- Update to pcp-3.6.5.
+ Fixes for security advisory CVE-2012-3418; (bnc#775009).
o Add field validation to PCP instance PDU (Red Hat #841240)
o Fix __pmDecodeInstanceReq heap buffer overflow (Red Hat #841284)
o Fix __pmDecodeText heap overflow (Red Hat #841249)
o Multiple issues in result PDU decoding (Red Hat #841159)
o Fix __pmDecodeNameReq buffer overflow (Red Hat #841180)
o Add length checks to __pmDecodeLogControl (Red Hat #841290)
o Add size check to __pmDecodeIDList (Red Hat #841112)
o Fix __pmDecodeNameList buffer overflow (Red Hat #840920)
o Add missing __pmDecodeFetch namelen checks (Red Hat #841183)
o Add length checks to __pmDecodeProfile (Red Hat #841126)
o Add length checks to __pmDecodeCreds (Red Hat #840822)
+ Workaround for security advisory CVE-2012-3419; (bnc#775010).
o Split the Linux kernel and proc PMDAs to prevent information
leakage in default installs - esp. /proc/pid/maps exposure,
but other proc metrics as well - and no longer export process
metrics by default (Red Hat #841702)
+ Fixes for security advisory CVE-2012-3420; (bnc#775011).
o Memory leak in pmcd DoFetch error path (Red Hat #841298)
o Memory leak in __pmGetPDU in-band signalling (Red Hat #841319)
+ Fixes for security advisory CVE-2012-3421; (bnc#775013).
o Resolve event-driven programming flaw in pmcd (Red Hat #841706)
+ Correct buffer unpinning logic in a PMNS traversal error path
o Red Hat bugzilla bug #847314.
+ All of the above issues were identified by Florian Weimer of the
Red Hat Security Team, who also assisted extensively in fixing
and testing; a huge thank you to Florian from all PCP developers
and users!
+ Add modern gcc/glibc security protection mechanisms where