Date: Thu, 6 Nov 2008 11:30:47 -0600
Reply-To: Troy Dawson
Sender: Security Errata for Scientific Linux
From: Troy Dawson
Subject: Security ERRATA for kernel on SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"

Synopsis: Important: kernel security and bug fix update
Issue date: 2008-11-04
CVE Names: CVE-2006-5755 CVE-2007-5907 CVE-2008-2372 CVE-2008-3276 CVE-2008-3527 CVE-2008-3833 CVE-2008-4210 CVE-2008-4302

* the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important)

* Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important)

* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important)

* a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important)

* a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low)

* a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low)

* an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low)

In addition, these updated packages fix the following bugs:

* random32() seeding has been improved.

* in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash.

* a format string was omitted in the call to the request_module() function.

* a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected.

* the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic().

* a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated.

* in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures.

* some of the newer Nehalem-based systems declare their CPU DSDT entries as type "Alias". During boot, this caused an "Error attaching device data" message to be logged.

* the evtchn event channel device lacked locks and memory barriers. This has led to xenstore becoming unresponsive on the Itanium® architecture.

* sending of gratuitous ARP packets in the Xen frontend network driver is now delayed until the backend signals that its carrier status has been processed by the stack.

* on forcedeth devices, whenever setting ethtool parameters for link speed, the device could stop receiving interrupts.

* the CIFS 'forcedirectio' option did not allow text to be appended to files.

* the gettimeofday() function returned a backwards time on Intel® 64.

* residual-count corrections during UNDERRUN handling were added to the qla2xxx driver.
* the fix for a small quirk was removed for certain Adaptec controllers for which it caused problems.

* the "xm trigger init" command caused a domain panic if a userland application was running on a guest on the Intel® 64 architecture.

SL 5.x

SRPMS:
  kernel-2.6.18-92.1.17.el5.src.rpm

i386:
  kernel-2.6.18-92.1.17.el5.i686.rpm
  kernel-debug-2.6.18-92.1.17.el5.i686.rpm
  kernel-debug-devel-2.6.18-92.1.17.el5.i686.rpm
  kernel-devel-2.6.18-92.1.17.el5.i686.rpm
  kernel-doc-2.6.18-92.1.17.el5.noarch.rpm
  kernel-headers-2.6.18-92.1.17.el5.i386.rpm
  kernel-PAE-2.6.18-92.1.17.el5.i686.rpm
  kernel-PAE-devel-2.6.18-92.1.17.el5.i686.rpm
  kernel-xen-2.6.18-92.1.17.el5.i686.rpm
  kernel-xen-devel-2.6.18-92.1.17.el5.i686.rpm
Dependencies:
  kernel-module-fuse-2.6.18-92.1.17.el5-2.6.3-1.sl5.i686.rpm
  kernel-module-fuse-2.6.18-92.1.17.el5PAE-2.6.3-1.sl5.i686.rpm
  kernel-module-fuse-2.6.18-92.1.17.el5xen-2.6.3-1.sl5.i686.rpm
  kernel-module-ipw3945-2.6.18-92.1.17.el5-1.2.0-2.sl5.i686.rpm
  kernel-module-ipw3945-2.6.18-92.1.17.el5PAE-1.2.0-2.sl5.i686.rpm
  kernel-module-ipw3945-2.6.18-92.1.17.el5xen-1.2.0-2.sl5.i686.rpm
  kernel-module-madwifi-2.6.18-92.1.17.el5-0.9.4-15.sl5.i686.rpm
  kernel-module-madwifi-2.6.18-92.1.17.el5PAE-0.9.4-15.sl5.i686.rpm
  kernel-module-madwifi-2.6.18-92.1.17.el5xen-0.9.4-15.sl5.i686.rpm
  kernel-module-madwifi-hal-2.6.18-92.1.17.el5-0.9.4-15.sl5.i686.rpm
  kernel-module-madwifi-hal-2.6.18-92.1.17.el5PAE-0.9.4-15.sl5.i686.rpm
  kernel-module-madwifi-hal-2.6.18-92.1.17.el5xen-0.9.4-15.sl5.i686.rpm
  kernel-module-ndiswrapper-2.6.18-92.1.17.el5-1.53-1.SL.i686.rpm
  kernel-module-ndiswrapper-2.6.18-92.1.17.el5PAE-1.53-1.SL.i686.rpm
  kernel-module-ndiswrapper-2.6.18-92.1.17.el5xen-1.53-1.SL.i686.rpm
  kernel-module-openafs-2.6.18-92.1.17.el5-1.4.7-68.SL5.i686.rpm
  kernel-module-openafs-2.6.18-92.1.17.el5PAE-1.4.7-68.SL5.i686.rpm
  kernel-module-openafs-2.6.18-92.1.17.el5xen-1.4.7-68.SL5.i686.rpm
  kernel-module-xfs-2.6.18-92.1.17.el5-0.4-1.sl5.i686.rpm
  kernel-module-xfs-2.6.18-92.1.17.el5PAE-0.4-1.sl5.i686.rpm
  kernel-module-xfs-2.6.18-92.1.17.el5xen-0.4-1.sl5.i686.rpm

x86_64:
  kernel-2.6.18-92.1.17.el5.x86_64.rpm
  kernel-debug-2.6.18-92.1.17.el5.x86_64.rpm
  kernel-debug-devel-2.6.18-92.1.17.el5.x86_64.rpm
  kernel-devel-2.6.18-92.1.17.el5.x86_64.rpm
  kernel-doc-2.6.18-92.1.17.el5.noarch.rpm
  kernel-headers-2.6.18-92.1.17.el5.x86_64.rpm
  kernel-xen-2.6.18-92.1.17.el5.x86_64.rpm
  kernel-xen-devel-2.6.18-92.1.17.el5.x86_64.rpm
Dependencies:
  kernel-module-fuse-2.6.18-92.1.17.el5-2.6.3-1.sl5.x86_64.rpm
  kernel-module-fuse-2.6.18-92.1.17.el5xen-2.6.3-1.sl5.x86_64.rpm
  kernel-module-ipw3945-2.6.18-92.1.17.el5-1.2.0-2.sl5.x86_64.rpm
  kernel-module-ipw3945-2.6.18-92.1.17.el5xen-1.2.0-2.sl5.x86_64.rpm
  kernel-module-madwifi-2.6.18-92.1.17.el5-0.9.4-15.sl5.x86_64.rpm
  kernel-module-madwifi-2.6.18-92.1.17.el5xen-0.9.4-15.sl5.x86_64.rpm
  kernel-module-madwifi-hal-2.6.18-92.1.17.el5-0.9.4-15.sl5.x86_64.rpm
  kernel-module-madwifi-hal-2.6.18-92.1.17.el5xen-0.9.4-15.sl5.x86_64.rpm
  kernel-module-ndiswrapper-2.6.18-92.1.17.el5-1.53-1.SL.x86_64.rpm
  kernel-module-ndiswrapper-2.6.18-92.1.17.el5xen-1.53-1.SL.x86_64.rpm
  kernel-module-openafs-2.6.18-92.1.17.el5-1.4.7-68.SL5.x86_64.rpm
  kernel-module-openafs-2.6.18-92.1.17.el5xen-1.4.7-68.SL5.x86_64.rpm
  kernel-module-xfs-2.6.18-92.1.17.el5-0.4-1.sl5.x86_64.rpm
  kernel-module-xfs-2.6.18-92.1.17.el5xen-0.4-1.sl5.x86_64.rpm

-Connie Sieh
-Troy Dawson
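
A way to check whether a host is running a kernel at or above the fixed release named in this erratum (an added example, not part of the original message). The function names are hypothetical, the sample releases are constructed, and the comparison covers only the numeric version-release fields of el5 kernels, not full RPM version ordering.

```shell
#!/bin/sh
# Added example: compare an el5 kernel release against the fixed release.
FIXED_RELEASE="2.6.18-92.1.17.el5"   # from the package list in this erratum

# Print the numeric fields of an el5 release, dropping the dist tag and any
# variant suffix (el5, el5PAE, el5xen). Fails for anything that is not el5.
release_fields() {
    case "$1" in
        *.el5*) ;;
        *) return 1 ;;
    esac
    r=${1%%.el5*}
    case "$r" in
        *[!0-9.-]*|"") return 1 ;;
    esac
    echo "$r" | tr '.-' '  '
}

# Return 0 if release $1 >= release $2, 1 if older, 2 if either is not el5.
release_at_least() {
    a=$(release_fields "$1") || return 2
    b=$(release_fields "$2") || return 2
    set -- $a                       # positional parameters: fields of $1
    for y in $b; do
        x=${1:-0}                   # a missing field counts as 0
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Map the comparison result to a one-word verdict.
verdict() {
    rc=0
    release_at_least "$1" "$FIXED_RELEASE" || rc=$?
    case "$rc" in
        0) echo "patched" ;;
        1) echo "needs-update" ;;
        *) echo "not-el5" ;;
    esac
}

# Constructed sample releases, followed by the running kernel.
for rel in 2.6.18-92.1.13.el5 2.6.18-92.1.17.el5PAE 2.6.18-128.el5xen "$(uname -r)"; do
    printf '%-28s %s\n' "$rel" "$(verdict "$rel")"
done
```

The running kernel only changes after a reboot into the updated package, so a host with the new RPMs installed can still report needs-update here.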