CERT RENATER
Contact us
- Mail: cert@support.renater.fr
- Web: CERT pages
- Tel.: 01.53.94.20.44
- Fax: 01.53.94.20.31
====================================================================
CERT-Renater Information Note No. 2007/VULN416
_____________________________________________________________________
DATE : 06/11/2007
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S) : Systems running pcre packages.
======================================================================
https://rhn.redhat.com/errata/RHSA-2007-0967.html
https://rhn.redhat.com/errata/RHSA-2007-0968.html
______________________________________________________________________

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Critical: pcre security update
Advisory ID:       RHSA-2007:0967-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0967.html
Issue date:        2007-11-05
Updated on:        2007-11-05
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-1659 CVE-2007-1660
- - ---------------------------------------------------------------------

1. Summary:

Updated pcre packages that correct two security flaws are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

PCRE is a Perl-compatible regular expression library.

Multiple flaws were found in the way pcre handles certain malformed regular
expressions. If an application linked against pcre, such as Konqueror,
parses a malicious regular expression, it may be possible to run arbitrary
code as the user running the application. (CVE-2007-1659, CVE-2007-1660)

Users of pcre are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

Red Hat would like to thank Tavis Ormandy and Will Drewry for properly
disclosing these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

315871 - CVE-2007-1659 pcre regular expression flaws
315881 - CVE-2007-1660 pcre regular expression flaws

6. RPMs required:

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pcre-6.6-2.el5_0.1.src.rpm
37b0c60c16fb136bd5f47082c42a399f  pcre-6.6-2.el5_0.1.src.rpm

i386:
1e0fe12062836b8838d902f6f13005c4  pcre-6.6-2.el5_0.1.i386.rpm
0c6be04f491c5738e28ca227cd083c44  pcre-debuginfo-6.6-2.el5_0.1.i386.rpm

x86_64:
1e0fe12062836b8838d902f6f13005c4  pcre-6.6-2.el5_0.1.i386.rpm
73869b659e16a5c0c4738780b8dbf54a  pcre-6.6-2.el5_0.1.x86_64.rpm
0c6be04f491c5738e28ca227cd083c44  pcre-debuginfo-6.6-2.el5_0.1.i386.rpm
9fe6268f7f099d309a198dbc073484c5  pcre-debuginfo-6.6-2.el5_0.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pcre-6.6-2.el5_0.1.src.rpm
37b0c60c16fb136bd5f47082c42a399f  pcre-6.6-2.el5_0.1.src.rpm

i386:
0c6be04f491c5738e28ca227cd083c44  pcre-debuginfo-6.6-2.el5_0.1.i386.rpm
55180d96fa4e1b20fcdd580b13c94e76  pcre-devel-6.6-2.el5_0.1.i386.rpm

x86_64:
0c6be04f491c5738e28ca227cd083c44  pcre-debuginfo-6.6-2.el5_0.1.i386.rpm
9fe6268f7f099d309a198dbc073484c5  pcre-debuginfo-6.6-2.el5_0.1.x86_64.rpm
55180d96fa4e1b20fcdd580b13c94e76  pcre-devel-6.6-2.el5_0.1.i386.rpm
f60b3e0576aeee879d13906ab55519da  pcre-devel-6.6-2.el5_0.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/pcre-6.6-2.el5_0.1.src.rpm
37b0c60c16fb136bd5f47082c42a399f  pcre-6.6-2.el5_0.1.src.rpm

i386:
1e0fe12062836b8838d902f6f13005c4  pcre-6.6-2.el5_0.1.i386.rpm
0c6be04f491c5738e28ca227cd083c44  pcre-debuginfo-6.6-2.el5_0.1.i386.rpm
55180d96fa4e1b20fcdd580b13c94e76  pcre-devel-6.6-2.el5_0.1.i386.rpm

ia64:
ef36cfa42ba674ffe2c7201dfb112b59  pcre-6.6-2.el5_0.1.ia64.rpm
64e720230c68a59e962a7bd990c75ccb  pcre-debuginfo-6.6-2.el5_0.1.ia64.rpm
f0a778987dd0c57bcfe3e763b6395ea7  pcre-devel-6.6-2.el5_0.1.ia64.rpm

ppc:
a25c490d1f71d860ad5eb772046dbed0  pcre-6.6-2.el5_0.1.ppc.rpm
ed682d10ccf7b2482c7039d14f0df04b  pcre-6.6-2.el5_0.1.ppc64.rpm
5f66a6d45be57f9207583c3b9e2c554d  pcre-debuginfo-6.6-2.el5_0.1.ppc.rpm
b53659c8438861bbf715099f22483866  pcre-debuginfo-6.6-2.el5_0.1.ppc64.rpm
967f41898c49b310dcf607729dafff69  pcre-devel-6.6-2.el5_0.1.ppc.rpm
822c7a5c264314d84e70e41353dec898  pcre-devel-6.6-2.el5_0.1.ppc64.rpm

s390x:
6190ac263d58d9160457be33764c0bc4  pcre-6.6-2.el5_0.1.s390.rpm
a41b40a90da5af04c9ed0a713c7b0ee1  pcre-6.6-2.el5_0.1.s390x.rpm
b90a30e868ad358a65d56f151efe590c  pcre-debuginfo-6.6-2.el5_0.1.s390.rpm
b43a4377d755027344bc84fa24b9de54  pcre-debuginfo-6.6-2.el5_0.1.s390x.rpm
f39f311df66ee2a124b7d1ccc482ad08  pcre-devel-6.6-2.el5_0.1.s390.rpm
600e150dfa622a3ca5737223cfbe3eed  pcre-devel-6.6-2.el5_0.1.s390x.rpm

x86_64:
1e0fe12062836b8838d902f6f13005c4  pcre-6.6-2.el5_0.1.i386.rpm
73869b659e16a5c0c4738780b8dbf54a  pcre-6.6-2.el5_0.1.x86_64.rpm
0c6be04f491c5738e28ca227cd083c44  pcre-debuginfo-6.6-2.el5_0.1.i386.rpm
9fe6268f7f099d309a198dbc073484c5  pcre-debuginfo-6.6-2.el5_0.1.x86_64.rpm
55180d96fa4e1b20fcdd580b13c94e76  pcre-devel-6.6-2.el5_0.1.i386.rpm
f60b3e0576aeee879d13906ab55519da  pcre-devel-6.6-2.el5_0.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is. More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHL0gtXlSAg2UNWIIRAq1vAJ0RumhaQH7yQSjFp1bLxYooQ4G/SQCeIubd
7cbVnQUGwH2y6fUhTKek+Hs=
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Critical: pcre security update
Advisory ID:       RHSA-2007:0968-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0968.html
Issue date:        2007-11-05
Updated on:        2007-11-05
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-1660
- - ---------------------------------------------------------------------

1. Summary:

Updated pcre packages that correct two security flaws are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

PCRE is a Perl-compatible regular expression library.

Multiple flaws were found in the way pcre handles certain malformed regular
expressions. If an application linked against pcre, such as Konqueror,
parses a malicious regular expression, it may be possible to run arbitrary
code as the user running the application. (CVE-2007-1660)

Users of pcre are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

Red Hat would like to thank Tavis Ormandy and Will Drewry for properly
disclosing these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

315881 - CVE-2007-1660 pcre regular expression flaws

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/pcre-4.5-4.el4_5.1.src.rpm
d2bf1a695fbb25449e583dcdf1c2adc3  pcre-4.5-4.el4_5.1.src.rpm

i386:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
25e5f95b21f055328b7f223b82682c18  pcre-devel-4.5-4.el4_5.1.i386.rpm

ia64:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
09735dc1d899a27490fbaefbf801e453  pcre-4.5-4.el4_5.1.ia64.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
b9fd1bfce2d9c0761b0610ddde2c1607  pcre-debuginfo-4.5-4.el4_5.1.ia64.rpm
3e3c83e3a8c1b28b1d5d5a3e2efbf8f0  pcre-devel-4.5-4.el4_5.1.ia64.rpm

ppc:
39ceb7698118cfb31004434f6ce39e2f  pcre-4.5-4.el4_5.1.ppc.rpm
7a66762a3067ff36eb141d50e2f178c2  pcre-4.5-4.el4_5.1.ppc64.rpm
9db9c301f7ec374a635ec959b4446510  pcre-debuginfo-4.5-4.el4_5.1.ppc.rpm
1ddcaf1d63b2ad06ba199867e910c3f6  pcre-debuginfo-4.5-4.el4_5.1.ppc64.rpm
27c02138dc61651befd584d7564e87c1  pcre-devel-4.5-4.el4_5.1.ppc.rpm

s390:
d29fff61e69fc677350e8dce17f6dc2d  pcre-4.5-4.el4_5.1.s390.rpm
6e4505ff2cab4ef9623efba1301bb291  pcre-debuginfo-4.5-4.el4_5.1.s390.rpm
f17dc61991ff18330387a01022878cd1  pcre-devel-4.5-4.el4_5.1.s390.rpm

s390x:
d29fff61e69fc677350e8dce17f6dc2d  pcre-4.5-4.el4_5.1.s390.rpm
233bf6ee5aab5c1394589b35e0a240ac  pcre-4.5-4.el4_5.1.s390x.rpm
6e4505ff2cab4ef9623efba1301bb291  pcre-debuginfo-4.5-4.el4_5.1.s390.rpm
4b712a174827d3aa67cfaf73ab583114  pcre-debuginfo-4.5-4.el4_5.1.s390x.rpm
43b1cdaf5aba84efc34b6219a411e1c8  pcre-devel-4.5-4.el4_5.1.s390x.rpm

x86_64:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
96c23c6f94616735252c926308bd5037  pcre-4.5-4.el4_5.1.x86_64.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
8495cf879c626cb9e9d661cc472ebb0a  pcre-debuginfo-4.5-4.el4_5.1.x86_64.rpm
91ace1c63dd58660bd06673252f992d7  pcre-devel-4.5-4.el4_5.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/pcre-4.5-4.el4_5.1.src.rpm
d2bf1a695fbb25449e583dcdf1c2adc3  pcre-4.5-4.el4_5.1.src.rpm

i386:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
25e5f95b21f055328b7f223b82682c18  pcre-devel-4.5-4.el4_5.1.i386.rpm

x86_64:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
96c23c6f94616735252c926308bd5037  pcre-4.5-4.el4_5.1.x86_64.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
8495cf879c626cb9e9d661cc472ebb0a  pcre-debuginfo-4.5-4.el4_5.1.x86_64.rpm
91ace1c63dd58660bd06673252f992d7  pcre-devel-4.5-4.el4_5.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/pcre-4.5-4.el4_5.1.src.rpm
d2bf1a695fbb25449e583dcdf1c2adc3  pcre-4.5-4.el4_5.1.src.rpm

i386:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
25e5f95b21f055328b7f223b82682c18  pcre-devel-4.5-4.el4_5.1.i386.rpm

ia64:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
09735dc1d899a27490fbaefbf801e453  pcre-4.5-4.el4_5.1.ia64.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
b9fd1bfce2d9c0761b0610ddde2c1607  pcre-debuginfo-4.5-4.el4_5.1.ia64.rpm
3e3c83e3a8c1b28b1d5d5a3e2efbf8f0  pcre-devel-4.5-4.el4_5.1.ia64.rpm

x86_64:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
96c23c6f94616735252c926308bd5037  pcre-4.5-4.el4_5.1.x86_64.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
8495cf879c626cb9e9d661cc472ebb0a  pcre-debuginfo-4.5-4.el4_5.1.x86_64.rpm
91ace1c63dd58660bd06673252f992d7  pcre-devel-4.5-4.el4_5.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/pcre-4.5-4.el4_5.1.src.rpm
d2bf1a695fbb25449e583dcdf1c2adc3  pcre-4.5-4.el4_5.1.src.rpm

i386:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
25e5f95b21f055328b7f223b82682c18  pcre-devel-4.5-4.el4_5.1.i386.rpm

ia64:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
09735dc1d899a27490fbaefbf801e453  pcre-4.5-4.el4_5.1.ia64.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
b9fd1bfce2d9c0761b0610ddde2c1607  pcre-debuginfo-4.5-4.el4_5.1.ia64.rpm
3e3c83e3a8c1b28b1d5d5a3e2efbf8f0  pcre-devel-4.5-4.el4_5.1.ia64.rpm

x86_64:
170f0f43d5605415c654ccbec4272b76  pcre-4.5-4.el4_5.1.i386.rpm
96c23c6f94616735252c926308bd5037  pcre-4.5-4.el4_5.1.x86_64.rpm
32650c48544f61597d23051c343419a9  pcre-debuginfo-4.5-4.el4_5.1.i386.rpm
8495cf879c626cb9e9d661cc472ebb0a  pcre-debuginfo-4.5-4.el4_5.1.x86_64.rpm
91ace1c63dd58660bd06673252f992d7  pcre-devel-4.5-4.el4_5.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
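The two advisories above tell an administrator to apply the update and to verify the packages, but leave the mechanics to the reader. The script below is an added example written for this note; it is not Red Hat's or CERT-Renater's code. It does two defender-side checks that both RHSA-2007:0967 and RHSA-2007:0968 imply: it decides whether an installed pcre build (the name-version-release string as printed by `rpm -q pcre`) is older than the fixed build for that RHEL release, and it checks downloaded RPM files against the MD5 sums listed in the advisory before they are installed. The fixed versions and the embedded checksum excerpt (RHEL 5 server, i386) are taken from the advisories; the version comparison is a simplified re-implementation of rpm's segment-wise ordering and is an assumption of this example, not rpm's own code, so for anything beyond pcre on these releases prefer the `rpm` binary itself.

```python
"""Defender-side checks for RHSA-2007:0967 / RHSA-2007:0968 (pcre).

Added example, not the advisory's own tooling. Usage:
    python check_pcre.py <installed-nvr> <el4|el5> [dir-with-downloaded-rpms]
"""
import hashlib
import os
import re
import sys
import tempfile

# Fixed version-release per RHEL major release, as listed in the advisories.
FIXED_PCRE = {
    "el5": ("6.6", "2.el5_0.1"),   # RHSA-2007:0967
    "el4": ("4.5", "4.el4_5.1"),   # RHSA-2007:0968
}

# Excerpt of the advisory's "RPMs required" list (RHEL 5 server, i386).
RHEL5_I386_LIST = """
i386:
1e0fe12062836b8838d902f6f13005c4  pcre-6.6-2.el5_0.1.i386.rpm
0c6be04f491c5738e28ca227cd083c44  pcre-debuginfo-6.6-2.el5_0.1.i386.rpm
55180d96fa4e1b20fcdd580b13c94e76  pcre-devel-6.6-2.el5_0.1.i386.rpm
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpm-style comparison of two version or release strings.

    Splits each string into digit and alpha segments; digit segments compare
    numerically, alpha segments lexically, and a digit segment outranks an
    alpha one at the same position. Returns -1, 0 or 1. (Assumed ordering;
    rpm's real rpmvercmp has a few more tie-break rules.)
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):            # longer string wins once the common prefix ties
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvr(nvr):
    """Split 'pcre-6.6-2.el5_0.1' into (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_vulnerable(installed_nvr, dist):
    """True if the installed pcre build is older than the fixed build for dist."""
    name, version, release = parse_nvr(installed_nvr)
    if name != "pcre":
        raise ValueError("not a pcre package: " + installed_nvr)
    fixed_version, fixed_release = FIXED_PCRE[dist]
    cmp = rpmvercmp(version, fixed_version)
    if cmp == 0:
        cmp = rpmvercmp(release, fixed_release)
    return cmp < 0


def parse_checksums(advisory_text):
    """Return {filename: md5hex} from '<md5>  <file>.rpm' lines of an advisory."""
    pairs = re.findall(r"\b([0-9a-f]{32})\s+(\S+\.rpm)", advisory_text)
    return dict((fname, digest) for digest, fname in pairs)


def verify_rpms(checksums, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for each listed RPM."""
    result = {}
    for fname, expected in checksums.items():
        path = os.path.join(directory, fname)
        if not os.path.isfile(path):
            result[fname] = "missing"
            continue
        h = hashlib.md5()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        result[fname] = "ok" if h.hexdigest() == expected else "mismatch"
    return result


def demo_verify():
    """Exercise all three outcomes on a constructed temporary directory."""
    d = tempfile.mkdtemp()
    checksums = parse_checksums(RHEL5_I386_LIST)
    # A file that exists under the advisory's name but with wrong content: mismatch.
    with open(os.path.join(d, "pcre-6.6-2.el5_0.1.i386.rpm"), "wb") as fh:
        fh.write(b"not a real rpm")   # constructed placeholder, not an RPM
    # A constructed file whose digest we record ourselves: ok.
    body = b"constructed sample, not an RPM"
    with open(os.path.join(d, "sample.rpm"), "wb") as fh:
        fh.write(body)
    checksums["sample.rpm"] = hashlib.md5(body).hexdigest()
    return verify_rpms(checksums, d)   # the remaining advisory entries: missing


if __name__ == "__main__":
    nvr, dist = sys.argv[1], sys.argv[2]
    print(nvr, "VULNERABLE" if is_vulnerable(nvr, dist) else "fixed")
    if len(sys.argv) > 3:
        for fname, status in sorted(verify_rpms(parse_checksums(RHEL5_I386_LIST), sys.argv[3]).items()):
            print(status.ljust(8), fname)
```

A checksum match only shows the download is intact; the advisory's own instruction to verify the Red Hat GPG signature (`rpm --checksig`) is what establishes origin, and it should be done in addition to this check.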
======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================