- Issued:
- 2008-05-20
- Updated:
- 2008-05-20
RHSA-2008:0261 - Security Advisory
Synopsis
Moderate: Red Hat Network Satellite Server security update
Type/Severity
Security Advisory: Moderate
Topic
Red Hat Network Satellite Server version 5.0.2 is now available. This
update includes fixes for a number of security issues in Red Hat Network
Satellite Server components.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
Description
During an internal security review, a cross-site scripting flaw was found
that affected the Red Hat Network channel search feature. (CVE-2007-5961)
This release also corrects several security vulnerabilities in various
components shipped as part of the Red Hat Network Satellite Server. In a
typical operating environment, these components are not exposed to users of
Satellite Server in a vulnerable manner. These security updates will reduce
risk in unique Satellite Server environments.
Multiple flaws were fixed in the Apache HTTPD server. These flaws could
result in a cross-site scripting, denial-of-service, or information
disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197,
CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388)
A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)
A denial-of-service flaw was fixed in the jabberd server. (CVE-2006-1329)
Multiple cross-site scripting flaws were fixed in the image map feature in
the JFreeChart package. (CVE-2007-6306)
Multiple flaws were fixed in the IBM Java 1.4.2 Runtime. (CVE-2007-0243,
CVE-2007-2435, CVE-2007-2788, CVE-2007-2789)
Two arbitrary code execution flaws were fixed in the OpenMotif package.
(CVE-2005-3964, CVE-2005-0605)
A flaw which could result in weak encryption was fixed in the
perl-Crypt-CBC package. (CVE-2006-0898)
Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128,
CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355,
CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195,
CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510)
Users of Red Hat Network Satellite Server 5.0 are advised to upgrade to
5.0.2, which resolves these issues.
Solution
This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://www.redhat.com/docs/manuals/satellite/Red_Hat_Network_Satellite-5.0.0/html/Installation_Guide/s1-maintenance-update.html
Affected Products
- Red Hat Network Satellite 4.2,5.0 (for RHEL Server) 5.0 i386
Fixes
- BZ - 396641 - CVE-2007-5961 RHN XSS flaw
- BZ - 444136 - Bring various components of Satellite Server 5.0 up to date
CVEs
- CVE-2006-0898
- CVE-2008-0128
- CVE-2007-1355
- CVE-2007-5961
- CVE-2006-7197
- CVE-2006-1329
- CVE-2007-6306
- CVE-2007-5461
- CVE-2007-6388
- CVE-2007-5000
- CVE-2007-4465
- CVE-2007-3385
- CVE-2007-3382
- CVE-2007-2788
- CVE-2007-2789
- CVE-2007-2435
- CVE-2007-2449
- CVE-2007-2450
- CVE-2007-3304
- CVE-2006-5752
- CVE-2007-1358
- CVE-2007-1349
- CVE-2007-1860
- CVE-2006-3835
- CVE-2007-0450
- CVE-2005-2090
- CVE-2006-7196
- CVE-2006-7195
- CVE-2005-4838
- CVE-2007-0243
- CVE-2006-0254
- CVE-2005-3964
- CVE-2005-3510
- CVE-2005-0605
- CVE-2004-0885
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.