Tag: APV

Red Hat OpenShift Enterprise release 2.2.11 is now available with updated packages that fix several bugs and add various enhancements.

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This update fixes the following bugs:

* The routing daemon (RD) can now be configured with multiple F5 BIG-IP hosts. During F5 configurations, the RD tries to connect to the first configured host. If it fails, it retries each successive host until it connects to a host or exhausts its host list. The RD now correctly sends a NACK response to ActiveMQ when operations fail. ActiveMQ redelivers the message, causing the RD to retry. The RD's communication with ActiveMQ, logging of errors, and handling of error responses from F5 BIG-IP have been improved. This enables the RD to continue operation with the F5 BIG-IP cluster even if the RD loses contact with the cluster, improving the RD's behavior when multiple instances are run in a clustered configuration. The RD is more resilient against losing contact with individual F5 BIG-IP hosts in a cluster of F5 BIG-IP hosts and functions better when run in a clustered configuration. The RD elicits fewer error responses from F5 BIG-IP and provides better logs, making error diagnosis easier. (BZ#1227472)

* Users can now allow the provided database connection helper functions mysql(), psql(), and mongo() to be overwritten. This allows users to overwrite the helper functions to easily connect to external databases. Users can now define mysql(), psql(), and mongo() functions in their $OPENSHIFT_DATA_DIR/.bash_profile, which can be used within an SSH connection to a gear. (BZ#1258033)

* HAProxy cookies were inconsistently named. Requests to an HA application were not always being routed to the correct gear. This fix changes the cookie naming logic so that the cookie name reflects which back-end gear is handling the request. As a result, all back-end HAProxy gears should now return the same cookie name and the requests should be properly routed to the correct back-end gear. (BZ#1377433)

* EWS Tomcat 7 can now be configured on nodes to use either EWS 2 or EWS 3 channels, allowing an administrator an option of what EWS version the EWS 2 cartridge deploys. This option was enabled to allow administrators to take advantage of the EWS 3 lifecycle and security or bug updates that it receives compared to the maintenance lifecycle that EWS 2 is currently receiving. Administrators have options or can mix and match EWS versions (with node profiles) on what Tomcat version is installed when an EWS 2 cartridge is created. (BZ#1394328)

* The new version of PIP (7.1.0) no longer accepted insecure (HTTP) mirrors. Also, PIP attempted to create and then write files into the .cache directory, which users do not have permission to create post-installation. As a result, Python dependencies failed to be installed. The default PyPi mirror URL is now updated to use a secure connection (HTTPS). The directory .cache is created during installation in advance so it can be used later by PIP. With this fix, Python dependencies can be fetched from the PyPi mirror and installed properly. (BZ#1401120)

* When using a gear's UUID in the logical volume name, a grep in the oo-accept-node caused oo-accept-node to fail. The grep was fixed with this update. Using the gear UUID in the logical volume name no longer causes oo-accept-node to fail. (BZ#1401124)

* Previously, moving a gear with many aliases reloaded Apache for each alias. The excess aliases caused the gear move to time out and fail. With this fix, a gear move will now update Apache once with an array of aliases instead of updating after each alias. (BZ#1401132)

* Previously, node-proxy did not specify to use cipher order, so the order did not matter when using a custom cipher order. This fix makes the node-proxy honor the cipher order. Custom cipher orders will now take the cipher order into account when choosing a cipher. (BZ#1401133)

All OpenShift Enterprise 2 users are advised to upgrade to these updated packages.

1258033 - Allow the override of pre-defined function for database connections
1377433 - haproxy configuration in HA gears sets inconsistent cookie values, breaking session affinity
1394328 - [RFE] EWS 2 cartridge should be able to use EWS 3 binaries.
1401120 - pip permission error prevents installing on python-2.7 cartridge
1401124 - oo-accept-node reports missing quota if filesystem name contains gear uuid
1401132 - Moving gears with many aliases causes excessive number of apache reloads

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

'We have no recruiting targets,' says indignant MoD spin doctor

Army social media psyops unit 77 Brigade is struggling to reel in new government cyber-warriors in spite of a recruitment publicity blitz last year, according to the Ministry of Defence.

The "brigade" – in reality a unit slightly smaller than an infantry battalion, with a target manning strength of 448 people – is under strength by about 40 per cent, according to figures released under the Freedom of Information Act.

Of those 448, 182 of them are supposed to be full-time soldiers, sailors and airmen, while 266 are part-time reservists bringing in specialist skills from the civilian world.

A fortnight ago the unit, known as the Security Assistance Group (SAG) until July 2015, had only 276 personnel on its books. Just 123 of those were reservists, meaning 77 Bde has a shortfall of 29 regulars and 143 reserves.

In the last year just 125 soldiers were recruited to 77 Bde, or posted into it from elsewhere in the Army.

The unit forms part of the government's wider efforts to tackle hostile use of social media by, among others, Islamist terrorists, Russian hackers and state-backed fake news and propaganda agencies such as Russia Today (RT) and Iran's Press TV. In addition, it is also supposed to engage in the dark arts of destabilising Britain's foes by starting whispering campaigns among their supporters and potential supporters.

The SAG was formed in 2014 to combine the Army's Media Operations Group, 15 (UK) Psychological Operations Group, the Security Capacity Building Team and the Military Stabilisation and Support Group. It was rebranded 77 Brigade after 18 months when someone inside the MoD thought it would be a good idea to link them with Brigadier Orde Wingate's famous guerrilla unit the Chindits, who fought hundreds of miles behind Japanese lines in the Far East during the Second World War.

77 Bde maintains small Facebook and Twitter presences in its own name.

The modern-day 77 Bde is split into six "columns", of which the fifth column is the media ops and civil affairs sub-unit – perhaps a military bureaucrat's little joke.

"I can confirm that the Army is pleased with the rate of growth of the Brigade and that it is attracting trained personnel of the right knowledge, skill and experience required for its roles," insisted an MoD spin doctor in the ministry's response to the original FoI request. The response also claimed that 77 Bde has "no set recruiting targets".

"The shortfall in the reserve numbers is partly due to the recent increase in liability... but is, in the main, due to the fact 77 Brigade is a new formation and it takes time for this capability to be built up," he added. ®

An update for ipa is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

Security Fix(es):

* It was discovered that the default IdM password policies that lock out accounts after a certain number of failed login attempts were also applied to host and service accounts. A remote unauthenticated user could use this flaw to cause a denial of service attack against kerberized services. (CVE-2016-7030)

* It was found that IdM's certprofile-mod command did not properly check the user's permissions while modifying certificate profiles. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary naming or key usage information and subsequently use such certificates for other attacks. (CVE-2016-9575)

The CVE-2016-7030 issue was discovered by Petr Spacek (Red Hat) and the CVE-2016-9575 issue was discovered by Liam Campbell (Red Hat).

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

He's bound to say that.

Truth is, it'll get worse before it gets better Comment Admiral Sir Philip Jones, head of the Royal Navy, has written how "you'd be forgiven for thinking that the RN had packed up and gone home" in response to the kicking the naval service has received in the press recently. In an open letter published on the RN website, the admiral wrote: "Sadly the world is less certain and less safe.

But our sense of responsibility has not changed.

The Royal Navy may be smaller than in the past but has a strong future so this is no time to talk the Navy down." On 21 November the Defence Select Committee published a swingeing report into naval procurement, which concluded: "The MoD is embarking on a major modernisation of the Royal Navy surface fleet. Notwithstanding the Committee's concerns that the number of ships is at a dangerous and an historic low, it is a programme which has the potential to deliver a modern navy with a broad range of capabilities." Meanwhile, HMS Duncan, a Type 45 air-defence destroyer, had to be towed back into port after her unreliable Rolls-Royce WR-21 engines* broke down, as they tend to do on all Type 45s with worrying frequency – so much so that the RN has started a dedicated initiative, Project Napier, to add extra diesel generators to the Type 45 fleet.

This involves cutting large holes in the hull of each ship. Royal Fleet Auxiliary** tanker Wave Knight, currently deployed on Atlantic Patrol Tasking (North) in the Caribbean on anti-drugs patrol duties, broke down in St Vincent with Prince Harry aboard.

APT(N) used to be carried out by an actual warship rather than a refuelling tanker, but cuts to destroyer and frigate numbers left the Navy with no option. Last year a naval offshore patrol vessel, normally employed to stop and search fishermen's boats and their catches, was trialled on APT(N). A few weeks ago it was revealed that the RN will, from 2018, be left without any anti-ship missiles on its frigates and destroyers. Then there's the Type 26 frigate programme, which continues to stagnate as MoD officials lock horns with vastly more experienced BAE Systems negotiators over contracts.

The Type 26s are planned to partly replace the UK's current fleet of thirteen Type 23 anti-submarine frigates.

There will be fewer Type 26s than Type 23s, however, with the final five Type 23s set to be replaced with Type 31 "general purpose frigates", a cheap 'n' cheerful concept intended primarily for export.

The government, having initially pledged a like-for-like replacement of Type 23 with Type 26, later changed tack and cut the planned order of Type 26s, presumably because of the spiralling costs.

A perfect storm for the naval service

So what did the First Sea Lord have to say in defence of the RN? Type 45 destroyers are "hugely innovative" and "money is now in place to put this right". Indeed, "if they weren't up to the job then the US and French navies would not entrust them with protection of their aircraft carriers in the Gulf." A strong point: for all their electrical flaws, the Type 45s are world-leading air-defence destroyers.

The Harpoon anti-ship missile was cut partly because it "was reaching the end of its life" – though the admiral's attempt to claim that last month's Unmanned Warrior robot naval boat exercise featured anything capable of replacing a dedicated anti-ship capability was fanciful at best and downright disingenuous at worst.

That said, the admiral is duty bound, for better or for worse, not to embarrass his elected political masters. Admiral Jones also mentioned the Queen Elizabeth-class aircraft carriers and their F-35B fighter jet air wing, due to enter service in a few years.

As previously reported on El Reg, the F-35 will not be ready for true carrier deployment for another five years minimum and even when it is, we won't own enough of them to put to sea without borrowing half the fast air wing from the US Marines. Moreover, each carrier will need, at the very least, both a frigate and a destroyer as escorts; the frigate to detect submarines, the destroyer to maintain an anti-aircraft screen. Will we be able to spare these two ships from all the other standing tasks, let alone training and maintenance requirements? On the whole, the Royal Navy is in very poor shape.
It cannot meet all its standing patrol tasks (as detailed in the Defence Select Committee report) without resorting to small patrol vessels and mostly civilian tankers to do so.

The Fleet Air Arm will not be a credible force capable of deploying overseas at even minimal strength (12 F-35Bs) until the middle of the next decade.

The frigate force is capable but ageing and due for retirement soon.

The destroyer fleet will be plagued by engine problems for another five years. On the other hand, the carriers will enter service.

F-35B will enter service.

Type 26 will start entering service from the mid-2020s.

The RFA will receive its new Tide-class replenishment ships to support the carriers.

Three new offshore patrol vessels are under construction and will be delivered in the next few years. New nuclear deterrent submarines are now under construction and will enter service in the coming years.
In terms of fighting strength, ability to put to sea and ensure freedom of navigation and lawful commerce, the Navy will improve.

The tough part is that we will not hit rock bottom and start climbing out of this well of impotence for at least the next three years. What those three years bring – Brexit, more Russian sabre-rattling, possibly even a new Middle East flashpoint – could stretch the RN to breaking point or even beyond.

While the First Sea Lord has publicly defended his service, ultimately it is the politicians of all flavours who starved the Navy of the funding for new ships and equipment that it desperately needed ten years ago, leading to today's situation where so many demoralised personnel have left that ship deployments were lengthened from six to nine months.

The next time the Defence Secretary pops up to recycle tired old announcements that amount to nothing new, remember that. ®

Bootnotes

*The two gas turbines themselves are OK – it is the intercooler-recuperator assembly which lets them down.

Briefly, the intercooler-recuperator recovers heat from the turbines' exhausts and uses it to pre-heat the fuel/air mixture being fed into the engine.

This reduces wasted heat while increasing fuel efficiency and electrical output.

Due to a design flaw, the intercooler-recuperator tends to drop out without warning when operating in warmer waters (reportedly as low as 30C).

The sudden spike in electrical demand overwhelms the ship's two auxiliary Wärtsilä diesel generators and causes the entire electrical system, propulsion, weapons and all, to trip out, leaving the destroyer dead in the water as frantic marine engineers rush to reset it all.

**The Royal Fleet Auxiliary is a uniformed but civilian branch of the naval service. Officially classed as civil servants sailing civilian-registered British ships, their personnel man the tankers, replenishment ships and general duties vessels, which increasingly find themselves used as actual warships, such as on the APT(N) deployment or as the mothership for the British minehunter contingent in the Persian Gulf.
Details

Updated packages that resolve various issues are now available for Red Hat OpenStack Platform 9.0 director for RHEL 7.

Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on Red Hat OpenStack Platform.

Solution

Before applying this update, ensure all previously released errata relevant to your system have been applied.

Red Hat OpenStack Platform 9 runs on Red Hat Enterprise Linux 7.2.

The Red Hat OpenStack Platform 9 Release Notes contain the following:

* An explanation of the way in which the provided components interact to form a working cloud computing environment.
* Technology Previews, Recommended Practices, and Known Issues.
* The channels required for Red Hat OpenStack Platform 9, including which channels need to be enabled and disabled.

The Release Notes are available at: https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/release-notes

This update is available through 'yum update' on systems registered through Red Hat Subscription Manager.

For more information about Red Hat Subscription Manager, see: https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html

Updated packages

Red Hat OpenStack 9.0 director for RHEL 7

SRPMS:
instack-undercloud-4.0.0-15.el7ost.src.rpm
openstack-tripleo-image-elements-0.9.9-7.el7ost.src.rpm

x86_64:
instack-undercloud-4.0.0-15.el7ost.noarch.rpm
openstack-tripleo-image-elements-0.9.9-7.el7ost.noarch.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1364020 - Undercloud installation does not configure UEFi deployment default parameters
1385523 - Undercloud installation fails with RHEL-7.3 on selinux [OSP9]
1387935 - rhel-osp-director: 9.0 on rhel7.3: undercloud deployment fails: make: *** [tmp/tripleo-selinux-mariadb.mod] Error 1

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/
Helping partners grow their business in the UK public sector

London – November 1, 2016 – UKCloud, formerly Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today announced the launch of its NEW partner programme. It will offer both new and existing partners an impressive benefits framework including significant technical, marketing and sales expertise, giving UKCloud partners the best possible chance of selling successfully into the UK public sector.

The newly launched partner programme will build on the momentum already achieved by UKCloud’s existing partner programme, which was launched in August 2013. UKCloud has since helped approximately 120 partners onto the G-Cloud Framework and the company has supported more than 465 partner projects across the UK public sector.

“Supporting our partner community has always been a top priority for us as a business,” said Simon Hansford, CEO of UKCloud. “And with more than 230 like-minded organisations already in the programme and countless successful collaborations to date, we thought it the perfect time to take our partner programme to the next level; ensuring that as a business, partners remain at the heart of everything we do. Our new partner commitments are a great illustration of this renewed focus.”

IT companies looking to break into the UK public sector market need to be familiar with and overcome very specific requirements when it comes to security, assurance, connectivity and commercial governance. UKCloud’s partners are able to take advantage of its industry-leading accreditations and certifications, without needing to dedicate resources to achieving this themselves.

They also benefit from UKCloud’s extensive experience in the public sector, through its work with DVLA, HMRC, the Home Office and MoD to name but a few. “With the digitisation of services ramping up in the public sector as departments look to technology to reduce overheads whilst transforming the end-user experience, there is a growing opportunity in the market and we want to ensure our partners make the most of this potential,” Hansford added. “Our platform has been specifically designed with government policies and requirements in mind and we’re committed to developing it as these demands evolve. Our partners can enjoy the peace of mind that comes with using a trustworthy, reliable, cloud platform, as in turn it strengthens their brand and helps increase their own credibility. We look forward to even further collaboration with our partners, working together as a community to meet the needs of the public sector, both now and in the future”. UKCloud’s hyperscale cloud platform is built to handle government workloads and offers connectivity options to meet different communities’ needs, including PSN, N3 for health and RLI for defence. UKCloud recently announced an expanded range of assured cloud services, including OpenStack and Oracle powered offerings on the latest iteration of the G-Cloud Framework, G-Cloud 8.

The new features and service options provide genuine choice to meet the different requirements of contrasting public sector workloads, which provides UKCloud partners with access to a purpose-built cloud for the UK Public Sector, allowing them to focus on delivering innovative products and services to the UK citizen.

More information can be found at www.ukcloud.com/why-partner

- ends -

About UKCloud

UKCloud is dedicated to the UK Public Sector. We provide assured, agile and value-based true public cloud that enables our customers to deliver enhanced performance through technology. We’re focused on cloud.

Delivering a true cloud platform that is scalable, flexible, assured and cost-effective. We’re open. You are never locked in. Using industry standards and open source software we enable flexibility and choice across multiple cloud solutions. Dedicated to the UK Public Sector. Our business is designed specifically to serve and understand the needs of public sector organisations. We develop communities. We bring together communities of users that are able to share datasets, reuse code, test ideas and solve problems. Customer engagement. We will only be successful if our customers are successful. We embody this in the promise: Easy to adopt.

Easy to use.

Easy to leave. Additional information about UKCloud can be found at www.ukcloud.com or by following us on Twitter at @ukcloudltd UKCloud.

The power behind public sector technology.
Media Contacts
Caitlin Mullally/Charlotte Martin
Finn Partners
+44 (0)20 3217 7060
UKCloudteam@finnpartners.com
Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.10 natives, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release includes bug fixes and enhancements, as well as a new release of OpenSSL that addresses a number of outstanding security flaws. For further information, see the knowledge base article linked to in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108)

* Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

* A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to use an excessive amount of memory and possibly crash. (CVE-2015-3195)

* A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic. (CVE-2015-4000)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106)

* It was discovered that it is possible to remotely Segfault Apache http server with a specially crafted string sent to the mod_cluster via service messages (MCMP). (CVE-2016-3110)

* A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109)

* It was discovered that specifying configuration with a JVMRoute path longer than 80 characters will cause segmentation fault leading to a server crash. (CVE-2016-4459)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2105, and CVE-2016-2106 and Michal Karm Babacek for reporting CVE-2016-3110.

The CVE-2016-4459 issue was discovered by Robert Bost (Red Hat). Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; and Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

JBoss Enterprise Application Platform 6 EL6

SRPMS:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.src.rpm
httpd-2.2.26-54.ep6.el6.src.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.src.rpm
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.src.rpm
mod_jk-1.2.41-2.redhat_4.ep6.el6.src.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.src.rpm

(The unlinked packages above are only available from the Red Hat Network)

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
The OpenSSL project has published a set of security advisories for vulnerabilities resolved in the OpenSSL library in December 2015, March, May, June, August and September 2016.

The following is a summary of these vulnerabilities and their status with respect to Juniper products:

CVE | OpenSSL Severity Rating | Summary

CVE-2016-6309 | Critical | statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.

CVE-2016-0701 | High | The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

CVE-2016-0703 | High | The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

CVE-2016-0800 | High | The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

CVE-2016-2107 | High | The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session, NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

CVE-2016-2108 | High | The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

CVE-2016-6304 | High | Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

CVE-2015-3193 | Moderate | The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.

CVE-2015-3194 | Moderate | crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.

CVE-2015-3195 | Moderate | The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

CVE-2016-0704 | Moderate | An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

CVE-2016-6305 | Moderate | The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call.

CVE-2016-7052 | Moderate | crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.

CVE-2015-1794 | Low | The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.

CVE-2015-3196 | Low | ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.

CVE-2015-3197 | Low | ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

CVE-2016-0702 | Low | The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.

CVE-2016-0705 | Low | Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.

CVE-2016-0797 | Low | Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.

CVE-2016-0798 | Low | Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.

CVE-2016-0799 | Low | The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.

CVE-2016-2105 | Low | Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

CVE-2016-2106 | Low | Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

CVE-2016-2109 | Low | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

CVE-2016-2176 | Low | The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

CVE-2016-2182 | Low | The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVE-2016-6303 Low Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. CVE-2016-2179 Low The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c. CVE-2016-2180 Low The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command. CVE-2016-2181 Low The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c. CVE-2016-6302 Low The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short. CVE-2016-2177 Low OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c. 
CVE-2016-2178 Low The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
CVE-2016-6306 Low The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
CVE-2016-6307 Low The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c.
CVE-2016-6308 Low statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.

CVE-2016-2176 is a vulnerability that only affects EBCDIC systems. No Juniper products are affected by this vulnerability.

Affected Products:

Junos OS: Junos OS is potentially affected by many of these issues. Junos OS is not affected by CVE-2016-0701, CVE-2016-0800, CVE-2016-2107, CVE-2016-2176, CVE-2016-2179, CVE-2016-2181, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

ScreenOS: ScreenOS is potentially affected by many of these issues. ScreenOS is not affected by CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3196, CVE-2015-3197, CVE-2016-0701, CVE-2016-2107, CVE-2016-2109, CVE-2016-2179, CVE-2016-2181, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

Junos Space: Junos Space is potentially affected by many of these issues. Junos Space is not affected by CVE-2015-1794, CVE-2016-0705, CVE-2016-0798, CVE-2016-2176, CVE-2015-3193, CVE-2015-3196, CVE-2016-0701, CVE-2016-2107, CVE-2016-6305, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

NSM: NSM is potentially affected by many of these issues. NSM is not affected by CVE-2015-1794, CVE-2016-0705, CVE-2016-0798, CVE-2016-2176, CVE-2015-3193, CVE-2015-3196, CVE-2016-0701, CVE-2016-2107, CVE-2016-6305, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

Juniper Secure Analytics (JSA, STRM): STRM, JSA series is potentially affected by these issues.

CTPView/CTPOS: CTPView and CTPOS are potentially affected by many of these issues. CTPView and CTPOS are not affected by CVE-2015-1794, CVE-2016-0705, CVE-2016-0798, CVE-2016-2176, CVE-2015-3193, CVE-2015-3196, CVE-2016-0701, CVE-2016-2107, CVE-2016-6305, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

Junos OS:

OpenSSL December 2015 advisory: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 and CVE-2015-1794 are resolved in 12.1X44-D60, 12.1X46-D45, 12.1X46-D51, 12.1X47-D35, 12.3R12, 12.3R13, 12.3X48-D25, 13.2X51-D40, 13.3R9, 14.1R7, 14.1X53-D35, 14.2R6, 15.1F5, 15.1R3, 15.1X49-D40, 15.1X53-D35, 16.1R1 and all subsequent releases (PR 1144520).

OpenSSL March 2016 advisory: CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0703 and CVE-2016-0704 are resolved in 13.3R10*, 14.1R8, 14.1X53-D40*, 14.2R7, 15.1F5-S4, 15.1F6, 15.1R4, 15.1X49-D60, 15.1X53-D50, 16.1R1 and all subsequent releases (PR 1165523, 1165570).

OpenSSL May 2016 advisory: CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-2180 are resolved in 13.3R10*, 14.1R9*, 14.1X53-D40*, 14.2R8*, 15.1F5-S4, 15.1F6-S2, 15.1R4, 15.1X53-D50, 15.1X53-D60, 16.1R1 and all subsequent releases.

Fixes are in progress for other supported Junos releases (PR 1180391).

OpenSSL June to September 2016 advisories: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052 are resolved in 13.3R10*, 14.1R9*, 14.2R8*, 15.1R5*, 16.1R4* and all subsequent releases. Fixes are in progress for other supported Junos releases (PR 1216923).

CVE-2016-2108 was resolved when fixes for OpenSSL Advisories in June and July 2015 were implemented in Junos. At that time the OpenSSL version was upgraded to 1.0.1p in Junos 13.3 and later releases, which included a fix for this issue. Please see JSA10694 for solution releases.

Note: * - These Junos releases are pending release at the time of publication.
Note: While Junos is not affected or impacted by certain CVEs, fixes for those get included with the relevant OpenSSL version upgrade. Hence these are stated as resolved.

ScreenOS: CVE-2015-3195 is resolved in 6.3.0r22. This issue is being tracked as PR 1144749. Please see JSA10733 for further details. The rest of the applicable issues in OpenSSL advisories until May 2016 have been resolved in ScreenOS 6.3.0r23. These issues are being tracked as PRs 1180504 and 1165796. Fixes for issues in OpenSSL advisories from June to September are being tracked as PR 1217005.

Junos Space: OpenSSL software has been upgraded to 1.0.1t in Junos Space 16.1R1 (pending release) to resolve all the issues included in OpenSSL advisories until May 2016. These issues are being tracked as PRs 1144741, 1158268, 1165853, 1180505, 1212590. Fixes for issues in OpenSSL advisories from June to September are being tracked as PR 1216998.

NSM: OpenSSL software has been upgraded to 1.0.2h in NSM 2012.2R13 to resolve all the issues included in OpenSSL advisories until May 2016. This upgrade is being tracked as PR 1198397. Fixes for issues in OpenSSL advisories from June to September are being tracked as PR 1217003.

Juniper Secure Analytics (JSA, STRM): OpenSSL December 2015 and March 2016 advisories: CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794, CVE-2015-3193, CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799 and CVE-2016-0800 have been resolved in 2014.6.R4. A resolution for other issues is pending release. These issues are being tracked as PR 1151137, 1165861.

CTPView: CVE-2015-3194 and CVE-2015-3195 have been resolved in 7.1R3, 7.2R1 and all subsequent releases (PR 1144746). CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0800 have been resolved in 7.1R3, 7.2R2, 7.3R1 and all subsequent releases (PR 1165849).

CTPOS: CVE-2015-3194 and CVE-2015-3195 have been resolved in 7.2R1 and all subsequent releases (PR 1144964). CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0800 have been resolved in 7.0R7, 7.1R3, 7.2R2, 7.3R1 and all subsequent releases (PR 1165847).

Standard security best current practices (control plane firewall filters, edge filtering, access lists, etc.) may protect against any remote malicious attacks.

Junos OS
Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
* Disabling J-Web
* Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes
* Limit access to J-Web and XNM-SSL from only trusted networks

ScreenOS
Methods to reduce the risk associated with this issue include:
* Limit access to SSL ports to only trusted hosts.
* Disabling web administrative services will mitigate the risk of this issue:
    unset int eth0/0 manage web
* Refer to KB6713 for enabling SSH on the firewall.

General Mitigation
It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the HTTPS or SSL/TLS services only from trusted, administrative networks or hosts.
Google Play was recently found to be hosting more than 400 apps that turned infected phones into listening posts that could siphon sensitive data out of the protected networks they connected to, security researchers said Thursday. One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker controlled server.

The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network.

Trend Micro has found 3,000 such apps in all, 400 of which were available through Play. "This malware allows threat actors to infiltrate a user's network environment," Thursday's report stated. "If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard." The report continued: The malware installs a SOCKS proxy on the device, building a general purpose tunnel that can control and give commands to the device.
It can be used to turn devices into bots and build a botnet, which is essentially a network of slave devices that can be used for a variety of schemes like distributed denial-of-service (DDoS) attacks—which have become an increasingly severe problem for organizations worldwide—or spam email campaigns.

The botnet can use the proxied IP addresses also generated by the malware to create fake traffic, disguise ad clicks, and generate revenue for the attackers. Google representatives didn't immediately respond to e-mail seeking comment for this post. Trend Micro's report comes three weeks after researchers from separate security firm Checkpoint said they detected 40 DressCode-infected apps in Google Play. Trend said that only a small portion of each malicious app contained the malicious functions, a feature that makes detection difficult.
In 2012, Google introduced a cloud-based security scanner called Bouncer that scours Play for malicious apps.
Since then, thousands of malicious apps have been detected by researchers.

This raises a question: if outside parties can find them, why can't Google find them first?
Details
An update to Red Hat JBoss Web Server 2.1.1 httpd
Bug 1305580 - httpd supplied jb-ews-2-for-rhel-6-server-rpms deplist is missing apr-util-ldap

Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Updated packages
JBoss Enterprise Web Server v2 EL6

Bugs fixed (see bugzilla for more information)
1305580 - httpd supplied jb-ews-2-for-rhel-6-server-rpms deplist is missing apr-util-ldap

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package
The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/
An update is now available for Red Hat JBoss Enterprise Web Server 2.1 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.1.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.1 Release Notes, linked to in the References section, for information on the most significant of these changes.

All users of Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 6 are advised to upgrade to Red Hat JBoss Web Server 2.1.1. The JBoss server process must be restarted for this update to take effect.

Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106)

* It was discovered that it is possible to remotely Segfault Apache http server with a specially crafted string sent to the mod_cluster via service messages (MCMP). (CVE-2016-3110)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110. Upstream acknowledges Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

After installing the updated packages, the httpd daemon will be restarted automatically.

Refer to the Red Hat JBoss Enterprise Web Server 2.1.1 Release Notes for a list of non security related fixes.

JBoss Enterprise Web Server v2 EL6

1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1337151 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow [jbews-2.1.0]
1337155 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0]
1337396 - EWS 2.1.1 Tracker Bug for EL6
1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
1358118 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]
1366541 - RPM: RHEL6: httpd service is not starting, LD_LIBRARY_PATH needs to be set

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables
Original Release date: 18 Jul 2016 | Last revised: 19 Jul 2016

Overview
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.

Description
CWE-807: Reliance on Untrusted Inputs in a Security Decision, CWE-454: External Initialization of Trusted Variables or Data Stores

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3876, which leads to a name collision: "The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name."

According to the researchers, a web server is vulnerable if:
* A web server, programming language or framework (and in some limited situations the application itself) sets the environmental variable HTTP_PROXY from the user supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environmental variable).
* A web application makes use of HTTP_PROXY or similar variable unsafely (e.g. fails to check the request type) resulting in an attacker controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely).

By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.
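The name collision and the two conditions described above, as an added Python example that is not part of the original advisory. The function names, the sample request and the `configured_proxy` parameter are assumptions made for illustration.

```python
"""httpoxy: the CGI meta-variable naming rule collides with the HTTP_PROXY convention."""

PROXY_ENV = "HTTP_PROXY"  # variable many HTTP clients read to choose an outbound proxy

# Constructed sample request headers; every value here is a placeholder.
SAMPLE_HEADERS = [
    ("Host", "app.example.invalid"),
    ("User-Agent", "sample-client/1.0"),
    # Header names are case-insensitive, so a filter must not match "Proxy" literally.
    ("pRoXy", "http://untrusted.example.invalid:3128"),
]


def meta_variable(header_name):
    """Apply the quoted rule: upper-case, '-' replaced with '_', 'HTTP_' prepended."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(method, headers, strip_proxy_header):
    """Build the environment a CGI gateway hands to a script.

    strip_proxy_header=False models the first condition (the header becomes a variable).
    strip_proxy_header=True models the filtering workaround: the header is dropped
    before conversion, compared by its meta-variable name so case variants match.
    Returns (env, dropped_header_names) so the gateway can log what it removed.
    """
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method}
    dropped = []
    for name, value in headers:
        variable = meta_variable(name)
        if strip_proxy_header and variable == PROXY_ENV:
            dropped.append(name)
            continue
        env[variable] = value
    return env, dropped


def outbound_proxy_naive(env):
    """Second condition: the application trusts HTTP_PROXY unconditionally."""
    return env.get(PROXY_ENV) or None


def outbound_proxy_checked(env, configured_proxy=None):
    """Application-side check of the request type.

    Inside a CGI request (REQUEST_METHOD is set) HTTP_PROXY is request data, not
    configuration, so only an explicitly configured proxy is used. configured_proxy
    is a hypothetical parameter standing in for the application's own settings.
    """
    if "REQUEST_METHOD" in env:
        return configured_proxy
    return env.get(PROXY_ENV) or configured_proxy


def demo():
    """Run the sample request through both gateways and both proxy selectors."""
    vulnerable_env, _ = build_cgi_env("GET", SAMPLE_HEADERS, strip_proxy_header=False)
    filtered_env, dropped = build_cgi_env("GET", SAMPLE_HEADERS, strip_proxy_header=True)
    return {
        "naive_on_vulnerable": outbound_proxy_naive(vulnerable_env),
        "checked_on_vulnerable": outbound_proxy_checked(vulnerable_env),
        "naive_on_filtered": outbound_proxy_naive(filtered_env),
        "dropped_headers": dropped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Either control alone breaks the chain: filtering at the gateway removes the variable, and the request-type check makes the application ignore it if it arrives anyway.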

For more information, refer to httpoxy.org.

Impact

A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.

Solution

Apply an update

Where applicable, affected products and components should be updated to address this vulnerability.

Check with vendors for information about patching. Where patches are unavailable or updating is not an option, consider the following workarounds.

Filter Proxy request headers

The researchers and community have identified several filtering strategies that are product-dependent:

Apache/CGI

In this configuration, any language may be vulnerable (the HTTP_PROXY env var is "real").
If you are using mod_headers, you can unset the "Proxy" header with this directive:

    RequestHeader unset Proxy

If you are using mod_security, you can use a rule like (vary the action to taste):

    SecRuleEngine On
    SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"

Refer to Apache's response for more information.

HAProxy

    http-request del-header Proxy

lighttpd <= 1.4.40 (reject requests containing "Proxy" header)

Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:

    if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

Modify lighttpd.conf to load mod_magnet and run lua code:

    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

lighttpd2 (development) (strip "Proxy" header from request)

Add to lighttpd.conf:

    req_header.remove "Proxy";

Nginx/FastCGI

Use this to block the Proxy header from being passed on to PHP-FPM, PHP-PM, etc.

    fastcgi_param HTTP_PROXY "";

Nginx with proxy_pass

The following setting should work for people who are using "proxy_pass" with nginx:

    proxy_set_header Proxy "";

Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks:

Microsoft IIS Mitigation steps:

Update apphost.config with the following rule:

    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
                    <match url="*.*" />
                    <serverVariables>
                        <set name="HTTP_PROXY" value="" />
                    </serverVariables>
                    <action type="None" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>

Vendor Information

    Vendor                      Status        Date Notified  Date Updated
    Apache HTTP Server Project  Affected      12 Jul 2016    18 Jul 2016
    Go Programming Language     Affected      -              18 Jul 2016
    HAProxy                     Affected      -              13 Jul 2016
    HHVM                        Affected      -              18 Jul 2016
    lighttpd                    Affected      -              19 Jul 2016
    Microsoft Corporation       Affected      12 Jul 2016    13 Jul 2016
    nginx                       Affected      -              13 Jul 2016
    Python                      Affected      -              18 Jul 2016
    The PHP Group               Affected      -              18 Jul 2016
    EfficientIP SAS             Not Affected  12 Jul 2016    12 Jul 2016
    ACCESS                      Unknown       12 Jul 2016    12 Jul 2016
    Alcatel-Lucent              Unknown       12 Jul 2016    12 Jul 2016
    Apple                       Unknown       12 Jul 2016    12 Jul 2016
    Arista Networks, Inc.       Unknown       12 Jul 2016    12 Jul 2016
    ARRIS                       Unknown       12 Jul 2016    12 Jul 2016

CVSS Metrics

    Group          Score  Vector
    Base           5.1    AV:N/AC:H/Au:N/C:P/I:P/A:P
    Temporal       4.6    E:POC/RL:ND/RC:C
    Environmental  1.1    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability. This document was written by Joel Land.