Docker centos:centos6.8

Vulnerabilities

88 via 88 paths

Dependencies

131

Source

Group 6 Copy Created with Sketch. Docker

Target OS

centos:6
Test your Docker Hub image against our market leading vulnerability database Sign up for free
Severity
  • 54
  • 34
Status
  • 88
  • 0
  • 0

high severity

RHSA-2016:1944

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.47.rc1.el6_8.1

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet. (CVE-2016-2776) Red Hat would like to thank ISC for reporting this issue.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.47.rc1.el6_8.1 or higher.

high severity

RHSA-2016:2093

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.47.rc1.el6_8.2

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled packets with malformed options. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS packet. (CVE-2016-2848)

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.47.rc1.el6_8.2 or higher.

high severity

RHSA-2016:2141

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.47.rc1.el6_8.3

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.47.rc1.el6_8.3 or higher.

high severity

RHSA-2017:0063

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.47.rc1.el6_8.4

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled a query response containing inconsistent DNSSEC information. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9147) Red Hat would like to thank ISC for reporting this issue.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.47.rc1.el6_8.4 or higher.

high severity

RHSA-2017:1105

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6_9.1

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3137) * A denial of service flaw was found in the way BIND handled query requests when using DNS64 with "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request. (CVE-2017-3136) Red Hat would like to thank ISC for reporting these issues. Upstream acknowledges Oleg Gorokhov (Yandex) as the original reporter of CVE-2017-3136.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.62.rc1.el6_9.1 or higher.

high severity

RHSA-2017:1202

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6_9.2

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.62.rc1.el6_9.2 or higher.

high severity

RHSA-2017:1679

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6_9.4

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG(0) signature for a dynamic update request. (CVE-2017-3143) * A flaw was found in the way BIND handled TSIG authentication of AXFR requests. A remote attacker, able to communicate with an authoritative BIND server, could use this flaw to view the entire contents of a zone by sending a specially constructed request packet. (CVE-2017-3142) Red Hat would like to thank Internet Systems Consortium for reporting these issues. Upstream acknowledges Clement Berthaux (Synacktiv) as the original reporter of these issues. Bug Fix(es): * ICANN is planning to perform a Root Zone DNSSEC Key Signing Key (KSK) rollover during October 2017. Maintaining an up-to-date KSK, by adding the new root zone KSK, is essential for ensuring that validating DNS resolvers continue to function following the rollover. (BZ#1458234)

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.62.rc1.el6_9.4 or higher.

high severity

RHSA-2018:0101

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6_9.5

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A use-after-free flaw leading to denial of service was found in the way BIND internally handled cleanup operations on upstream recursion fetch contexts. A remote attacker could potentially use this flaw to make named, acting as a DNSSEC validating resolver, exit unexpectedly with an assertion failure via a specially crafted DNS request. (CVE-2017-3145) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Jayachandran Palanisamy (Cygate AB) as the original reporter.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.62.rc1.el6_9.5 or higher.

high severity

RHSA-2018:2571

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.1

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: processing of certain records when "deny-answer-aliases" is in use may trigger an assert leading to a denial of service (CVE-2018-5740) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) as the original reporter.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.68.rc1.el6_10.1 or higher.

high severity

RHSA-2019:1492

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.3

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: Limiting simultaneous TCP clients is ineffective (CVE-2018-5743) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.68.rc1.el6_10.3 or higher.

high severity

RHSA-2020:2383

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.7

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: BIND does not sufficiently limit the number of fetches performed when processing referrals (CVE-2020-8616) * bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c (CVE-2020-8617) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.68.rc1.el6_10.7 or higher.

References

high severity

RHSA-2021:0672

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.10

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation (CVE-2020-8625) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.68.rc1.el6_10.10 or higher.

References

high severity

RHSA-2021:1468

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.11

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.68.rc1.el6_10.11 or higher.

References

high severity

RHSA-2016:1944

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.47.rc1.el6_8.1

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet. (CVE-2016-2776) Red Hat would like to thank ISC for reporting this issue.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.47.rc1.el6_8.1 or higher.

high severity

RHSA-2016:2093

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.47.rc1.el6_8.2

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled packets with malformed options. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS packet. (CVE-2016-2848)

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.47.rc1.el6_8.2 or higher.

high severity

RHSA-2016:2141

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.47.rc1.el6_8.3

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.47.rc1.el6_8.3 or higher.

high severity

RHSA-2017:0063

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.47.rc1.el6_8.4

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled a query response containing inconsistent DNSSEC information. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9147) Red Hat would like to thank ISC for reporting this issue.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.47.rc1.el6_8.4 or higher.

high severity

RHSA-2017:1105

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6_9.1

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3137) * A denial of service flaw was found in the way BIND handled query requests when using DNS64 with "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request. (CVE-2017-3136) Red Hat would like to thank ISC for reporting these issues. Upstream acknowledges Oleg Gorokhov (Yandex) as the original reporter of CVE-2017-3136.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.62.rc1.el6_9.1 or higher.

high severity

RHSA-2017:1202

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6_9.2

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3139) Note: This issue affected only the BIND versions as shipped with Red Hat Enterprise Linux 6. This issue did not affect any upstream versions of BIND.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.62.rc1.el6_9.2 or higher.

high severity

RHSA-2017:1679

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6_9.4

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG(0) signature for a dynamic update request. (CVE-2017-3143) * A flaw was found in the way BIND handled TSIG authentication of AXFR requests. A remote attacker, able to communicate with an authoritative BIND server, could use this flaw to view the entire contents of a zone by sending a specially constructed request packet. (CVE-2017-3142) Red Hat would like to thank Internet Systems Consortium for reporting these issues. Upstream acknowledges Clement Berthaux (Synacktiv) as the original reporter of these issues. Bug Fix(es): * ICANN is planning to perform a Root Zone DNSSEC Key Signing Key (KSK) rollover during October 2017. Maintaining an up-to-date KSK, by adding the new root zone KSK, is essential for ensuring that validating DNS resolvers continue to function following the rollover. (BZ#1458234)

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.62.rc1.el6_9.4 or higher.

high severity

RHSA-2018:0101

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6_9.5

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A use-after-free flaw leading to denial of service was found in the way BIND internally handled cleanup operations on upstream recursion fetch contexts. A remote attacker could potentially use this flaw to make named, acting as a DNSSEC validating resolver, exit unexpectedly with an assertion failure via a specially crafted DNS request. (CVE-2017-3145) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Jayachandran Palanisamy (Cygate AB) as the original reporter.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.62.rc1.el6_9.5 or higher.

high severity

RHSA-2018:2571

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.1

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: processing of certain records when "deny-answer-aliases" is in use may trigger an assert leading to a denial of service (CVE-2018-5740) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) as the original reporter.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.68.rc1.el6_10.1 or higher.

high severity

RHSA-2019:1492

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.3

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: Limiting simultaneous TCP clients is ineffective (CVE-2018-5743) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.68.rc1.el6_10.3 or higher.

high severity

RHSA-2020:2383

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.7

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: BIND does not sufficiently limit the number of fetches performed when processing referrals (CVE-2020-8616) * bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c (CVE-2020-8617) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.68.rc1.el6_10.7 or higher.

References

high severity

RHSA-2021:0672

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.10

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation (CVE-2020-8625) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.68.rc1.el6_10.10 or higher.

References

high severity

RHSA-2021:1468

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.11

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.68.rc1.el6_10.11 or higher.

References

high severity

RHSA-2019:1726

  • Vulnerable module: dbus-libs
  • Introduced through: dbus-libs@1:1.2.24-8.el6_6
  • Fixed in: 1:1.2.24-11.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* dbus-libs@1:1.2.24-8.el6_6

NVD Description

Note: Versions mentioned in the description apply to the upstream dbus-libs package. See Remediation section below for Centos:6 relevant versions.

D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix(es): * dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 dbus-libs to version 1:1.2.24-11.el6_10 or higher.

References

high severity

RHSA-2021:2467

  • Vulnerable module: glib2
  • Introduced through: glib2@2.28.8-5.el6
  • Fixed in: 0:2.28.8-11.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* glib2@2.28.8-5.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2 package. See Remediation section below for Centos:6 relevant versions.

GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fix(es): * glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 glib2 to version 0:2.28.8-11.el6_10 or higher.

References

high severity

RHSA-2017:1480

  • Vulnerable module: glibc
  • Introduced through: glibc@2.12-1.192.el6
  • Fixed in: 0:2.12-1.209.el6_9.2

Detailed paths

  • Introduced through: centos:centos6.8@* glibc@2.12-1.192.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:6 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult. (CVE-2017-1000366) Red Hat would like to thank Qualys Research Labs for reporting this issue.

Remediation

Upgrade Centos:6 glibc to version 0:2.12-1.209.el6_9.2 or higher.

high severity

RHSA-2017:1480

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.12-1.192.el6
  • Fixed in: 0:2.12-1.209.el6_9.2

Detailed paths

  • Introduced through: centos:centos6.8@* glibc-common@2.12-1.192.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:6 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult. (CVE-2017-1000366) Red Hat would like to thank Qualys Research Labs for reporting this issue.

Remediation

Upgrade Centos:6 glibc-common to version 0:2.12-1.209.el6_9.2 or higher.

high severity

RHSA-2018:2180

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.0.14-8.el6
  • Fixed in: 0:2.0.14-9.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* gnupg2@2.0.14-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream gnupg2 package. See Remediation section below for Centos:6 relevant versions.

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix(es): * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 gnupg2 to version 0:2.0.14-9.el6_10 or higher.

high severity

RHSA-2019:1652

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.2-2.el6_7.1
  • Fixed in: 0:1.4.2-3.el6_10.1

Detailed paths

  • Introduced through: centos:centos6.8@* libssh2@1.4.2-2.el6_7.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See Remediation section below for Centos:6 relevant versions.

The libssh2 packages provide a library that implements the SSH2 protocol. Security Fix(es): * libssh2: Integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) * libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) * libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) * libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes (CVE-2019-3863) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 libssh2 to version 0:1.4.2-3.el6_10.1 or higher.

References

high severity

RHSA-2016:1292

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.7.6-21.el6
  • Fixed in: 0:2.7.6-21.el6_8.1

Detailed paths

  • Introduced through: centos:centos6.8@* libxml2@2.7.6-21.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Centos:6 relevant versions.

The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix(es): A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or execute arbitrary code with the permissions of the user running the application. (CVE-2016-1834, CVE-2016-1840) Multiple denial of service flaws were found in libxml2. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, could cause that application to crash. (CVE-2016-1762, CVE-2016-1833, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2016-3627, CVE-2016-3705, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449)

Remediation

Upgrade Centos:6 libxml2 to version 0:2.7.6-21.el6_8.1 or higher.

high severity

RHSA-2017:1100

  • Vulnerable module: nss
  • Introduced through: nss@3.21.0-8.el6
  • Fixed in: 0:3.28.4-1.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.28.4), nss-util (3.28.4). Security Fix(es): * An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2017-5461) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ronald Crane as the original reporter.

Remediation

Upgrade Centos:6 nss to version 0:3.28.4-1.el6_9 or higher.

high severity

RHSA-2017:1364

  • Vulnerable module: nss
  • Introduced through: nss@3.21.0-8.el6
  • Fixed in: 0:3.28.4-3.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502) Bug Fix(es): * The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1448488)

Remediation

Upgrade Centos:6 nss to version 0:3.28.4-3.el6_9 or higher.

high severity

RHSA-2017:2832

  • Vulnerable module: nss
  • Introduced through: nss@3.21.0-8.el6
  • Fixed in: 0:3.28.4-4.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Martin Thomson as the original reporter.

Remediation

Upgrade Centos:6 nss to version 0:3.28.4-4.el6_9 or higher.

high severity

RHSA-2019:4152

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.14.3-23.el6_7
  • Fixed in: 0:3.44.0-6.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss-softokn@3.14.3-23.el6_7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn package. See Remediation section below for Centos:6 relevant versions.

The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 nss-softokn to version 0:3.44.0-6.el6_10 or higher.

References

high severity

RHSA-2019:4152

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.14.3-23.el6_7
  • Fixed in: 0:3.44.0-6.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss-softokn-freebl@3.14.3-23.el6_7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn-freebl package. See Remediation section below for Centos:6 relevant versions.

The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 nss-softokn-freebl to version 0:3.44.0-6.el6_10 or higher.

References

high severity

RHSA-2017:1100

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.0-8.el6
  • Fixed in: 0:3.28.4-1.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss-sysinit@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.28.4), nss-util (3.28.4). Security Fix(es): * An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2017-5461) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ronald Crane as the original reporter.

Remediation

Upgrade Centos:6 nss-sysinit to version 0:3.28.4-1.el6_9 or higher.

high severity

RHSA-2017:1364

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.0-8.el6
  • Fixed in: 0:3.28.4-3.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss-sysinit@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502) Bug Fix(es): * The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1448488)

Remediation

Upgrade Centos:6 nss-sysinit to version 0:3.28.4-3.el6_9 or higher.

high severity

RHSA-2017:2832

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.0-8.el6
  • Fixed in: 0:3.28.4-4.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss-sysinit@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Martin Thomson as the original reporter.

Remediation

Upgrade Centos:6 nss-sysinit to version 0:3.28.4-4.el6_9 or higher.

high severity

RHSA-2017:1100

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.0-8.el6
  • Fixed in: 0:3.28.4-1.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss-tools@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.28.4), nss-util (3.28.4). Security Fix(es): * An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2017-5461) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ronald Crane as the original reporter.

Remediation

Upgrade Centos:6 nss-tools to version 0:3.28.4-1.el6_9 or higher.

high severity

RHSA-2017:1364

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.0-8.el6
  • Fixed in: 0:3.28.4-3.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss-tools@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502) Bug Fix(es): * The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1448488)

Remediation

Upgrade Centos:6 nss-tools to version 0:3.28.4-3.el6_9 or higher.

high severity

RHSA-2017:2832

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.0-8.el6
  • Fixed in: 0:3.28.4-4.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss-tools@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Martin Thomson as the original reporter.

Remediation

Upgrade Centos:6 nss-tools to version 0:3.28.4-4.el6_9 or higher.

high severity

RHSA-2017:1100

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.21.0-2.el6
  • Fixed in: 0:3.28.4-1.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* nss-util@3.21.0-2.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.28.4), nss-util (3.28.4). Security Fix(es): * An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2017-5461) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ronald Crane as the original reporter.

Remediation

Upgrade Centos:6 nss-util to version 0:3.28.4-1.el6_9 or higher.

high severity

RHSA-2016:0996

  • Vulnerable module: openssl
  • Introduced through: openssl@1.0.1e-48.el6
  • Fixed in: 0:1.0.1e-48.el6_8.1

Detailed paths

  • Introduced through: centos:centos6.8@* openssl@1.0.1e-48.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Centos:6 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108) * Two integer overflow flaws, leading to buffer overflows, were found in the way the EVP_EncodeUpdate() and EVP_EncryptUpdate() functions of OpenSSL parsed very large amounts of input data. A remote attacker could use these flaws to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105, CVE-2016-2106) * It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2016-2107) * Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application. (CVE-2016-0799, CVE-2016-2842) * A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-0799. Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, and CVE-2016-0799; and Juraj Somorovsky as the original reporter of CVE-2016-2107.

Remediation

Upgrade Centos:6 openssl to version 0:1.0.1e-48.el6_8.1 or higher.

high severity

RHSA-2016:1940

  • Vulnerable module: openssl
  • Introduced through: openssl@1.0.1e-48.el6
  • Fixed in: 0:1.0.1e-48.el6_8.3

Detailed paths

  • Introduced through: centos:centos6.8@* openssl@1.0.1e-48.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Centos:6 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304) * It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system. (CVE-2016-2178) * It was discovered that the Datagram TLS (DTLS) implementation could fail to release memory in certain cases. A malicious DTLS client could cause a DTLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory. (CVE-2016-2179) * A flaw was found in the Datagram TLS (DTLS) replay protection implementation in OpenSSL. A remote attacker could possibly use this flaw to make a DTLS server using OpenSSL to reject further packets sent from a DTLS client over an established DTLS connection. (CVE-2016-2181) * An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec() function. An attacker able to make an application using OpenSSL to process a large BIGNUM could cause the application to crash or, possibly, execute arbitrary code. (CVE-2016-2182) * A flaw was found in the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by lowering priority of DES cipher suites so they are not preferred over cipher suites using AES. For compatibility reasons, DES cipher suites remain enabled by default and included in the set of cipher suites identified by the HIGH cipher string. Future updates may move them to MEDIUM or not enable them by default. * An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A remote attacker could use this flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for session tickets. (CVE-2016-6302) * Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2016-2177) * An out of bounds read flaw was found in the way OpenSSL formatted Public Key Infrastructure Time-Stamp Protocol data for printing. An attacker could possibly cause an application using OpenSSL to crash if it printed time stamp data from the attacker. (CVE-2016-2180) * Multiple out of bounds read flaws were found in the way OpenSSL handled certain TLS/SSL protocol handshake messages. A remote attacker could possibly use these flaws to crash a TLS/SSL server or client using OpenSSL. (CVE-2016-6306) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and CVE-2016-6306 and OpenVPN for reporting CVE-2016-2183. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304 and CVE-2016-6306; and Karthikeyan Bhargavan (Inria) and Gaëtan Leurent (Inria) as the original reporters of CVE-2016-2183.

Remediation

Upgrade Centos:6 openssl to version 0:1.0.1e-48.el6_8.3 or higher.

high severity

RHSA-2021:0056

  • Vulnerable module: openssl
  • Introduced through: openssl@1.0.1e-48.el6
  • Fixed in: 0:1.0.1e-59.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* openssl@1.0.1e-48.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Centos:6 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 openssl to version 0:1.0.1e-59.el6_10 or higher.

References

high severity

RHSA-2018:1777

  • Vulnerable module: procps
  • Introduced through: procps@3.2.8-36.el6
  • Fixed in: 0:3.2.8-45.el6_9.3

Detailed paths

  • Introduced through: centos:centos6.8@* procps@3.2.8-36.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream procps package. See Remediation section below for Centos:6 relevant versions.

The procps packages contain a set of system utilities that provide system information. The procps packages include the following utilities: ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, pwdx, sysctl, pmap, and slabtop. Security Fix(es): * procps-ng, procps: Integer overflows leading to heap overflow in file2strvec (CVE-2018-1124) * procps-ng, procps: incorrect integer size in proc/alloc.* leading to truncation / integer overflow issues (CVE-2018-1126) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Qualys Research Labs for reporting these issues.

Remediation

Upgrade Centos:6 procps to version 0:3.2.8-45.el6_9.3 or higher.

high severity

RHSA-2019:1467

  • Vulnerable module: python
  • Introduced through: python@2.6.6-64.el6
  • Fixed in: 0:2.6.6-68.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* python@2.6.6-64.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:6 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 python to version 0:2.6.6-68.el6_10 or higher.

high severity

RHSA-2019:1467

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.6.6-64.el6
  • Fixed in: 0:2.6.6-68.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* python-libs@2.6.6-64.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:6 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 python-libs to version 0:2.6.6-68.el6_10 or higher.

high severity

RHSA-2019:1774

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:7.4.629-5.el6
  • Fixed in: 2:7.4.629-5.el6_10.2

Detailed paths

  • Introduced through: centos:centos6.8@* vim-minimal@2:7.4.629-5.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream vim-minimal package. See Remediation section below for Centos:6 relevant versions.

Vim (Vi IMproved) is an updated and improved version of the vi editor. Security Fix(es): * vim/neovim: ':source!' command allows arbitrary command execution via modelines (CVE-2019-12735) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 vim-minimal to version 2:7.4.629-5.el6_10.2 or higher.

References

high severity

RHSA-2018:2284

  • Vulnerable module: yum-plugin-fastestmirror
  • Introduced through: yum-plugin-fastestmirror@1.1.30-37.el6
  • Fixed in: 0:1.1.30-42.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* yum-plugin-fastestmirror@1.1.30-37.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream yum-plugin-fastestmirror package. See Remediation section below for Centos:6 relevant versions.

The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use. Security Fix(es): * yum-utils: reposync: improper path validation may lead to directory traversal (CVE-2018-10897) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Jay Grizzard (Clover Network) and Aaron Levy (Clover Network) for reporting this issue.

Remediation

Upgrade Centos:6 yum-plugin-fastestmirror to version 0:1.1.30-42.el6_10 or higher.

high severity

RHSA-2018:2284

  • Vulnerable module: yum-plugin-ovl
  • Introduced through: yum-plugin-ovl@1.1.30-37.el6
  • Fixed in: 0:1.1.30-42.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* yum-plugin-ovl@1.1.30-37.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream yum-plugin-ovl package. See Remediation section below for Centos:6 relevant versions.

The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use. Security Fix(es): * yum-utils: reposync: improper path validation may lead to directory traversal (CVE-2018-10897) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Jay Grizzard (Clover Network) and Aaron Levy (Clover Network) for reporting this issue.

Remediation

Upgrade Centos:6 yum-plugin-ovl to version 0:1.1.30-42.el6_10 or higher.

medium severity

RHSA-2017:0725

  • Vulnerable module: bash
  • Introduced through: bash@4.1.2-40.el6
  • Fixed in: 0:4.1.2-48.el6

Detailed paths

  • Introduced through: centos:centos6.8@* bash@4.1.2-40.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bash package. See Remediation section below for Centos:6 relevant versions.

The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es): * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) * An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) * A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

Remediation

Upgrade Centos:6 bash to version 0:4.1.2-48.el6 or higher.

medium severity

RHBA-2017:0651

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section. Users of bind are advised to upgrade to these updated packages.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.62.rc1.el6 or higher.

References

medium severity

RHSA-2020:4183

  • Vulnerable module: bind-libs
  • Introduced through: bind-libs@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.8

Detailed paths

  • Introduced through: centos:centos6.8@* bind-libs@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-libs package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: truncated TSIG response can lead to an assertion failure (CVE-2020-8622) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-libs to version 32:9.8.2-0.68.rc1.el6_10.8 or higher.

References

medium severity

RHBA-2017:0651

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.62.rc1.el6

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section. Users of bind are advised to upgrade to these updated packages.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.62.rc1.el6 or higher.

References

medium severity

RHSA-2020:4183

  • Vulnerable module: bind-utils
  • Introduced through: bind-utils@32:9.8.2-0.47.rc1.el6
  • Fixed in: 32:9.8.2-0.68.rc1.el6_10.8

Detailed paths

  • Introduced through: centos:centos6.8@* bind-utils@32:9.8.2-0.47.rc1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-utils package. See Remediation section below for Centos:6 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: truncated TSIG response can lead to an assertion failure (CVE-2020-8622) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 bind-utils to version 32:9.8.2-0.68.rc1.el6_10.8 or higher.

References

medium severity

RHSA-2017:0654

  • Vulnerable module: coreutils
  • Introduced through: coreutils@8.4-43.el6
  • Fixed in: 0:8.4-46.el6

Detailed paths

  • Introduced through: centos:centos6.8@* coreutils@8.4-43.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream coreutils package. See Remediation section below for Centos:6 relevant versions.

The coreutils packages contain the GNU Core Utilities and represent a combination of the previously used GNU fileutils, sh-utils, and textutils packages. Security Fix(es): * A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616) Red Hat would like to thank Tobias Stöckmann for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

Remediation

Upgrade Centos:6 coreutils to version 0:8.4-46.el6 or higher.

medium severity

RHSA-2017:0654

  • Vulnerable module: coreutils-libs
  • Introduced through: coreutils-libs@8.4-43.el6
  • Fixed in: 0:8.4-46.el6

Detailed paths

  • Introduced through: centos:centos6.8@* coreutils-libs@8.4-43.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream coreutils-libs package. See Remediation section below for Centos:6 relevant versions.

The coreutils packages contain the GNU Core Utilities and represent a combination of the previously used GNU fileutils, sh-utils, and textutils packages. Security Fix(es): * A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616) Red Hat would like to thank Tobias Stöckmann for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

Remediation

Upgrade Centos:6 coreutils-libs to version 0:8.4-46.el6 or higher.

medium severity

RHSA-2017:0847

  • Vulnerable module: curl
  • Introduced through: curl@7.19.7-52.el6
  • Fixed in: 0:7.19.7-53.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* curl@7.19.7-52.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Centos:6 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. (CVE-2017-2628) This issue was discovered by Paulo Andrade (Red Hat).

Remediation

Upgrade Centos:6 curl to version 0:7.19.7-53.el6_9 or higher.

medium severity

RHSA-2016:2824

  • Vulnerable module: expat
  • Introduced through: expat@2.0.1-11.el6_2
  • Fixed in: 0:2.0.1-13.el6_8

Detailed paths

  • Introduced through: centos:centos6.8@* expat@2.0.1-11.el6_2

NVD Description

Note: Versions mentioned in the description apply to the upstream expat package. See Remediation section below for Centos:6 relevant versions.

Expat is a C library for parsing XML documents. Security Fix(es): * An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-0718) Red Hat would like to thank Gustavo Grieco for reporting this issue.

Remediation

Upgrade Centos:6 expat to version 0:2.0.1-13.el6_8 or higher.

medium severity

RHSA-2017:0680

  • Vulnerable module: glibc
  • Introduced through: glibc@2.12-1.192.el6
  • Fixed in: 0:2.12-1.209.el6

Detailed paths

  • Introduced through: centos:centos6.8@* glibc@2.12-1.192.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:6 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * A stack overflow vulnerability was found in nan* functions that could cause applications, which process long strings with the nan function, to crash or, potentially, execute arbitrary code. (CVE-2014-9761) * It was found that out-of-range time values passed to the strftime() function could result in an out-of-bounds memory access. This could lead to application crash or, potentially, information disclosure. (CVE-2015-8776) * An integer overflow vulnerability was found in hcreate() and hcreate_r() functions which could result in an out-of-bounds memory access. This could lead to application crash or, potentially, arbitrary code execution. (CVE-2015-8778) * A stack based buffer overflow vulnerability was found in the catopen() function. An excessively long string passed to the function could cause it to crash or, potentially, execute arbitrary code. (CVE-2015-8779) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

Remediation

Upgrade Centos:6 glibc to version 0:2.12-1.209.el6 or higher.

medium severity

RHSA-2018:1879

  • Vulnerable module: glibc
  • Introduced through: glibc@2.12-1.192.el6
  • Fixed in: 0:2.12-1.212.el6

Detailed paths

  • Introduced through: centos:centos6.8@* glibc@2.12-1.192.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:6 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.

Remediation

Upgrade Centos:6 glibc to version 0:2.12-1.212.el6 or higher.

medium severity

RHSA-2017:0680

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.12-1.192.el6
  • Fixed in: 0:2.12-1.209.el6

Detailed paths

  • Introduced through: centos:centos6.8@* glibc-common@2.12-1.192.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:6 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * A stack overflow vulnerability was found in nan* functions that could cause applications, which process long strings with the nan function, to crash or, potentially, execute arbitrary code. (CVE-2014-9761) * It was found that out-of-range time values passed to the strftime() function could result in an out-of-bounds memory access. This could lead to application crash or, potentially, information disclosure. (CVE-2015-8776) * An integer overflow vulnerability was found in hcreate() and hcreate_r() functions which could result in an out-of-bounds memory access. This could lead to application crash or, potentially, arbitrary code execution. (CVE-2015-8778) * A stack based buffer overflow vulnerability was found in the catopen() function. An excessively long string passed to the function could cause it to crash or, potentially, execute arbitrary code. (CVE-2015-8779) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

Remediation

Upgrade Centos:6 glibc-common to version 0:2.12-1.209.el6 or higher.

medium severity

RHSA-2018:1879

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.12-1.192.el6
  • Fixed in: 0:2.12-1.212.el6

Detailed paths

  • Introduced through: centos:centos6.8@* glibc-common@2.12-1.192.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:6 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.

Remediation

Upgrade Centos:6 glibc-common to version 0:2.12-1.212.el6 or higher.

medium severity

RHSA-2017:0847

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.19.7-52.el6
  • Fixed in: 0:7.19.7-53.el6_9

Detailed paths

  • Introduced through: centos:centos6.8@* libcurl@7.19.7-52.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Centos:6 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. (CVE-2017-2628) This issue was discovered by Paulo Andrade (Red Hat).

Remediation

Upgrade Centos:6 libcurl to version 0:7.19.7-53.el6_9 or higher.

medium severity

RHSA-2016:2674

  • Vulnerable module: libgcrypt
  • Introduced through: libgcrypt@1.4.5-11.el6_4
  • Fixed in: 0:1.4.5-12.el6_8

Detailed paths

  • Introduced through: centos:centos6.8@* libgcrypt@1.4.5-11.el6_4

NVD Description

Note: Versions mentioned in the description apply to the upstream libgcrypt package. See Remediation section below for Centos:6 relevant versions.

The libgcrypt library provides general-purpose implementations of various cryptographic algorithms. Security Fix(es): * A design flaw was found in the libgcrypt PRNG (Pseudo-Random Number Generator). An attacker able to obtain the first 580 bytes of the PRNG output could predict the following 20 bytes. (CVE-2016-6313) Red Hat would like to thank Felix Dörre and Vladimir Klebanov for reporting this issue.

Remediation

Upgrade Centos:6 libgcrypt to version 0:1.4.5-12.el6_8 or higher.

medium severity

RHEA-2019:3280

  • Vulnerable module: nspr
  • Introduced through: nspr@4.11.0-1.el6
  • Fixed in: 0:4.21.0-1.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nspr@4.11.0-1.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nspr package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The nss, nss-softokn and nss-util packages have been upgraded to upstream versions 3.44, and the nspr packages have been upgraded to upstream version 4.21. The upgraded versions provide a number of bug fixes and enhancements over the previous versions. Notably, these upgrades allow users to upgrade to Mozilla Firefox 68 Extended Support Release. (BZ#1684609, BZ#1743623, BZ#1743625, BZ#1743628)

Remediation

Upgrade Centos:6 nspr to version 0:4.21.0-1.el6_10 or higher.

References

medium severity

RHEA-2019:3280

  • Vulnerable module: nss
  • Introduced through: nss@3.21.0-8.el6
  • Fixed in: 0:3.44.0-7.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The nss, nss-softokn and nss-util packages have been upgraded to upstream versions 3.44, and the nspr packages have been upgraded to upstream version 4.21. The upgraded versions provide a number of bug fixes and enhancements over the previous versions. Notably, these upgrades allow users to upgrade to Mozilla Firefox 68 Extended Support Release. (BZ#1684609, BZ#1743623, BZ#1743625, BZ#1743628)

Remediation

Upgrade Centos:6 nss to version 0:3.44.0-7.el6_10 or higher.

References

medium severity

RHSA-2016:2779

  • Vulnerable module: nss
  • Introduced through: nss@3.21.0-8.el6
  • Fixed in: 0:3.21.3-2.el6_8

Detailed paths

  • Introduced through: centos:centos6.8@* nss@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.21.3), nss-util (3.21.3). Security Fix(es): * Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-2834) * A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS. (CVE-2016-5285) * It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. (CVE-2016-8635) Red Hat would like to thank the Mozilla project for reporting CVE-2016-2834. The CVE-2016-8635 issue was discovered by Hubert Kario (Red Hat). Upstream acknowledges Tyson Smith and Jed Davis as the original reporter of CVE-2016-2834.

Remediation

Upgrade Centos:6 nss to version 0:3.21.3-2.el6_8 or higher.

medium severity

RHSA-2018:2898

  • Vulnerable module: nss
  • Introduced through: nss@3.21.0-8.el6
  • Fixed in: 0:3.36.0-9.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello (CVE-2018-12384) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Mozilla project for reporting this issue.

Remediation

Upgrade Centos:6 nss to version 0:3.36.0-9.el6_10 or higher.

medium severity

RHEA-2019:3280

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.14.3-23.el6_7
  • Fixed in: 0:3.44.0-5.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss-softokn@3.14.3-23.el6_7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The nss, nss-softokn and nss-util packages have been upgraded to upstream versions 3.44, and the nspr packages have been upgraded to upstream version 4.21. The upgraded versions provide a number of bug fixes and enhancements over the previous versions. Notably, these upgrades allow users to upgrade to Mozilla Firefox 68 Extended Support Release. (BZ#1684609, BZ#1743623, BZ#1743625, BZ#1743628)

Remediation

Upgrade Centos:6 nss-softokn to version 0:3.44.0-5.el6_10 or higher.

References

medium severity

RHEA-2019:3280

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.14.3-23.el6_7
  • Fixed in: 0:3.44.0-5.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss-softokn-freebl@3.14.3-23.el6_7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn-freebl package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The nss, nss-softokn and nss-util packages have been upgraded to upstream versions 3.44, and the nspr packages have been upgraded to upstream version 4.21. The upgraded versions provide a number of bug fixes and enhancements over the previous versions. Notably, these upgrades allow users to upgrade to Mozilla Firefox 68 Extended Support Release. (BZ#1684609, BZ#1743623, BZ#1743625, BZ#1743628)

Remediation

Upgrade Centos:6 nss-softokn-freebl to version 0:3.44.0-5.el6_10 or higher.

References

medium severity

RHEA-2019:3280

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.0-8.el6
  • Fixed in: 0:3.44.0-7.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss-sysinit@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The nss, nss-softokn and nss-util packages have been upgraded to upstream versions 3.44, and the nspr packages have been upgraded to upstream version 4.21. The upgraded versions provide a number of bug fixes and enhancements over the previous versions. Notably, these upgrades allow users to upgrade to Mozilla Firefox 68 Extended Support Release. (BZ#1684609, BZ#1743623, BZ#1743625, BZ#1743628)

Remediation

Upgrade Centos:6 nss-sysinit to version 0:3.44.0-7.el6_10 or higher.

References

medium severity

RHSA-2016:2779

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.0-8.el6
  • Fixed in: 0:3.21.3-2.el6_8

Detailed paths

  • Introduced through: centos:centos6.8@* nss-sysinit@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.21.3), nss-util (3.21.3). Security Fix(es): * Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-2834) * A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS. (CVE-2016-5285) * It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. (CVE-2016-8635) Red Hat would like to thank the Mozilla project for reporting CVE-2016-2834. The CVE-2016-8635 issue was discovered by Hubert Kario (Red Hat). Upstream acknowledges Tyson Smith and Jed Davis as the original reporter of CVE-2016-2834.

Remediation

Upgrade Centos:6 nss-sysinit to version 0:3.21.3-2.el6_8 or higher.

medium severity

RHSA-2018:2898

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.0-8.el6
  • Fixed in: 0:3.36.0-9.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss-sysinit@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello (CVE-2018-12384) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Mozilla project for reporting this issue.

Remediation

Upgrade Centos:6 nss-sysinit to version 0:3.36.0-9.el6_10 or higher.

medium severity

RHEA-2019:3280

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.0-8.el6
  • Fixed in: 0:3.44.0-7.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss-tools@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The nss, nss-softokn and nss-util packages have been upgraded to upstream versions 3.44, and the nspr packages have been upgraded to upstream version 4.21. The upgraded versions provide a number of bug fixes and enhancements over the previous versions. Notably, these upgrades allow users to upgrade to Mozilla Firefox 68 Extended Support Release. (BZ#1684609, BZ#1743623, BZ#1743625, BZ#1743628)

Remediation

Upgrade Centos:6 nss-tools to version 0:3.44.0-7.el6_10 or higher.

References

medium severity

RHSA-2016:2779

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.0-8.el6
  • Fixed in: 0:3.21.3-2.el6_8

Detailed paths

  • Introduced through: centos:centos6.8@* nss-tools@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.21.3), nss-util (3.21.3). Security Fix(es): * Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-2834) * A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS. (CVE-2016-5285) * It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. (CVE-2016-8635) Red Hat would like to thank the Mozilla project for reporting CVE-2016-2834. The CVE-2016-8635 issue was discovered by Hubert Kario (Red Hat). Upstream acknowledges Tyson Smith and Jed Davis as the original reporter of CVE-2016-2834.

Remediation

Upgrade Centos:6 nss-tools to version 0:3.21.3-2.el6_8 or higher.

medium severity

RHSA-2018:2898

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.0-8.el6
  • Fixed in: 0:3.36.0-9.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss-tools@3.21.0-8.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello (CVE-2018-12384) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Mozilla project for reporting this issue.

Remediation

Upgrade Centos:6 nss-tools to version 0:3.36.0-9.el6_10 or higher.

medium severity

RHEA-2019:3280

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.21.0-2.el6
  • Fixed in: 0:3.44.0-1.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* nss-util@3.21.0-2.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The nss, nss-softokn and nss-util packages have been upgraded to upstream versions 3.44, and the nspr packages have been upgraded to upstream version 4.21. The upgraded versions provide a number of bug fixes and enhancements over the previous versions. Notably, these upgrades allow users to upgrade to Mozilla Firefox 68 Extended Support Release. (BZ#1684609, BZ#1743623, BZ#1743625, BZ#1743628)

Remediation

Upgrade Centos:6 nss-util to version 0:3.44.0-1.el6_10 or higher.

References

medium severity

RHSA-2016:2779

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.21.0-2.el6
  • Fixed in: 0:3.21.3-1.el6_8

Detailed paths

  • Introduced through: centos:centos6.8@* nss-util@3.21.0-2.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Centos:6 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.21.3), nss-util (3.21.3). Security Fix(es): * Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-2834) * A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS. (CVE-2016-5285) * It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. (CVE-2016-8635) Red Hat would like to thank the Mozilla project for reporting CVE-2016-2834. The CVE-2016-8635 issue was discovered by Hubert Kario (Red Hat). Upstream acknowledges Tyson Smith and Jed Davis as the original reporter of CVE-2016-2834.

Remediation

Upgrade Centos:6 nss-util to version 0:3.21.3-1.el6_8 or higher.

medium severity

RHSA-2017:0286

  • Vulnerable module: openssl
  • Introduced through: openssl@1.0.1e-48.el6
  • Fixed in: 0:1.0.1e-48.el6_8.4

Detailed paths

  • Introduced through: centos:centos6.8@* openssl@1.0.1e-48.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Centos:6 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * An integer underflow leading to an out of bounds read flaw was found in OpenSSL. A remote attacker could possibly use this flaw to crash a 32-bit TLS/SSL server or client using OpenSSL if it used the RC4-MD5 cipher suite. (CVE-2017-3731) * A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. (CVE-2016-8610)

Remediation

Upgrade Centos:6 openssl to version 0:1.0.1e-48.el6_8.4 or higher.

medium severity

RHSA-2019:2471

  • Vulnerable module: openssl
  • Introduced through: openssl@1.0.1e-48.el6
  • Fixed in: 0:1.0.1e-58.el6_10

Detailed paths

  • Introduced through: centos:centos6.8@* openssl@1.0.1e-48.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Centos:6 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: 0-byte record padding oracle (CVE-2019-1559) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:6 openssl to version 0:1.0.1e-58.el6_10 or higher.

References

medium severity

RHSA-2016:1626

  • Vulnerable module: python
  • Introduced through: python@2.6.6-64.el6
  • Fixed in: 0:2.6.6-66.el6_8

Detailed paths

  • Introduced through: centos:centos6.8@* python@2.6.6-64.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:6 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000110) * It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. (CVE-2016-0772) * It was found that the Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values. (CVE-2016-5699) Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110.

Remediation

Upgrade Centos:6 python to version 0:2.6.6-66.el6_8 or higher.

medium severity

RHSA-2016:1626

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.6.6-64.el6
  • Fixed in: 0:2.6.6-66.el6_8

Detailed paths

  • Introduced through: centos:centos6.8@* python-libs@2.6.6-64.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:6 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000110) * It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. (CVE-2016-0772) * It was found that the Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values. (CVE-2016-5699) Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110.

Remediation

Upgrade Centos:6 python-libs to version 0:2.6.6-66.el6_8 or higher.

medium severity

RHSA-2016:2972

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:7.4.629-5.el6
  • Fixed in: 2:7.4.629-5.el6_8.1

Detailed paths

  • Introduced through: centos:centos6.8@* vim-minimal@2:7.4.629-5.el6

NVD Description

Note: Versions mentioned in the description apply to the upstream vim-minimal package. See Remediation section below for Centos:6 relevant versions.

Vim (Vi IMproved) is an updated and improved version of the vi editor. Security Fix(es): * A vulnerability was found in vim in how certain modeline options were treated. An attacker could craft a file that, when opened in vim with modelines enabled, could execute arbitrary commands with privileges of the user running vim. (CVE-2016-1248)

Remediation

Upgrade Centos:6 vim-minimal to version 2:7.4.629-5.el6_8.1 or higher.