oval:def:205621 D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix: * dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass For more details about the security issue, including the ... oval:org.secpod.oval:def:205352 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205301 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205348 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205333 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205334 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205335 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205325 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205327 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205328 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205329 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205317 Poppler is a Portable Document Format rendering library, used by applications such as Evince or Okular. Security Fix: * poppler: heap-based buffer over-read in XRef::getEntry in XRef.cc * poppler: heap-based buffer overflow in function ImageStream::getLine in Stream.cc * poppler: infinite recursi ... oval:org.secpod.oval:def:205310 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205313 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. The following packages have been upgraded to a later upstream version: qt5-qt3d , qt5-qtbase , qt5-qtcanvas3d , qt5-qtconnectivity , qt5-qtdeclarative , qt5-qtd ... oval:org.secpod.oval:def:205498 The qt packages contain a software toolkit that simplifies the task of writing and maintaining Graphical User Interface applications for the X Window System. Security Fix: * qt5-qtbase: Double free in QXmlStreamReader * qt: Malformed PPM image causing division by zero and crash in qppmhandler.cpp ... oval:org.secpod.oval:def:205488 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: TFTP receive heap buffer overflow in tftp_receive_packet function For more details about the security issue, including ... oval:org.secpod.oval:def:205489 Doxygen can generate an online class browser and/or a reference manual from a set of documented source files. The documentation is extracted directly from the sources. Doxygen can also be configured to extract the code structure from undocumented source files. Security Fix: * doxygen: cross-site s ... oval:org.secpod.oval:def:205138 The keepalived utility provides simple and robust facilities for load balancing and high availability. The load balancing framework relies on the well-known and widely used IP Virtual Server kernel module providing layer-4 load balancing. Keepalived implements a set of checkers to dynamically and ... oval:org.secpod.oval:def:205662 The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Security Fix: * cups: DNS rebinding attacks via incorrect whitelist * cups: stack-buffer-overflow in libcups"s asn1_get_type function * cups: stack-buffer-overflow in libcups"s asn1_ ... oval:org.secpod.oval:def:205652 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: heap buffer overflow in function tftp_receive_packet For more details about the security issue, including the impact, a ... oval:org.secpod.oval:def:59044 A flaw was found in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction. oval:org.secpod.oval:def:205647 Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Security Fix: * subversion: remotely triggerable DoS vulnerability in svnserve "get-deleted-rev ... oval:org.secpod.oval:def:205636 The libmspack packages contain a library providing compression and extraction of the Cabinet file format used by Microsoft. Security Fix: * libmspack: buffer overflow in function chmd_read_headers For more details about the security issue, including the impact, a CVSS score, acknowledgments, and o ... oval:org.secpod.oval:def:205632 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * libtiff: integer overflow in _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c * libtiff: integer overflow leading to heap-based buffer overflow in tif_getimage.c For more detail ... oval:org.secpod.oval:def:205622 The cpio packages provide the GNU cpio utility for creating and extracting archives, or copying files from one place to another. Security Fix: * cpio: improper input validation when writing tar header fields leads to unexpect tar generation For more details about the security issue, including the i ... oval:org.secpod.oval:def:205628 Simple DirectMedia Layer is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device. Security Fix: * SDL: buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c * SDL: heap-based buffer overflow in function MS_ADPCM_decode in audio/SDL_wa ... oval:org.secpod.oval:def:205361 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator * ghostsc ... oval:org.secpod.oval:def:205362 The K Desktop Environment is a graphical desktop environment for the X Window System. The kdelibs packages include core libraries for the K Desktop Environment. Security Fix: * kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction For more de ... oval:org.secpod.oval:def:205369 Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix: * dovecot: ... oval:org.secpod.oval:def:205365 The K Desktop Environment is a graphical desktop environment for the X Window System. The kdelibs packages include core libraries for the K Desktop Environment. Security Fix: * kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction For more de ... oval:org.secpod.oval:def:205874 PostgreSQL is an advanced object-relational database management system . Security Fix: * postgresql: Reconnection can downgrade connection security settings * postgresql: Multiple features escape security restricted operation sandbox * postgresql: TYPE in pg_temp executes arbitrary SQL during SECU ... oval:org.secpod.oval:def:205431 The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. ... oval:org.secpod.oval:def:205544 The bash packages provide Bash , which is the default shell for Red Hat Enterprise Linux. Security Fix: * bash: BASH_CMD is writable in restricted bash shells For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the ... oval:org.secpod.oval:def:205532 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:205521 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba . Se ... oval:org.secpod.oval:def:205918 PostgreSQL is an advanced object-relational database management system . Security Fix: * postgresql: Reconnection can downgrade connection security settings * postgresql: Multiple features escape security restricted operation sandbox * postgresql: TYPE in pg_temp executes arbitrary SQL during SE ... oval:org.secpod.oval:def:205274 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. The following packages have been upgraded to a la ... oval:org.secpod.oval:def:205272 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. The following packages have been upgraded to a la ... oval:org.secpod.oval:def:205655 The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: * libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c * libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c * libxml2: infinite loop in xmlStringLenDecodeEntitie ... oval:org.secpod.oval:def:205659 The SpamAssassin tool provides a way to reduce unsolicited commercial email from incoming email. Security Fix: * spamassassin: crafted email message can lead to DoS For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer ... oval:org.secpod.oval:def:205648 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: Server: Optimizer unspecified vulnerability * mysql: C API unspecified vulnerability * mysql: ... oval:org.secpod.oval:def:205630 OpenEXR is a high dynamic-range image file format developed by Industrial Light. Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. Security Fix: * OpenEXR: out-of-bounds read during Huffman uncompression * OpenEXR: std: ... oval:org.secpod.oval:def:205639 The librabbitmq packages provide an Advanced Message Queuing Protocol client library that allows you to communicate with AMQP servers using protocol version 0-9-1. Security Fix: * librabbitmq: integer overflow in amqp_handle_input in amqp_connection.c leads to heap-based buffer overflow For more d ... oval:org.secpod.oval:def:58236 A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the ip_reass() routine while reassembling incoming packets if the first fragment is bigger than the m->m_dat[] buffer. An attacker could use this flaw to crash the QEMU process on ... oval:org.secpod.oval:def:205613 OpenLDAP is an open-source suite of Lightweight Directory Access Protocol applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap packages contain configuration files, libraries, and docum ... oval:org.secpod.oval:def:205619 The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems. Security Fix: * e2fsprogs: Crafted ext4 partition leads to out-of-bounds write * e2fsprogs: Out-of-bounds write in e2fsck/rehash.c For more details about th ... oval:org.secpod.oval:def:205360 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: qxl: null pointer dereference while releasing spice resources For more det ... oval:org.secpod.oval:def:205344 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. The following packages have been upgraded to a la ... oval:org.secpod.oval:def:205316 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. The following packages have been upgraded to a la ... oval:org.secpod.oval:def:205472 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 68.6.0 ESR. Security Fix: * Mozilla: Use-after-free when removing data about origins * Mozilla: BodyStream::OnInputStreamReady was missing protecti ... oval:org.secpod.oval:def:205425 Python-reportlab is a library used for generation of PDF documents. Security Fix: * python-reportlab: code injection in colors.py allows attacker to execute code For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to t ... oval:org.secpod.oval:def:205426 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Use of unsafe RSA-MD5 checkum in Kerberos TGS * OpenJDK: Serialization filter changes via jdk.serialFilter property modification * OpenJDK: Imp ... oval:org.secpod.oval:def:205469 The International Components for Unicode library provides robust and full-featured Unicode services. Security Fix: * ICU: Integer overflow in UnicodeString::doAppend For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer ... oval:org.secpod.oval:def:205464 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.6.0. Security Fix: * Mozilla: Use-after-free when removing data about origins * Mozilla: BodyStream::OnInputStreamReady was missing protections against state confusion * Mozilla: Use-after ... oval:org.secpod.oval:def:205450 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.5.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 * Mozilla: Out-of-bounds read when processing certain email messages * Mozilla: Setting a master p ... oval:org.secpod.oval:def:205441 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS * OpenJDK: Serialization filter changes via jdk.serialFilter property modification * OpenJDK: Im ... oval:org.secpod.oval:def:205443 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 68.5.0 ESR. Security Fix: * Mozilla: Missing bounds check on shared memory read in the parent process * Mozilla: Memory safety bugs fixed in Firefo ... oval:org.secpod.oval:def:205445 The ppp packages contain the Point-to-Point Protocol daemon and documentation for PPP support. The PPP protocol provides a method for transmitting datagrams over serial point-to-point links. PPP is usually used to dial in to an Internet Service Provider or other organization over a modem and phone ... oval:org.secpod.oval:def:205515 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: Server: Pluggable Auth unspecified vulnerability * mysql: Server: Security: Privileges unspecif ... oval:org.secpod.oval:def:205519 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability allows malicious listowners to inject scripts into listinfo pages * mailman: Mishandled URLs in Utils.py:GetPathPieces allows attackers to display arbitrary text on trusted ... oval:org.secpod.oval:def:205906 The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: * libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c * libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c * libxml2: infinite loop in xmlStringLenDecodeEntitie ... oval:org.secpod.oval:def:205649 FreeRDP is a free implementation of the Remote Desktop Protocol , released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. The following packages have been upgraded to a later upstream version: freerdp . Security Fix ... oval:org.secpod.oval:def:205629 The libexif packages provide a library for extracting extra information from image files. The following packages have been upgraded to a later upstream version: libexif . Security Fix: * libexif: out of bound write in exif-data.c * libexif: out of bounds read due to a missing bounds check in exif_ ... oval:org.secpod.oval:def:205607 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 68.12.0 ESR. Security Fix: * Mozilla: Attacker-induced prompt for extension installation * Mozilla: Use-After-Free when aborting an operation For ... oval:org.secpod.oval:def:205460 LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix: * libvncserver: HandleCursorShape integer overflow resulting in heap-based buffer overflow For more details about the security issue, including the impact, a CVSS score, acknowledgmen ... oval:org.secpod.oval:def:205843 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * xorg-x11-server: Out-of-bounds access in XkbSetMap function * xorg-x11-server: XkbSetDeviceInfo heap-based buff ... oval:org.secpod.oval:def:205582 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: deserialization flaw in session persistence storage leading to RCE For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related ... oval:org.secpod.oval:def:205721 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.6.1. Security Fix: * Mozilla: Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk For more details about the security issue, including the impact, a CVSS score, acknowledg ... oval:org.secpod.oval:def:205722 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.6.1 ESR. Security Fix: * Mozilla: Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk For more details about the security issu ... oval:org.secpod.oval:def:205483 Poppler is a Portable Document Format rendering library, used by applications such as Evince. The evince packages provide a simple multi-page document viewer for Portable Document Format , PostScript , Encapsulated PostScript files, and, with additional back-ends, also the Device Independent File ... oval:org.secpod.oval:def:205484 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu For more ... oval:org.secpod.oval:def:205430 OpenJPEG is an open source library for reading and writing image files in JPEG2000 format. Security Fix: * openjpeg: Heap-based buffer overflow in opj_t1_clbl_decode_processor For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informati ... oval:org.secpod.oval:def:205839 The libexif packages provide a library for extracting extra information from image files. Security Fix: * libexif: out of bounds write due to an integer overflow in exif-entry.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informa ... oval:org.secpod.oval:def:205837 Perl is a high-level programming language that is commonly used for system administration utilities and web programming. Security Fix: * perl: heap-based buffer overflow in regular expression compiler leads to DoS * perl: corruption of intermediate language state of compiled regular expression due ... oval:org.secpod.oval:def:205145 LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix: * libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer allows for potential code execution For more details about the security issue, including th ... oval:org.secpod.oval:def:205187 The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server. Security Fix: * mod_auth_mellon: authentication bypass in ECP flow ... oval:org.secpod.oval:def:205512 Poppler is a Portable Document Format rendering library, used by applications such as Evince. The evince packages provide a simple multi-page document viewer for Portable Document Format , PostScript , Encapsulated PostScript files, and, with additional back-ends, also the Device Independent File ... oval:org.secpod.oval:def:205509 The unzip utility is used to list, test, and extract files from zip archives. Security Fix: * unzip: overlapping of files in ZIP container leads to denial of service For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer ... oval:org.secpod.oval:def:205611 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * dnsmasq: memory leak in the create_helper function in /src/helper.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ref ... oval:org.secpod.oval:def:205899 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: integer overflow in CipherUpdate * openssl: NULL pointer dereference in X509_issuer_and_serial_hash For ... oval:org.secpod.oval:def:205893 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: Broken inbound incremental zone update can cause named to termina ... oval:org.secpod.oval:def:205872 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * xorg-x11-server: XChangeFeedbackControl integer underflow leads to privilege escalation For more details about ... oval:org.secpod.oval:def:205865 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: Negative idmap cache entries can cause incorrect group entr ... oval:org.secpod.oval:def:205850 The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases. Security Fix: * samba: Out of bounds read in AD DC LDAP server For more details about the security issue, including the impact, a CVSS score, acknowledgments ... oval:org.secpod.oval:def:206015 Security Fix: xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:203703 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which htt ... oval:org.secpod.oval:def:205838 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix: * flatpak: sandbox escape via spawn portal For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the C ... oval:org.secpod.oval:def:204601 Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix: * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specia ... oval:org.secpod.oval:def:205925 Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix: * log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender For more details about the security issue, including the impact, a CVSS score, acknowledgments, an ... oval:org.secpod.oval:def:205904 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix: * flatpak: Sandbox bypass via recent VFS-manipulating syscalls For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informa ... oval:org.secpod.oval:def:205882 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix: * flatpak: file forwarding feature can be used to gain unprivileged access to files For more details about the security issue, including the impact, a CVSS score, acknowledgments, and ... oval:org.secpod.oval:def:204719 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * Multiple flaws were discovered in the RMI and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely byp ... oval:org.secpod.oval:def:204075 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Security Fix: * It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy function in certain cases. An untrusted Jav ... oval:org.secpod.oval:def:204493 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application u ... oval:org.secpod.oval:def:204489 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application u ... oval:org.secpod.oval:def:204578 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were discovered in the RMI and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely byp ... oval:org.secpod.oval:def:204542 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use th ... oval:org.secpod.oval:def:204669 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use th ... oval:org.secpod.oval:def:203888 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: MariaDB . Refer to the MariaDB Release Notes listed in the References section for a complete list of changes. Security Fix: * It wa ... oval:org.secpod.oval:def:205337 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * libtiff: buffer overflow in gif2tiff * libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution * li ... oval:org.secpod.oval:def:203985 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb . Security Fix: * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws c ... oval:org.secpod.oval:def:204269 PCRE is a Perl-compatible regular expression library. A flaw was found in the way PCRE handled certain malformed regular expressions. This issue could cause an application linked against PCRE to crash while parsing malicious regular expressions. This update also adds the following enhancement: * S ... oval:org.secpod.oval:def:204496 JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix: Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. Multiple flaws ... oval:org.secpod.oval:def:203527 JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, ex ... oval:org.secpod.oval:def:203544 JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute a ... oval:org.secpod.oval:def:205591 D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix: * dbus: denial of service via file descriptor leak For more details about the security issue, including the impact, ... oval:org.secpod.oval:def:205936 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: Out-of-bounds heap read/write vulnerability in VFS module v ... oval:org.secpod.oval:def:205923 Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix: * samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets For more details about the securi ... oval:org.secpod.oval:def:205926 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: Active Directory domain user could become root on domain m ... oval:org.secpod.oval:def:204773 The Simple Logging Facade for Java or is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging . Security Fix: * slf4j: Deserialisation vulnerability i ... oval:org.secpod.oval:def:204025 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy function in certain cases. An untrusted Jav ... oval:org.secpod.oval:def:204141 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy function in certain cases. An untrusted Jav ... oval:org.secpod.oval:def:205593 The grub2 packages provide version 2 of the Grand Unified Boot Loader , a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. The shim package contains a first-stage ... oval:org.secpod.oval:def:205594 The grub2 packages provide version 2 of the Grand Unified Boot Loader , a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. The shim package contains a first-stage ... oval:org.secpod.oval:def:205595 The grub2 packages provide version 2 of the Grand Unified Boot Loader , a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. The shim package contains a first-stage ... oval:org.secpod.oval:def:205742 Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 oval:org.secpod.oval:def:205642 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications * httpd: Out of bounds read in mod_cache_socache can allow a re ... oval:org.secpod.oval:def:204710 The Apache Portable Runtime is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. Security Fix: * An out-of-bounds array dereference was found in apr_time_exp_get. An attacker could abuse an unvalidated usage of thi ... oval:org.secpod.oval:def:204761 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: * It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attack ... oval:org.secpod.oval:def:205363 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: mod_auth_digest: access control bypass due to race condition * httpd: URL normalization inconsistency For more details about the security issue, including the impact, a CVSS ... oval:org.secpod.oval:def:205330 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: * ruby: HTTP response splitting in WEBrick * ruby: DoS by large request in WEBrick * ruby: Buffer under-read in String#unpack * ruby ... oval:org.secpod.oval:def:205549 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: mod_session_cookie does not respect expiry time * httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values * httpd: Out of bounds access afte ... oval:org.secpod.oval:def:205932 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: mod_lua: Possible buffer overflow when parsing multipart content * httpd: mod_session: Heap overflow via a crafted SessionHeader value * httpd: NULL pointer dereference via m ... oval:org.secpod.oval:def:205909 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: mod_proxy: SSRF via a crafted request uri-path containing unix: For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relat ... oval:org.secpod.oval:def:203871 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. M ... oval:org.secpod.oval:def:203861 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util package provides a set of utilities for NSS and the Softoken module. A heap-based buffer overflow flaw was found in the way NSS parsed ... oval:org.secpod.oval:def:203802 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security . A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attack ... oval:org.secpod.oval:def:203807 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS han ... oval:org.secpod.oval:def:203840 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbi ... oval:org.secpod.oval:def:203846 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. R ... oval:org.secpod.oval:def:203833 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203820 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to cra ... oval:org.secpod.oval:def:203827 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to cra ... oval:org.secpod.oval:def:203826 The Network Time Protocol is used to synchronize a computer"s time with a referenced time source. It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would ... oval:org.secpod.oval:def:203809 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packet ... oval:org.secpod.oval:def:203814 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. A ... oval:org.secpod.oval:def:203811 OpenSSH is OpenBSD"s SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak port ... oval:org.secpod.oval:def:203818 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to cra ... oval:org.secpod.oval:def:204008 Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially,execute arbitrary code with the privileges of the user running Firefox oval:org.secpod.oval:def:203999 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.3.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:203981 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.3.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:203919 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services libraries. Netscape Portable Runtime provides platform independ ... oval:org.secpod.oval:def:203921 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.1.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:203913 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to comp ... oval:org.secpod.oval:def:203911 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to comp ... oval:org.secpod.oval:def:203917 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services libraries. Netscape Portable Runtime provides platform independ ... oval:org.secpod.oval:def:203916 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services libraries. Netscape Portable Runtime provides platform independ ... oval:org.secpod.oval:def:203915 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services libraries. Netscape Portable Runtime provides platform independ ... oval:org.secpod.oval:def:203906 Graphite2 is a project within SIL"s Non-Roman Script Initiative and Language Software Development groups to provide rendering capabilities for complex non-Roman writing systems. Graphite can be used to create "smart fonts" capable of displaying writing systems with various complex behavior ... oval:org.secpod.oval:def:203962 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.2.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:203950 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.2.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:203940 The Network Time Protocol is used to synchronize a computer"s time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix: * It was found that when NTP was configure ... oval:org.secpod.oval:def:203929 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Security Fix: * Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to comp ... oval:org.secpod.oval:def:203935 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 38.8.0. Security Fix: * Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitr ... oval:org.secpod.oval:def:204167 The Network Time Protocol is used to synchronize a computer"s time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix: * It was found that the fix for CVE-2014-9 ... oval:org.secpod.oval:def:204158 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services libraries. The following packages have been upgraded to a newer ... oval:org.secpod.oval:def:204192 The libpng packages contain a library of functions for creating and manipulating PNG image format files. It was discovered that the png_get_PLTE and png_set_PLTE functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to ... oval:org.secpod.oval:def:204198 The libpng12 packages contain a library of functions for creating and manipulating PNG image format files. It was discovered that the png_get_PLTE and png_set_PLTE functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried t ... oval:org.secpod.oval:def:204123 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services libraries. The following packages have been upgraded to a newer ... oval:org.secpod.oval:def:204101 The Network Time Protocol is used to synchronize a computer"s time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix: * It was found that when ntp is configured ... oval:org.secpod.oval:def:203687 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:204205 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. A ... oval:org.secpod.oval:def:203761 Network Security Services is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A use-after-poison flaw and a heap-based buffer overf ... oval:org.secpod.oval:def:203766 Network Security Services is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A use-after-poison flaw and a heap-based buffer overf ... oval:org.secpod.oval:def:203751 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to c ... oval:org.secpod.oval:def:203750 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to c ... oval:org.secpod.oval:def:203759 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203757 Network Security Services is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A use-after-poison flaw and a heap-based buffer overf ... oval:org.secpod.oval:def:203740 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. T ... oval:org.secpod.oval:def:203745 The Network Time Protocol is used to synchronize a computer"s time with a referenced time source. It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that ... oval:org.secpod.oval:def:203731 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203789 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with th ... oval:org.secpod.oval:def:203774 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to c ... oval:org.secpod.oval:def:203709 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. N ... oval:org.secpod.oval:def:203714 gdk-pixbuf is an image loading library that can be extended by loadable modules for new image formats. It is used by toolkits such as GTK+ or clutter. An integer overflow, leading to a heap-based buffer overflow, was found in the way gdk-pixbuf, an image loading library for GNOME, scaled certain bit ... oval:org.secpod.oval:def:204793 The Network Time Protocol is used to synchronize a computer"s time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix: * ntp: Authenticated DoS via Malicious Con ... oval:org.secpod.oval:def:205271 The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance. Security Fix: * libjpeg: null pointer de ... oval:org.secpod.oval:def:204783 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * Qemu: vga: OOB read access during display update * Qemu: Slirp: use-after-free w ... oval:org.secpod.oval:def:204717 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * Quick Emulator , compiled with the PC System Emulator with multiboot feature supp ... oval:org.secpod.oval:def:205612 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: seccomp: blacklist is not applied to all threads * QEMU: vnc: memory leaka ... oval:org.secpod.oval:def:205190 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Font layout engine out of bounds access setCurrGlyphID * OpenJDK: Slow conversion of BigDecimal to long * OpenJDK: Incorrect skeleton selection ... oval:org.secpod.oval:def:205191 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Slow conversion of BigDecimal to long * OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling For more details abo ... oval:org.secpod.oval:def:205196 OVMF is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: * edk2: Buffer Overflow in BlockIo service for RAM disk For more details about the security issue, including the impact, a CVSS score, acknowledgments, ... oval:org.secpod.oval:def:205194 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: Font layout engine out of bounds access setCurrGlyphID * OpenJDK: Slow conversion of BigDecimal to long * OpenJDK: Incorrect skeleton selection ... oval:org.secpod.oval:def:204475 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed t ... oval:org.secpod.oval:def:205318 The Network Time Protocol is used to synchronize a computer"s time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix: * ntp: Stack-based buffer overflow in ntpq ... oval:org.secpod.oval:def:204859 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: insufficient index validation in PatternSyntaxException getMessage For more details about the security issue, including the impact, a CVSS score, ... oval:org.secpod.oval:def:204893 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Unrestricted access to scripting engine * OpenJDK: Incomplete enforcement of the trustURLCodebase restr ... oval:org.secpod.oval:def:204863 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: insufficient index validation in PatternSyntaxException getMessage For more details about the security issue, including the impact, a CVSS score, ... oval:org.secpod.oval:def:204815 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: cirrus: OOB access when updating VGA display For more details about the se ... oval:org.secpod.oval:def:204817 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * libvirt: Resource exhaustion via qemuMonitorIORead method * ... oval:org.secpod.oval:def:205499 The wireshark packages contain a network protocol analyzer used to capture and browse the traffic running on a computer network. Security Fix: * wireshark: Out-of-bounds read in packet-ldss.c * wireshark: Multiple dissectors could crash * wireshark: DICOM dissector infinite loop * wireshark: Ba ... oval:org.secpod.oval:def:204143 Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space. Security Fix: * Multiple flaws were found in the way nettle imple ... oval:org.secpod.oval:def:46444 Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis. oval:org.secpod.oval:def:205141 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. The following packages have been upgraded to a later upstream version: libvir ... oval:org.secpod.oval:def:205121 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * xorg-x11-server: Incorrect permission check in Xorg X server allows for privilege escalation For more details a ... oval:org.secpod.oval:def:205128 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction * OpenJDK: Incorrect handling of unsigned at ... oval:org.secpod.oval:def:205123 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Unrestricted access to scripting engine * OpenJDK: Incomplete enforcement of the trustURLCodebase restri ... oval:org.secpod.oval:def:205166 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information, ... oval:org.secpod.oval:def:205167 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ... oval:org.secpod.oval:def:205168 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Temporary auth hijacking via PID reuse and non-atomic fork For more details a ... oval:org.secpod.oval:def:205510 Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix: * python-twisted: Improper neutralization of CRLF characters in URIs and HTTP metho ... oval:org.secpod.oval:def:205586 The Network Time Protocol is used to synchronize a computer"s time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix: * ntp: ntpd using highly predictable trans ... oval:org.secpod.oval:def:204627 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * An out-of-bounds memory access issue was found in Quick Emulator in the VNC disp ... oval:org.secpod.oval:def:205892 Hivex is a library that can read and write Hive files, undocumented binary files that Windows uses to store the Windows Registry on disk. Security Fix: * hivex: stack overflow due to recursive call of _get_children For more details about the security issue, including the impact, a CVSS score, ackno ... oval:org.secpod.oval:def:205268 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: 0-byte record padding oracle * openssl: timing side channel attack in the DSA signature algorithm For mo ... oval:org.secpod.oval:def:204438 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * An integer underflow leading to an out of bounds read flaw was found in OpenSSL. A remote attacker could possibly u ... oval:org.secpod.oval:def:205311 OVMF is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: * edk2: Privilege escalation via processing of malformed files in TianoCompress.c * edk2: Privilege escalation via processing of malformed files in Bas ... oval:org.secpod.oval:def:204832 Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Security Fix: * xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag For more details about the security issue, including the impact, a ... oval:org.secpod.oval:def:205170 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures For more details about the security issu ... oval:org.secpod.oval:def:204617 The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. The following packages have been upgraded to a later upstream version: gnutls . Security Fix: * A double-free flaw was found in the way GnuTLS p ... oval:org.secpod.oval:def:204870 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams * QEMU ... oval:org.secpod.oval:def:87671 A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally by OpenSSL to support the SMIME, CMS, and PKCS7 streaming capabilities, but it may also be c ... oval:org.secpod.oval:def:87672 A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (for example, "CERTIFICATE"), any header data, and the payload data. If the function succeeds, then the "name_out," "header," and ... oval:org.secpod.oval:def:87669 A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages fo ... oval:org.secpod.oval:def:205924 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.4.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4 * Mozilla: URL leakage when navigating while execut ... oval:org.secpod.oval:def:50664 runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacke ... oval:org.secpod.oval:def:205922 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix: * nss: Memory corruption in decodeECorDsaSignature with DSA signatures For more details about the security issue, including the impa ... oval:org.secpod.oval:def:203639 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way the TLS protocol composes the Diffie-Hellman key exchange. A man-in-the-middle attacker could use thi ... oval:org.secpod.oval:def:203681 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java ... oval:org.secpod.oval:def:203670 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java ... oval:org.secpod.oval:def:203667 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java ... oval:org.secpod.oval:def:203652 Network Security Services is a set of libraries designed to support cross-platform development of security-enabled client and server applications. A flaw was found in the way the TLS protocol composes the Diffie-Hellman key exchange. A man-in-the-middle attacker could use this flaw to force the us ... oval:org.secpod.oval:def:203656 Network Security Services is a set of libraries designed to support cross-platform development of security-enabled client and server applications. A flaw was found in the way the TLS protocol composes the Diffie-Hellman key exchange. A man-in-the-middle attacker could use this flaw to force the us ... oval:org.secpod.oval:def:206023 Security Fix: OpenJDK: improper connection handling during TLS handshake OpenJDK: Swing HTML parsing issue OpenJDK: incorrect enqueue of references in garbage collector OpenJDK: certificate validation issue in TLS session negotiation OpenJDK: missing string checks for NULL characters OpenJ ... oval:org.secpod.oval:def:205920 OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix: * openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are conf ... oval:org.secpod.oval:def:205653 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS * tomcat: session fixation when using FORM authentication For more details about the security i ... oval:org.secpod.oval:def:204119 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. The following packages have been upgraded to a newer upstream version: tomcat . Security Fix: * A CSRF flaw was found in Tomcat"s the index pages for the Manager and Host Manager applications. These applic ... oval:org.secpod.oval:def:204064 Vim is an updated and improved version of the vi editor. Security Fix: * A vulnerability was found in vim in how certain modeline options were treated. An attacker could craft a file that, when opened in vim with modelines enabled, could execute arbitrary commands with privileges of the user runnin ... oval:org.secpod.oval:def:205883 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Incorrect comparison during range check elimination * OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host * Ope ... oval:org.secpod.oval:def:205879 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Incorrect comparison during range check elimination * OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host * Open ... oval:org.secpod.oval:def:205597 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access * OpenJDK: Incomplete bounds checks in Affine Transformations * OpenJDK: Incorrec ... oval:org.secpod.oval:def:205598 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access * OpenJDK: Incomplete bounds checks in Affine Transformations * OpenJDK: Incorrect ... oval:org.secpod.oval:def:205933 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Incomplete deserialization class filtering in ObjectInputStream * OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor * OpenJDK: In ... oval:org.secpod.oval:def:205935 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Incomplete deserialization class filtering in ObjectInputStream * OpenJDK: Insufficient URI checks in the XSLT TransformerImpl * OpenJDK: Unexp ... oval:org.secpod.oval:def:205911 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Loop in HttpsServer triggered during TLS session close * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation * Ope ... oval:org.secpod.oval:def:205903 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Loop in HttpsServer triggered during TLS session close * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation * Op ... oval:org.secpod.oval:def:205638 The exiv2 packages provide a command line utility which can display and manipulate image metadata such as EXIF, LPTC, and JPEG comments. Security Fix: * exiv2: out-of-bounds read in CiffDirectory::readDirectory due to lack of size check For more details about the security issue, including the impac ... oval:org.secpod.oval:def:205359 The exiv2 packages provide a command line utility which can display and manipulate image metadata such as EXIF, LPTC, and JPEG comments. The following packages have been upgraded to a later upstream version: exiv2 . Security Fix: * exiv2: heap-buffer-overflow in Exiv2::IptcData::printStructure in s ... oval:org.secpod.oval:def:205600 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.11.0. Security Fix: * chromium-browser: Use after free in ANGLE * chromium-browser: Inappropriate implementation in WebRTC * Mozilla: Potential leak of redirect targets when loading script ... oval:org.secpod.oval:def:205604 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 68.11.0 ESR. Security Fix: * chromium-browser: Use after free in ANGLE * chromium-browser: Inappropriate implementation in WebRTC * Mozilla: Poten ... oval:org.secpod.oval:def:205292 The linux-firmware packages contain all of the firmware files that are required by various devices to operate. Security Fix: * kernel: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange For more details about the security issue, incl ... oval:org.secpod.oval:def:205462 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, re ... oval:org.secpod.oval:def:61640 The host is installed with Apache Tomcat 9.x before 9.0.31, 7.x before 7.0.100 or 8.5.x before 8.5.51 and is prone to an AJP request injection vulnerability. A flaw is present in application, which fails to properly handle a regression introduced due to refactoring. Successful exploitation allows re ... oval:org.secpod.oval:def:205149 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Use-after-free due to race condition in AF_PACKET implementation * kernel: userfaultfd bypasses tmpfs file permissions For more details about the security issue, including the impact, a CV ... oval:org.secpod.oval:def:48098 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:204835 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:204959 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:204267 The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chai ... oval:org.secpod.oval:def:203849 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 protocol. An attacker can potentially use this flaw to de ... oval:org.secpod.oval:def:34293 The host is installed with Apple iTunes before 12.4.2 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash the service. oval:org.secpod.oval:def:34294 The host is installed with Apple iTunes before 12.4.2 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash the service. oval:org.secpod.oval:def:34295 The host is installed with Apple iTunes before 12.4.2 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash the service. oval:org.secpod.oval:def:34296 The host is installed with Apple Mac OS X or Server 10.11.x before 10.11.6 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow attackers to cause a system denial of service. oval:org.secpod.oval:def:203932 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to creat ... oval:org.secpod.oval:def:204176 The libxml2 library is a development toolbox providing the implementation of various XML standards. Several denial of service flaws were found in libxml2, a library providing support for reading, modifying, and writing XML and HTML files. A remote attacker could provide a specially crafted XML or HT ... oval:org.secpod.oval:def:204178 NetworkManager is a system network service that manages network devices and connections. It was discovered that NetworkManager would set device MTUs based on MTU values received in IPv6 RAs , without sanity checking the MTU value first. A remote attacker could exploit this flaw to create a denial of ... oval:org.secpod.oval:def:204195 NetworkManager is a system network service that manages network devices and connections. It was discovered that NetworkManager would set device MTUs based on MTU values received in IPv6 RAs , without sanity checking the MTU value first. A remote attacker could exploit this flaw to create a denial of ... oval:org.secpod.oval:def:204241 NetworkManager is a system network service that manages network devices and connections. It was discovered that NetworkManager would set device MTUs based on MTU values received in IPv6 RAs , without sanity checking the MTU value first. A remote attacker could exploit this flaw to create a denial of ... oval:org.secpod.oval:def:204233 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way delivering of benign exceptions such as #AC ... oval:org.secpod.oval:def:204238 NetworkManager is a system network service that manages network devices and connections. It was discovered that NetworkManager would set device MTUs based on MTU values received in IPv6 RAs , without sanity checking the MTU value first. A remote attacker could exploit this flaw to create a denial of ... oval:org.secpod.oval:def:203729 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the kernel"s implementation of the Berkeley Packet Filter . A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly ... oval:org.secpod.oval:def:203862 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 protocol. An attacker can potentially use this flaw to de ... oval:org.secpod.oval:def:203433 The GNU Bourne Again shell is a shell and command language interpreter compatible with the Bourne shell . Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environme ... oval:org.secpod.oval:def:203422 The procmail program is used for local mail delivery. In addition to just delivering mail, procmail can be used for automatic filtering, presorting, and other mail handling jobs. A heap-based buffer overflow flaw was found in procmail"s formail utility. A remote attacker could send an email with spe ... oval:org.secpod.oval:def:204757 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix: * php: Buffer over-read from unitialized data in gdImageCreateFromGifCtx function For more details about the security issue, including the impact, a CVSS score, and other related information, refer t ... oval:org.secpod.oval:def:203591 The unzip utility is used to list, test, or extract files from a zip archive. A buffer overflow was found in the way unzip uncompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash or, possibly, execute arbitrary code when the archive was tested with unz ... oval:org.secpod.oval:def:203581 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. An invalid pointer use flaw was found in OpenSSL"s ASN1_TYPE_cmp function. A remote attacker could crash a TLS/SSL client or serve ... oval:org.secpod.oval:def:203524 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was found that the wordexp function would perf ... oval:org.secpod.oval:def:203500 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML d ... oval:org.secpod.oval:def:203551 The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. A heap-based buffer overflow was found in glibc"s __ ... oval:org.secpod.oval:def:204175 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. An invalid pointer use flaw was found in OpenSSL"s ASN1_TYPE_cmp function. A remote attacker could crash a TLS/SSL client or serve ... oval:org.secpod.oval:def:204179 The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol , including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which us ... oval:org.secpod.oval:def:204190 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. An out-of-bounds read flaw was found in the way g ... oval:org.secpod.oval:def:204183 OpenSSH is OpenBSD"s SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to full ... oval:org.secpod.oval:def:203693 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. It was found that the MySQL client library permitted but did not require a client to use SSL/TLS when establishing a secure connection to a MySQL server using the "--ssl" option. A man-in-the- ... oval:org.secpod.oval:def:203655 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, ... oval:org.secpod.oval:def:204260 The Network Time Protocol is used to synchronize a computer"s time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. It was found that because NTP"s access control was based ... oval:org.secpod.oval:def:204215 The file command is used to identify a particular file according to the type of data the file contains. It can identify many different file types, including Executable and Linkable Format binary files, system libraries, RPM packages, and different graphics formats. Multiple denial of service flaws ... oval:org.secpod.oval:def:204255 The unzip utility is used to list, test, or extract files from a zip archive. A buffer overflow was found in the way unzip uncompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash or, possibly, execute arbitrary code when the archive was tested with unz ... oval:org.secpod.oval:def:203582 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel"s Infiniband subsystem did not properly sanitize input parameters while registering memory regions from user space via the verbs API. A local user with access to a /dev/infiniba ... oval:org.secpod.oval:def:203756 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel"s VFS subsystem handled file system locks. A local, unprivileged user could use this flaw to trigger a deadlock in the kernel, causing a denial of service on the syste ... oval:org.secpod.oval:def:203401 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, and other security standards. It was found that the implementation of Internationalizing Domain ... oval:org.secpod.oval:def:203398 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, and other security standards. It was found that the implementation of Internationalizing Domain ... oval:org.secpod.oval:def:203397 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, and other security standards. It was found that the implementation of Internationalizing Domain ... oval:org.secpod.oval:def:203374 Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A race condition was found in the way NSS verifie ... oval:org.secpod.oval:def:204571 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker ... oval:org.secpod.oval:def:203359 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a thread ... oval:org.secpod.oval:def:204608 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * It was discovered that the httpd"s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote ... oval:org.secpod.oval:def:204140 Expat is a C library for parsing XML documents. Security Fix: * An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, pos ... oval:org.secpod.oval:def:203696 SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database w ... oval:org.secpod.oval:def:205455 Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Security Fix: * xerces-c: XML parser cont ... oval:org.secpod.oval:def:205889 The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to ... oval:org.secpod.oval:def:206070 Security Fix: python-reportlab: code injection in paraparser.py allows code execution For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:206073 Security Fix: Mozilla: Out-of-bounds memory read in networking channels Mozilla: Alert dialog could have been spoofed on another site Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 Mozilla: Fullscreen Notification could have been hidden by select elemen ... oval:org.secpod.oval:def:206074 Security Fix: Mozilla: Out-of-bounds memory read in networking channels Mozilla: Alert dialog could have been spoofed on another site Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 Mozilla: Fullscreen Notification could have been hidden by select elemen ... oval:org.secpod.oval:def:206071 Security Fix: For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:205617 FontForge is a font editor for outline and bitmap fonts. It supports a range of font formats, including PostScript , TrueType, OpenType and CID-keyed fonts. Security Fix: * fontforge: out-of-bounds write in SFD_GetFontMetaData function in sfd.c For more details about the security issue, including ... oval:org.secpod.oval:def:205453 The http-parser package provides a utility for parsing HTTP messages. It parses both requests and responses. The parser is designed to be used in performance HTTP applications. It does not make any system calls or allocations, it does not buffer data, and it can be interrupted at any time. Depending ... oval:org.secpod.oval:def:87668 A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp ca ... oval:org.secpod.oval:def:206022 Security Fix: openssl: X.400 address type confusion in X.509 GeneralName For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:203838 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel"s keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges o ... oval:org.secpod.oval:def:203683 The kernel packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel"s netfilter connection tracking implementation loaded extensions. An attacker on a local network could potentially send a sequence of specially craft ... oval:org.secpod.oval:def:206020 Security Fix: nss: Arbitrary memory write via PKCS 12 For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:206021 Security Fix: Mozilla: Incorrect code generation during JIT compilation Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9 Mozilla: Potential out-of-bounds when accessing throttled streams Mozilla: Invalid downcast in Worklets Mozilla: URL being dragged from a removed cross-o ... oval:org.secpod.oval:def:206024 Security Fix: MFSA-TMP-2023-0001 Mozilla: Double-free in libwebp Mozilla: Fullscreen notification obscured Mozilla: Potential Memory Corruption following Garbage Collector compaction Mozilla: Invalid free from JavaScript code Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.1 ... oval:org.secpod.oval:def:206025 Security Fix: Thunderbird: Revocation status of S/Mime recipient certificates was not checked Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack Mozilla: Fullscreen notification obscured Mozilla: Potential Memory Corruption following Garbage Collector compaction ... oval:org.secpod.oval:def:206072 Security Fix: pillow: Arbitrary Code Execution via the environment parameter For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. oval:org.secpod.oval:def:205620 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * libvirt: Potential DoS by holding a monitor job while queryin ... oval:org.secpod.oval:def:205492 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. The following packages have been upgraded to a later upstream version: ImageMagick . Security Fix: * ImageMagick: multiple security vulnerabilities For more details about t ... oval:org.secpod.oval:def:205536 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. The following packages have been upgraded to a later upstream version: ImageMagick . Security Fix: * ImageMagick: multiple security vulnerabilities For more details about t ... oval:org.secpod.oval:def:205513 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. The following packages have been upgraded to a later upstream version: ImageMagick . Security Fix: * ImageMagick: multiple security vulnerabilities For more details about t ... oval:org.secpod.oval:def:205502 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. The following packages have been upgraded to a later upstream version: ImageMagick . Security Fix: * ImageMagick: multiple security vulnerabilities For more details about t ... oval:org.secpod.oval:def:204446 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A use-after-free flaw was found in the way the Linux kernel"s Datagram Congestion Control Protocol implementation freed SKB resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option ... oval:org.secpod.oval:def:205851 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: out-of-bounds read in libiscsi module * kernel: heap buffer overflow in the iSCSI subsystem * kernel: iscsi: unrestricted access to sessions and handles For more details about the securit ... oval:org.secpod.oval:def:206019 Security Fix: kernel: stack overflow in do_proc_dointvec and proc_skip_spaces kernel: use-after-free related to leaf anon_vma double reuse For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in ... oval:org.secpod.oval:def:205601 PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. Security Fix: * postgresql-jdbc: XML external entity vulnerability in PgSQLXML This update introduces a backwards in ... oval:org.secpod.oval:def:205908 The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix: * Developer environment: Unicode"s ... oval:org.secpod.oval:def:206018 Security Fix: zlib: heap-based buffer over-read and overflow in inflate in inflate.c via a large gzip header extra field For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References sect ... oval:org.secpod.oval:def:203556 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel"s SCTP implementation validated INIT chunks when performing Address Configuration Change . A remote attacker could use this flaw to crash the system by sending a speci ... oval:org.secpod.oval:def:205891 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: out-of-bounds write in xt_compat_target_from_user in net/netfilter/x_tables.c * kernel: race condition for removal of the HCI controller * kernel: powerpc: RTAS calls can be used to compro ... oval:org.secpod.oval:def:205897 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: use-after-free in route4_change in net/sched/cls_route.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer ... oval:org.secpod.oval:def:205880 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: size_t-to-int conversion vulnerability in the filesystem layer * kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan * kernel: use-after-free in show_numa_stats ... oval:org.secpod.oval:def:205929 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: perf_event_parse_addr_filter memory * kernel: fuse: fuse_do_getattr calls make_bad_inode in inappropriate situations * kernel: Heap buffer overflow in firedtv driver For more details abou ... oval:org.secpod.oval:def:205916 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: use-after-free in drivers/infiniband/core/ucma.c ctx use-after-free For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informa ... oval:org.secpod.oval:def:205912 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks * kernel: powerpc: KVM guest OS users can cause host OS memory corruption * kernel: SVM nested virtualization issue in ... oval:org.secpod.oval:def:205866 GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fix: * glib: integer overflow in g_byt ... oval:org.secpod.oval:def:205603 LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix: * libvncserver: websocket decoding buffer overflow For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer ... oval:org.secpod.oval:def:204822 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: KVM: error in exception handling leads to wrong debug stack value * Kernel: error in exception handling leads to DoS * Kernel: ipsec: xfrm: use-after-free leading to potential privilege es ... oval:org.secpod.oval:def:205881 The microcode_ctl packages provide microcode updates for Intel. Security Fix: * hw: Special Register Buffer Data Sampling * hw: Vector Register Data Sampling * hw: L1D Cache Eviction Sampling * hw: vt-d related privilege escalation * hw: improper isolation of shared resources in some Intel Proc ... oval:org.secpod.oval:def:205869 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Integer overflow in Intel Graphics Drivers * kernel: Use after free via PI futex state * kernel: use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c * kernel: Impro ... oval:org.secpod.oval:def:205580 Security Fix: * hw: Special Register Buffer Data Sampling * hw: L1D Cache Eviction Sampling * hw: Vector Register Data Sampling For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the Refer ... oval:org.secpod.oval:def:205587 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relate ... oval:org.secpod.oval:def:205618 Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. The following packages have been upgraded to a later upstream version: ipa . Security Fix: * js-jquery: Cross-site scripting vi ... oval:org.secpod.oval:def:205440 The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: * sudo: Stack based buffer overflow when pwfeedbac ... oval:org.secpod.oval:def:205657 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: use-after-free in sound/core/timer.c * kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c * kernel: race condition in smp_task_timedout and smp ... oval:org.secpod.oval:def:205467 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix: * kernel: Count overflow in FUSE request leading to use-after-free issues. * kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps ... oval:org.secpod.oval:def:205446 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: heap overflow in mwifiex_update_vs_ie function of Marvell WiFi driver * kernel: heap-based buffer overflow in mwifiex_process_country_ie function in drivers/net/wireless/marvell/mwifiex/sta ... oval:org.secpod.oval:def:205436 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix: * kernel: heap overflow in mwifiex_update_vs_ie function of Marvell WiFi driver * kernel: heap-based buffer overflow in mwifiex_process_countr ... oval:org.secpod.oval:def:205437 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * hw: TSX Transaction Asynchronous Abort * QEMU: slirp: heap buffer overflow duri ... oval:org.secpod.oval:def:205592 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: kernel: DAX hugepages not considered during mremap * kernel: buffer overflow in mwifiex_cmd_append_vsie_tlv function in drivers/net/wireless/marvell/mwifiex/scan.c * kernel: heap-based buf ... oval:org.secpod.oval:def:205534 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: out of bound read in DVB connexant driver. * kernel: Missing permissions check for request_key destination allows local attackers to add keys to keyring without Write permission * kernel: ... oval:org.secpod.oval:def:205218 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * An integer overflow flaw was found in the way the Linux kernel"s networking subsystem processed TCP Selective Acknowledgment segments. While processing SACK segments, the Linux kernel"s socket buff ... oval:org.secpod.oval:def:205195 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: KVM: potential use-after-free via kvm_ioctl_create_device * Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer For more details about the security issue ... oval:org.secpod.oval:def:205374 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Use-after-free in __blk_drain_queue function in block/blk-core.c * kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c * hardware: bluetooth: BR/EDR ... oval:org.secpod.oval:def:205354 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: vhost_net: infinite loop while receiving packets leads to DoS * Kernel: page cache side channel attacks * kernel: Buffer overflow in hidp_process_report * kernel: l2tp: Race condition bet ... oval:org.secpod.oval:def:50985 In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr. oval:org.secpod.oval:def:205205 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * A flaw was found in the implementation of the "fill buff ... oval:org.secpod.oval:def:205207 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A flaw was found in the implementation of the quot;fill bufferquot;, a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that woul ... oval:org.secpod.oval:def:205201 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * A flaw was found in the implementation of the "fill buffer", a mechanis ... oval:org.secpod.oval:def:204741 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions . There are three primary variants of the issue which differ in th ... oval:org.secpod.oval:def:205364 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: hw: Spectre SWAPGS gadget vulnerability * kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results For more details about the security issue, including the impact, a CVSS score, ackn ... oval:org.secpod.oval:def:203648 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel"s implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access o ... oval:org.secpod.oval:def:205173 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Memory corruption due to incorrect socket cloning * kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks * kernel: Faulty computation of numberic bounds in the BPF v ... oval:org.secpod.oval:def:205663 FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Security Fix: * freeradius: privilege escalation due to insecure logrotate configuration * freeradius: eap- ... oval:org.secpod.oval:def:205526 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix: * php: Reflected XSS on PHAR 404 page * php: Stack-based buffer under-read in php_stream_url_wrap_http_ex in http_fopen_wrapper.c when parsing HTTP response * php: Reflected XSS vulnerability on PHA ... oval:org.secpod.oval:def:205240 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Side-channel attack risks in Elliptic Curve cryptography * OpenJDK: Insufficient checks of suppressed exceptions in deserialization * OpenJDK: ... oval:org.secpod.oval:def:205237 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: Side-channel attack risks in Elliptic Curve cryptography * OpenJDK: Insufficient checks of suppressed exceptions in deserialization * OpenJDK: ... oval:org.secpod.oval:def:205239 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Side-channel attack risks in Elliptic Curve cryptography * OpenJDK: Insufficient checks of suppressed exceptions in deserialization * OpenJDK: ... oval:org.secpod.oval:def:205297 The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities. Security Fix: * python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure * python-urllib3: CRLF injection due to not encoding the "\r\n" sequence ... oval:org.secpod.oval:def:205212 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 * Mozilla: Cross-origin theft of images with creat ... oval:org.secpod.oval:def:205213 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 * Mozilla: Cross-origin theft of images with createImageBitmap * Mozilla: Stealing of cross-domain ... oval:org.secpod.oval:def:205468 TODO: add package description Security Fix: * python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure * python-urllib3: CRLF injection due to not encoding the "\r\n" sequence leading to possible attack on internal service * python-urllib3: Certificati ... oval:org.secpod.oval:def:205465 The virtualenv tool creates isolated Python environments. The virtualenv tool is a successor to workingenv, and an extension of virtual-python. Security Fix: * python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure * python-urllib3: CRLF injection due ... oval:org.secpod.oval:def:205306 The libsolv packages provide a library for resolving package dependencies using a satisfiability algorithm. Security Fix: * libsolv: NULL pointer dereference in function testcase_read * libsolv: NULL pointer dereference in function testcase_str2dep_complex * libsolv: illegal address access in pool ... oval:org.secpod.oval:def:205323 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. The following packages have been upgraded to a later upstream version: ghostscript . Security Fix: * gho ... oval:org.secpod.oval:def:204890 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * It was discovered that the ghostscript /invalidaccess checks fail under certain condition ... oval:org.secpod.oval:def:205133 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: .tempfile file permission issues * ghostscript: shading_param incomplete t ... oval:org.secpod.oval:def:205135 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: Incorrect free logic in pagedevice replacement * ghostscript: Incorrect &q ... oval:org.secpod.oval:def:205157 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: use-after-free in copydevice handling * ghostscript: access bypass in psi/ ... oval:org.secpod.oval:def:205530 libsndfile is a C library for reading and writing files containing sampled sound, such as AIFF, AU, or WAV. Security Fix: * libsndfile: stack-based buffer overflow in sndfile-deinterleave utility For more details about the security issue, including the impact, a CVSS score, acknowledgments, and oth ... oval:org.secpod.oval:def:204791 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * hw: cpu: speculative execution permission faults handling * kernel: Buffer overflow in firewire driver via crafted incoming packets * kernel: Use-after-free vulnerability in DCCP socket * Kernel: ... oval:org.secpod.oval:def:204830 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: FPU state information leakage via lazy FPU restore For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed ... oval:org.secpod.oval:def:204837 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load amp; Store instructions . It relies on the presence of a precisely-defin ... oval:org.secpod.oval:def:204836 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs ha ... oval:org.secpod.oval:def:204839 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * An industry-wide issue was found in the way many modern micro ... oval:org.secpod.oval:def:204866 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF ... oval:org.secpod.oval:def:204810 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs ha ... oval:org.secpod.oval:def:204803 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions . It ... oval:org.secpod.oval:def:204802 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * An industry-wide issue was found in the way many modern micro ... oval:org.secpod.oval:def:204807 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions . It ... oval:org.secpod.oval:def:204805 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load amp; Store instructions . It relies on the presence of a precisely-defin ... oval:org.secpod.oval:def:204825 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.8.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Ski ... oval:org.secpod.oval:def:204814 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.8.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Skia * Mozilla: Use-after-free with SVG animations ... oval:org.secpod.oval:def:204758 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list o ... oval:org.secpod.oval:def:204579 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel"s IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary ... oval:org.secpod.oval:def:204553 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feat ... oval:org.secpod.oval:def:205130 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: stack-based buffer overflow in chap_server_compute_md5 in iscsi target * kernel: NULL pointer dereference in af_netlink.c:__netlink_ns_capable allows for denial of service For more details ... oval:org.secpod.oval:def:204652 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event and vfs_rename while running the rename operation agai ... oval:org.secpod.oval:def:205667 Expat is a C library for parsing XML documents. Security Fix: * expat: large number of colons in input makes parser consume high amount of resources, leading to DoS * expat: heap-based buffer over-read via crafted XML input For more details about the security issue, including the impact, a CVSS sc ... oval:org.secpod.oval:def:205644 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ... oval:org.secpod.oval:def:204794 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: bn_sqrx8x_internal carry bug on x86_64 * openssl: Read/write after SSL object in error state * openssl: ... oval:org.secpod.oval:def:205614 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ... oval:org.secpod.oval:def:205366 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.9.0 ESR. Security Fix: * Mozilla: Sandbox escape through Firefox Sync * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and F ... oval:org.secpod.oval:def:205367 The http-parser package provides a utility for parsing HTTP messages. It parses both requests and responses. The parser is designed to be used in performance HTTP applications. It does not make any system calls or allocations, it does not buffer data, and it can be interrupted at any time. Depending ... oval:org.secpod.oval:def:205368 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.9.0. Security Fix: * Mozilla: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, a ... oval:org.secpod.oval:def:204093 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiat ... oval:org.secpod.oval:def:205342 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ... oval:org.secpod.oval:def:203990 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * It ... oval:org.secpod.oval:def:205725 Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 oval:org.secpod.oval:def:204111 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * A v ... oval:org.secpod.oval:def:205184 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ... oval:org.secpod.oval:def:205547 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. This package provid ... oval:org.secpod.oval:def:205518 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ... oval:org.secpod.oval:def:204253 Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to ... oval:org.secpod.oval:def:203782 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer derefernce flaw was found in the way OpenSSL verified signatures using the RSA PSS algorithm. A remote attacked cou ... oval:org.secpod.oval:def:204091 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an ... oval:org.secpod.oval:def:203982 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an ... oval:org.secpod.oval:def:204790 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: realpath buffer underflow w ... oval:org.secpod.oval:def:205635 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: LD_PREFER_MAP_32BIT_EXEC no ... oval:org.secpod.oval:def:204503 The rpcbind utility is a server that converts Remote Procedure Call program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. Security Fix: * It was found that due to the way rpcbind uses libtirpc , a memory leak can occur whe ... oval:org.secpod.oval:def:204501 The libtirpc packages contain SunLib"s implementation of transport-independent remote procedure call documentation, which includes a library required by programs in the nfs-utils and rpcbind packages. Security Fix: * It was found that due to the way rpcbind uses libtirpc , a memory leak can occur w ... oval:org.secpod.oval:def:205836 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: buffer over-read in iconv w ... oval:org.secpod.oval:def:205539 The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: * libxml2: Use after free triggered by XPointer paths beginning with range-to * libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate function in xpath.c * libxml2: DoS caus ... oval:org.secpod.oval:def:204642 OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh . Security Fix: * A covert timin ... oval:org.secpod.oval:def:203832 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A use-after-free flaw was found in the way the Linux kernel"s key management subsystem handled keyring object reference counting in certain error path of the join_session_keyring function. A local, unprivileged u ... oval:org.secpod.oval:def:204097 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * It was found that the Linux kernel"s IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a deni ... oval:org.secpod.oval:def:204082 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list o ... oval:org.secpod.oval:def:203979 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list o ... oval:org.secpod.oval:def:203960 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list o ... oval:org.secpod.oval:def:203956 The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an appl ... oval:org.secpod.oval:def:203934 PCRE is a Perl-compatible regular expression library. Security Fix: * Multiple flaws were found in the way PCRE handled malformed regular expressions. An attacker able to make an application using PCRE process a specially crafted regular expression could use these flaws to cause the application to c ... oval:org.secpod.oval:def:204128 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix: * A flaw was found in the way certain error conditions were handled by bzread function in PHP. An attacker could use this flaw to upload a specially crafted bz2 archive which, when parsed via the vuln ... oval:org.secpod.oval:def:204584 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the ... oval:org.secpod.oval:def:204533 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A flaw was found in the way Linux kernel allocates heap memory to build the scattergather list from a fragment list in the socket buffer. The heap overflow occurred if "MAX_SKB_FRAGS + 1" parameter ... oval:org.secpod.oval:def:204506 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * It was found that the packet_set_ring function of the Linux kernel"s networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could u ... oval:org.secpod.oval:def:204616 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the ... oval:org.secpod.oval:def:203474 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * A race condition flaw was found in the way the Linux kernel"s KVM subsystem handled PIT emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. * A NUL ... oval:org.secpod.oval:def:203426 The kernel packages contain the Linux kernel, the core of any Linux operating system. * An out-of-bounds memory access flaw was found in the Linux kernel"s system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kerne ... oval:org.secpod.oval:def:203505 * A flaw was found in the way the Linux kernel"s SCTP implementation handled malformed or duplicate Address Configuration Change Chunks . A remote attacker could use either of these flaws to crash the system. * A flaw was found in the way the Linux kernel"s SCTP implementation handled the associati ... oval:org.secpod.oval:def:204270 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel"s file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a conta ... oval:org.secpod.oval:def:204263 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel"s XFS file system handled replacing of remote attributes under certain conditions. A local user with access to XFS file system mount could potentially use this flaw to ... oval:org.secpod.oval:def:203383 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that Linux kernel"s ptrace subsystem did not properly sanitize the address-space-control bits when the program-status word was being set. On IBM S/390 systems, a local, unprivileged user could use t ... oval:org.secpod.oval:def:203372 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel"s ptrace subsystem allowed a traced process" instruction pointer to be set to a non-canonical memory address without forcing the non-sysret code path when returning to user spac ... oval:org.secpod.oval:def:68572 Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ... oval:org.secpod.oval:def:68574 Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected. oval:org.secpod.oval:def:97186 The noexec mount option specifies that the filesystem cannot contain executable . Rationale: Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log . oval:org.secpod.oval:def:97189 X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays Rationale: XDMCP is inherently insecure. 1. XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a ... oval:org.secpod.oval:def:97192 Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.Rationale:Storing log data on a remote host protects log integrity from local attacks. If an attacker gains ... oval:org.secpod.oval:def:97175 Without re-authentication, users may access resources or perform tasks for which they do not have authorization. oval:org.secpod.oval:def:97177 Without re-authentication, users may access resources or perform tasks for which they do not have authorization. oval:org.secpod.oval:def:97182 By default GNOME automatically mounts removable media when inserted as a convenience to the user. Rationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it ... oval:org.secpod.oval:def:97184 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var. oval:org.secpod.oval:def:97181 GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. The disable-user-list option controls is a list of users is displayed on the login screen. Rationale: Displaying the user list eliminates half of the Userid/Password equation that an unauthorized ... oval:org.secpod.oval:def:97197 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit. oval:org.secpod.oval:def:97194 systemd-coredump file should configured properly oval:org.secpod.oval:def:97195 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit. oval:org.secpod.oval:def:97170 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one oval:org.secpod.oval:def:97193 Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts.Rationale:If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary. oval:org.secpod.oval:def:97190 Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf is the configuration file used to specify how logs generated by Journald should be rotated.Rationale:By keeping the log ... oval:org.secpod.oval:def:97191 Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.Rationale:Storing log data on a remote host protects log integrity from local attacks. If an attacker gains ... oval:org.secpod.oval:def:97168 The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who ... oval:org.secpod.oval:def:97178 The contents of the /etc/issue file are displayed to users prior to login for local terminals. Rationale: If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information. oval:org.secpod.oval:def:97171 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one oval:org.secpod.oval:def:97172 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one oval:org.secpod.oval:def:97173 Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one oval:org.secpod.oval:def:97187 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/log. oval:org.secpod.oval:def:97185 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home oval:org.secpod.oval:def:97180 The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It ... oval:org.secpod.oval:def:97196 The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit oval:org.secpod.oval:def:97166 Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command i ... oval:org.secpod.oval:def:97167 The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins. If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system. oval:org.secpod.oval:def:97169 Ensure that the systemd-journald service is enabled to allow capturing of logging events. If the systemd-journald service is not enabled to start on boot, the system will not capture logging events. oval:org.secpod.oval:def:97174 sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user. Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events wr ... oval:org.secpod.oval:def:97179 The contents of the file /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. oval:org.secpod.oval:def:97188 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var. oval:org.secpod.oval:def:97183 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/log filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/log. oval:org.secpod.oval:def:97176 Sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies. |