[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 42/04 - Three RedHat Security Advisories



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 42/04 dated 04.02.04  Time: 10:00
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Three RedHat Security Advisories:

1.  Updated kernel packages resolve minor security vulnerabilities.

2.  Updated util-linux packages fix information leak.

3.  Updated mc packages resolve buffer overflow vulnerability.


Detail
====== 

1.  Updated kernel packages are now available that fix a few security issues,
an NFS performance issue, and an e1000 driver loading issue introduced in
Update 3.

2.  Updated util-linux packages that fix an information leak in the login
program are now available.

3.  Updated mc packages that resolve a buffer overflow vulnerability are now
available.





1.                  ESB-2004.0089 -- RHSA-2004:044-01
      Updated kernel packages resolve minor security vulnerabilities
                             04 February 2004


Product:                kernel
Publisher:              Red Hat
Operating System:       Red Hat Enterprise Linux AS 2.1
                        Red Hat Enterprise Linux ES version 2.1
                        Red Hat Enterprise Linux WS version 2.1
Platform:               IA-64
                        IA-32
Impact:                 Increased Privileges
                        Reduced Security
Access Required:        Existing Account
CVE Names:              CAN-2004-0003 CAN-2003-0700 CAN-2002-1574

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated kernel packages resolve minor security vulnerabilities
Advisory ID:       RHSA-2004:044-01
Issue date:        2004-02-03
Updated on:        2004-02-03
Product:           Red Hat Enterprise Linux
Keywords:          
Cross references:  
Obsoletes:         RHSA-2003:408
CVE Names:         CAN-2002-1574 CAN-2003-0700 CAN-2004-0003
- - - ---------------------------------------------------------------------

1. Topic:

Updated kernel packages are now available that fix a few security issues,
an NFS performance issue, and an e1000 driver loading issue introduced in
Update 3.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - athlon, i386, i686
Red Hat Enterprise Linux ES version 2.1 - athlon, i386, i686
Red Hat Enterprise Linux WS version 2.1 - athlon, i386, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

Alan Cox found issues in the R128 Direct Render Infrastructure that
could allow local privilege escalation.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0003 to
this issue.

The C-Media PCI sound driver in Linux before 2.4.22 does not use the
get_user function to access userspace in certain conditions, which crosses
security boundaries.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0700 to this issue.

An overflow was found in the ixj telephony card driver in Linux kernels
prior to 2.4.20.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1574 to this issue.

All users are advised to upgrade to these errata packages, which contain
backported security patches that corrects these issues.  These packages
also contain a fix to enhance NFS performance, which was degraded in the
last kernel update as part of Update 3.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate.  The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

112766 - e.34 kernel breaks UDP NFS badly
113602 - CAN-2004-0003 r128 DRI
113305 - CAN-2003-0700 CMedia additional get_user issues
113300 - CAN-2002-1574 ixj telephony card driver overflow
112914 - After upgraded the latest kenerl e.34 or e.35, the Intel Pro/100 module did not load during the reboot.
113498 - modules.dep points to the wrong driver

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kernel-2.4.9-e.37.src.rpm

athlon:
Available from Red Hat Network: kernel-2.4.9-e.37.athlon.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.37.athlon.rpm

i386:
Available from Red Hat Network: kernel-BOOT-2.4.9-e.37.i386.rpm
Available from Red Hat Network: kernel-doc-2.4.9-e.37.i386.rpm
Available from Red Hat Network: kernel-headers-2.4.9-e.37.i386.rpm
Available from Red Hat Network: kernel-source-2.4.9-e.37.i386.rpm

i686:
Available from Red Hat Network: kernel-2.4.9-e.37.i686.rpm
Available from Red Hat Network: kernel-debug-2.4.9-e.37.i686.rpm
Available from Red Hat Network: kernel-enterprise-2.4.9-e.37.i686.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.37.i686.rpm
Available from Red Hat Network: kernel-summit-2.4.9-e.37.i686.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kernel-2.4.9-e.37.src.rpm

athlon:
Available from Red Hat Network: kernel-2.4.9-e.37.athlon.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.37.athlon.rpm

i386:
Available from Red Hat Network: kernel-BOOT-2.4.9-e.37.i386.rpm
Available from Red Hat Network: kernel-doc-2.4.9-e.37.i386.rpm
Available from Red Hat Network: kernel-headers-2.4.9-e.37.i386.rpm
Available from Red Hat Network: kernel-source-2.4.9-e.37.i386.rpm

i686:
Available from Red Hat Network: kernel-2.4.9-e.37.i686.rpm
Available from Red Hat Network: kernel-debug-2.4.9-e.37.i686.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.37.i686.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kernel-2.4.9-e.37.src.rpm

athlon:
Available from Red Hat Network: kernel-2.4.9-e.37.athlon.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.37.athlon.rpm

i386:
Available from Red Hat Network: kernel-BOOT-2.4.9-e.37.i386.rpm
Available from Red Hat Network: kernel-doc-2.4.9-e.37.i386.rpm
Available from Red Hat Network: kernel-headers-2.4.9-e.37.i386.rpm
Available from Red Hat Network: kernel-source-2.4.9-e.37.i386.rpm

i686:
Available from Red Hat Network: kernel-2.4.9-e.37.i686.rpm
Available from Red Hat Network: kernel-debug-2.4.9-e.37.i686.rpm
Available from Red Hat Network: kernel-enterprise-2.4.9-e.37.i686.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.37.i686.rpm



7. Verification:

MD5 sum                          Package Name
- - - --------------------------------------------------------------------------

1ea5a1908a6562967b0595e06bd4bd93 2.1AS/en/os/SRPMS/kernel-2.4.9-e.37.src.rpm
030f252f56b1914712a10882637a791c 2.1AS/en/os/athlon/kernel-2.4.9-e.37.athlon.rpm
1d819b13b87cf66ee7bdae9c4ca0ec77 2.1AS/en/os/athlon/kernel-smp-2.4.9-e.37.athlon.rpm
07204ea9a97d0650ae17607b39e3c410 2.1AS/en/os/i386/kernel-BOOT-2.4.9-e.37.i386.rpm
08f7567fe94f61c7e59072a016757906 2.1AS/en/os/i386/kernel-doc-2.4.9-e.37.i386.rpm
6c76c386fbc5afc0aba21774905845e3 2.1AS/en/os/i386/kernel-headers-2.4.9-e.37.i386.rpm
0c49a0f4868c814b15e1fd60c1adaa78 2.1AS/en/os/i386/kernel-source-2.4.9-e.37.i386.rpm
cfc5e061933e32ece12333502e97bb22 2.1AS/en/os/i686/kernel-2.4.9-e.37.i686.rpm
c3c3578babc860faa895bf6256052140 2.1AS/en/os/i686/kernel-debug-2.4.9-e.37.i686.rpm
2d4959d95a723cb67fa5d3ebe905cee2 2.1AS/en/os/i686/kernel-enterprise-2.4.9-e.37.i686.rpm
0d26a9639bdad7a9e84387ea731156bc 2.1AS/en/os/i686/kernel-smp-2.4.9-e.37.i686.rpm
cc565e3f28776f37809536f7dd39f573 2.1AS/en/os/i686/kernel-summit-2.4.9-e.37.i686.rpm
1ea5a1908a6562967b0595e06bd4bd93 2.1ES/en/os/SRPMS/kernel-2.4.9-e.37.src.rpm
030f252f56b1914712a10882637a791c 2.1ES/en/os/athlon/kernel-2.4.9-e.37.athlon.rpm
1d819b13b87cf66ee7bdae9c4ca0ec77 2.1ES/en/os/athlon/kernel-smp-2.4.9-e.37.athlon.rpm
07204ea9a97d0650ae17607b39e3c410 2.1ES/en/os/i386/kernel-BOOT-2.4.9-e.37.i386.rpm
08f7567fe94f61c7e59072a016757906 2.1ES/en/os/i386/kernel-doc-2.4.9-e.37.i386.rpm
6c76c386fbc5afc0aba21774905845e3 2.1ES/en/os/i386/kernel-headers-2.4.9-e.37.i386.rpm
0c49a0f4868c814b15e1fd60c1adaa78 2.1ES/en/os/i386/kernel-source-2.4.9-e.37.i386.rpm
cfc5e061933e32ece12333502e97bb22 2.1ES/en/os/i686/kernel-2.4.9-e.37.i686.rpm
c3c3578babc860faa895bf6256052140 2.1ES/en/os/i686/kernel-debug-2.4.9-e.37.i686.rpm
0d26a9639bdad7a9e84387ea731156bc 2.1ES/en/os/i686/kernel-smp-2.4.9-e.37.i686.rpm
1ea5a1908a6562967b0595e06bd4bd93 2.1WS/en/os/SRPMS/kernel-2.4.9-e.37.src.rpm
030f252f56b1914712a10882637a791c 2.1WS/en/os/athlon/kernel-2.4.9-e.37.athlon.rpm
1d819b13b87cf66ee7bdae9c4ca0ec77 2.1WS/en/os/athlon/kernel-smp-2.4.9-e.37.athlon.rpm
07204ea9a97d0650ae17607b39e3c410 2.1WS/en/os/i386/kernel-BOOT-2.4.9-e.37.i386.rpm
08f7567fe94f61c7e59072a016757906 2.1WS/en/os/i386/kernel-doc-2.4.9-e.37.i386.rpm
6c76c386fbc5afc0aba21774905845e3 2.1WS/en/os/i386/kernel-headers-2.4.9-e.37.i386.rpm
0c49a0f4868c814b15e1fd60c1adaa78 2.1WS/en/os/i386/kernel-source-2.4.9-e.37.i386.rpm
cfc5e061933e32ece12333502e97bb22 2.1WS/en/os/i686/kernel-2.4.9-e.37.i686.rpm
c3c3578babc860faa895bf6256052140 2.1WS/en/os/i686/kernel-debug-2.4.9-e.37.i686.rpm
2d4959d95a723cb67fa5d3ebe905cee2 2.1WS/en/os/i686/kernel-enterprise-2.4.9-e.37.i686.rpm
0d26a9639bdad7a9e84387ea731156bc 2.1WS/en/os/i686/kernel-smp-2.4.9-e.37.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0003

9. Contact:

The Red Hat security contact is <secalert@xxxxxxxxxx>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAIAfaXlSAg2UNWIIRAhBBAJ4qz7BOqTR83V3zHEsVqJ3FRHvYtACgm9OQ
wQNmbjlsNZpg8hKYsfg9cK8=
=qH37
- - -----END PGP SIGNATURE-----




2.

                     ESB-2004.0088 -- RHSA-2004:056-01
             Updated util-linux packages fix information leak
                             04 February 2004


Product:                util-linux
Publisher:              Red Hat
Operating System:       Red Hat Linux AW 2.1
                        Red Hat Enterprise Linux AS 2.1
                        Red Hat Enterprise Linux WS 2.1
                        Red Hat Enterprise Linux ES 2.1
Platform:               IA-64
                        IA-32
Impact:                 Reduced Security
CVE Names:              CAN-2004-0080

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated util-linux packages fix information leak
Advisory ID:       RHSA-2004:056-01
Issue date:        2004-01-30
Updated on:        2004-02-02
Product:           Red Hat Enterprise Linux
Keywords:          
Cross references:  
Obsoletes:         
CVE Names:         CAN-2004-0080
- - - ---------------------------------------------------------------------

1. Topic:

Updated util-linux packages that fix an information leak in the login
program are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

The util-linux package contains a large variety of low-level system
utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been
freed and reallocated. This could cause unintentional data leakage.

Note: Red Hat Enterprise Linux 3 is not vulnerable to this issue.

It is recommended that all users upgrade to these updated packages, which
are not vulnerable to this issue.

Red Hat would like to thank Matthew Lee of Fleming College for finding and
reporting this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate.  The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

114742 - CAN-2004-0080 "login" information leak

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm

i386:
Available from Red Hat Network: util-linux-2.11f-20.4.i386.rpm

ia64:
Available from Red Hat Network: util-linux-2.11f-20.4.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm

ia64:
Available from Red Hat Network: util-linux-2.11f-20.4.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm

i386:
Available from Red Hat Network: util-linux-2.11f-20.4.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm

i386:
Available from Red Hat Network: util-linux-2.11f-20.4.i386.rpm



7. Verification:

MD5 sum                          Package Name
- - - --------------------------------------------------------------------------

00bd8ff344c54363b75ce441b0a19495 2.1AS/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm
6ce893d86080bbb506116766cbf4348a 2.1AS/en/os/i386/util-linux-2.11f-20.4.i386.rpm
e6cde0a5bd6d89dd8660a3fe83da5a9b 2.1AS/en/os/ia64/util-linux-2.11f-20.4.ia64.rpm
00bd8ff344c54363b75ce441b0a19495 2.1AW/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm
e6cde0a5bd6d89dd8660a3fe83da5a9b 2.1AW/en/os/ia64/util-linux-2.11f-20.4.ia64.rpm
00bd8ff344c54363b75ce441b0a19495 2.1ES/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm
6ce893d86080bbb506116766cbf4348a 2.1ES/en/os/i386/util-linux-2.11f-20.4.i386.rpm
00bd8ff344c54363b75ce441b0a19495 2.1WS/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm
6ce893d86080bbb506116766cbf4348a 2.1WS/en/os/i386/util-linux-2.11f-20.4.i386.rpm

These packages are GPG signed by Red Hat for security.  Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0080

9. Contact:

The Red Hat security contact is <secalert@xxxxxxxxxx>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAH1wVXlSAg2UNWIIRApUMAJ4tYEJn6KrjTuDw1rM1D/Gy++fZgwCfWJKu
WsRQD2p7agOQVK6zTYqaQeU=
=W0Nv
- - -----END PGP SIGNATURE-----




3.
                     ESB-2004.0087 -- RHSA-2004:035-01
         Updated mc packages resolve buffer overflow vulnerability
                             04 February 2004


Product:                mc (Midnight Commander)
Publisher:              Red Hat
Operating System:       Red Hat Enterprise Linux AS 2.1
                        Red Hat Linux AW 2.1
                        Red Hat Enterprise Linux WS 2.1
Platform:               IA-64
                        IA-32
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote
CVE Names:              CAN-2003-1023

Ref:                    ESB-2004.0062

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated mc packages resolve buffer overflow vulnerability
Advisory ID:       RHSA-2004:035-01
Issue date:        2004-01-19
Updated on:        0000-04-01
Product:           Red Hat Enterprise Linux
Keywords:          mc buffer overflow vfs
Cross references:  
Obsoletes:         
CVE Names:         CAN-2003-1023
- - - ---------------------------------------------------------------------

1. Topic:

Updated mc packages that resolve a buffer overflow vulnerability are now
available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

Midnight Commander is a visual shell much like a file manager.

A buffer overflow has been found in Midnight Commander's virtual filesystem
code. Specifically, a stack-based buffer overflow in vfs_s_resolve_symlink
of vfs/direntry.c allows remote attackers to execute arbitrary code during
symlink conversion.

Users of Midnight Commander should install these updated packages, which
resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate 
Errors, you need to install a version of the up2date client with an updated 
certificate.  The latest version of up2date is available from the Red Hat 
FTP site and may also be downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

113850 - CAN-2003-1023 mc stack overflow

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/mc-4.5.51-36.1.src.rpm

i386:
Available from Red Hat Network: gmc-4.5.51-36.1.i386.rpm
Available from Red Hat Network: mc-4.5.51-36.1.i386.rpm
Available from Red Hat Network: mcserv-4.5.51-36.1.i386.rpm

ia64:
Available from Red Hat Network: gmc-4.5.51-36.1.ia64.rpm
Available from Red Hat Network: mc-4.5.51-36.1.ia64.rpm
Available from Red Hat Network: mcserv-4.5.51-36.1.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/mc-4.5.51-36.1.src.rpm

ia64:
Available from Red Hat Network: gmc-4.5.51-36.1.ia64.rpm
Available from Red Hat Network: mc-4.5.51-36.1.ia64.rpm
Available from Red Hat Network: mcserv-4.5.51-36.1.ia64.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/mc-4.5.51-36.1.src.rpm

i386:
Available from Red Hat Network: gmc-4.5.51-36.1.i386.rpm
Available from Red Hat Network: mc-4.5.51-36.1.i386.rpm
Available from Red Hat Network: mcserv-4.5.51-36.1.i386.rpm



7. Verification:

MD5 sum                          Package Name
- - - --------------------------------------------------------------------------

88a12c94a1bde5d99dd77f7ca9650f65 2.1AS/en/os/SRPMS/mc-4.5.51-36.1.src.rpm
52d6955848afb48388faf13ae366220f 2.1AS/en/os/i386/gmc-4.5.51-36.1.i386.rpm
725706e3fe5afe0e42f6f5d3838e0993 2.1AS/en/os/i386/mc-4.5.51-36.1.i386.rpm
4b1555e529ff5f58d74357ecfb313b28 2.1AS/en/os/i386/mcserv-4.5.51-36.1.i386.rpm
4899c0acad932680d365c9e0e41007e1 2.1AS/en/os/ia64/gmc-4.5.51-36.1.ia64.rpm
23690284ac11ff9687499d98c0f4f512 2.1AS/en/os/ia64/mc-4.5.51-36.1.ia64.rpm
580b72c7aabd6fe2be28db01c9dbf673 2.1AS/en/os/ia64/mcserv-4.5.51-36.1.ia64.rpm
88a12c94a1bde5d99dd77f7ca9650f65 2.1AW/en/os/SRPMS/mc-4.5.51-36.1.src.rpm
4899c0acad932680d365c9e0e41007e1 2.1AW/en/os/ia64/gmc-4.5.51-36.1.ia64.rpm
23690284ac11ff9687499d98c0f4f512 2.1AW/en/os/ia64/mc-4.5.51-36.1.ia64.rpm
580b72c7aabd6fe2be28db01c9dbf673 2.1AW/en/os/ia64/mcserv-4.5.51-36.1.ia64.rpm
88a12c94a1bde5d99dd77f7ca9650f65 2.1WS/en/os/SRPMS/mc-4.5.51-36.1.src.rpm
52d6955848afb48388faf13ae366220f 2.1WS/en/os/i386/gmc-4.5.51-36.1.i386.rpm
725706e3fe5afe0e42f6f5d3838e0993 2.1WS/en/os/i386/mc-4.5.51-36.1.i386.rpm
4b1555e529ff5f58d74357ecfb313b28 2.1WS/en/os/i386/mcserv-4.5.51-36.1.i386.rpm

These packages are GPG signed by Red Hat for security.  Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023

9. Contact:

The Red Hat security contact is <secalert@xxxxxxxxxx>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD4DBQFAH1wAXlSAg2UNWIIRAmxpAKCXFt+g7Bawu41UUJKoduiqRIsVbgCUDieM
amUAkQFC973KRdocoOn82A==
=pHC8
- - -----END PGP SIGNATURE-----


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of RedHat for the information
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQCDEfopao72zK539AQE2TAP9G/NTU7ae21vBQ+Oz2z/pkkcbpE3x+F8f
RnOKFPa7TLRoWqfFy03FIQsTsEScWvkLEQpxuAHkRx0roNl7ZRJP5QYkMGiG7R6v
FPSBLAJT2aTbKjJkid4Jbchq6KMCkTO3ZXMyiUf1TW3TF35r087odoTLvlZjS3Vn
3uiw9tGaXBk=
=92Uy
-----END PGP SIGNATURE-----