Hi Troy,
On Oct 2, 2009, at 18:39, Troy Dawson wrote:
> Hi Klaus and Stephan,
> Two problems I see with the kernel for 5.3.z
> 1 - Can't find it publicly yet
sadly, that hasn't changed, so it's not actually an option. I stopped
checking for it, and we're rolling out -164.2.1 - so far to some 300
systems (PCs, compute nodes, Xen Servers [with the xen update] and
PVMs, and some fileservers including one serving ~10 TB of pre-5.4 XFS
space). No problems encountered yet. But then we're not using NFSv4.
Cheers,
Stephan
> 2 - It doesn't address the security concern that is with the new
> kernel. It only addresses the security concerns with the original
> 5.4 kernel.
>
> 2.6.18-128.8.1.el5 (5.3.z kernel)
> CVE-2009-2847 CVE-2009-2848
>
> 2.6.18-164.el5 (5.4 original kernel)
> CVE-2009-0745 CVE-2009-0746 CVE-2009-0747
> CVE-2009-0748 CVE-2009-2847 CVE-2009-2848
>
> 2.6.18-164.2.1.el5 (5.4 latest kernel)
> CVE-2009-2849
>
> Are these show stoppers and we shouldn't release the 5.3.z kernel?
> Still up for debate in my opinion.
>
> Troy
>
> Stephan Wiesand wrote:
>> Hi Klaus,
>> On Fri, 2009-10-02 at 14:04 +0200, Klaus Steinberger wrote:
>>> Hi Troy,
>>>
>>> did you notice that there is probably also an errata kernel for 5.3
>> yes, I think that's the one we really want. Alas, I couldn't find the
>> SRPM in a public place yet.
>> Cheers,
>> Stephan
>>> Sincerely,
>>> Klaus
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Dear colleagues,
>>>
>>> we have just received the following Red Hat Security Advisory. We are
>>> passing this information on to you unchanged.
>>>
>>> CVE-2009-2847 - Linux kernel function do_sigaltstack() does not clear
>>> padding data
>>>
>>> On 64-bit architectures, the signal stack data structure contains some
>>> padding bytes. The Linux kernel function do_sigaltstack() does not
>>> clear these when the data structure is returned to the user after the
>>> call. Local attackers can thereby read part of the kernel memory area
>>> and so obtain possibly confidential information.
>>>
>>> CVE-2009-2848 - Flaw in the Linux execve() system call
>>>
>>> Under certain circumstances the "current->clear_child_tid" pointer is
>>> not cleared in the Linux execve() system call, which, when threads are
>>> created and destroyed, leads to data structures in the kernel being
>>> overwritten if the threads are created with the flags
>>> CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID. A local attacker can
>>> exploit this for a denial of service attack.
>>>
>>> The following software packages and platforms are affected:
>>>
>>> Package kernel
>>>
>>> Red Hat Enterprise Linux (v. 5.3.z server) - i386, ia64, noarch, ppc,
>>> s390x, x86_64
>>>
>>>
>>> The vendor provides revised packages.
>>>
>>> Vendor advisory:
>>> https://rhn.redhat.com/errata/RHSA-2009-1466.html
>>>
>>>
>>> (c) of the German summary held by DFN-CERT Services GmbH; distribution,
>>> including in part, is permitted only with attribution to the author,
>>> DFN-CERT Services GmbH, and only for non-commercial purposes.
>>>
>>> With kind regards,
>>> Detlev O. Matthies
>>>
>>> - --
>>>
>>> Detlev O. Matthies, M.Sc. (Incident Response Team)
>>>
>>> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>>> Registered office / register: Hamburg, Hamburg District Court, HRB 88805,
>>> VAT ID: DE 232129737
>>> Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
>>>
>>> Automatic warning messages https://www.cert.dfn.de/autowarn
>>>
>>> - -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> =====================================================================
>>>                    Red Hat Security Advisory
>>>
>>> Synopsis:          Important: kernel security and bug fix update
>>> Advisory ID:       RHSA-2009:1466-01
>>> Product:           Red Hat Enterprise Linux
>>> Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1466.html
>>> Issue date:        2009-09-29
>>> CVE Names:         CVE-2009-2847 CVE-2009-2848
>>> =====================================================================
>>>
>>> 1. Summary:
>>>
>>> Updated kernel packages that fix two security issues and several bugs are
>>> now available for Red Hat Enterprise Linux 5.3 Extended Update Support.
>>>
>>> This update has been rated as having important security impact by the Red
>>> Hat Security Response Team.
>>>
>>> 2. Relevant releases/architectures:
>>>
>>> Red Hat Enterprise Linux (v. 5.3.z server) - i386, ia64, noarch, ppc, s390x, x86_64
>>>
>>> 3. Description:
>>>
>>> The kernel packages contain the Linux kernel, the core of any Linux
>>> operating system.
>>>
>>> This update includes backported fixes for two security issues. These issues
>>> only affected users of Red Hat Enterprise Linux 5.3 Extended Update Support
>>> as they have already been addressed for users of Red Hat Enterprise Linux 5
>>> in the 5.4 update, RHSA-2009:1243.
>>>
>>> In accordance with the support policy, future security updates to Red Hat
>>> Enterprise Linux 5.3 Extended Update Support will only include issues of
>>> critical security impact.
>>>
>>> This update fixes the following security issues:
>>>
>>> * it was discovered that, when executing a new process, the clear_child_tid
>>> pointer in the Linux kernel is not cleared. If this pointer points to a
>>> writable portion of the memory of the new program, the kernel could corrupt
>>> four bytes of memory, possibly leading to a local denial of service or
>>> privilege escalation. (CVE-2009-2848, Important)
>>>
>>> * a flaw was found in the way the do_sigaltstack() function in the Linux
>>> kernel copies the stack_t structure to user-space. On 64-bit machines, this
>>> flaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate)
>>>
>>> This update also fixes the following bugs:
>>>
>>> * a regression was found in the SCSI retry logic: SCSI mode select was not
>>> retried when retryable errors were encountered. In Device-Mapper Multipath
>>> environments, this could cause paths to fail, or possibly prevent
>>> successful failover. (BZ#506905)
>>>
>>> * the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel
>>> build options. This prevents gcc from optimizing out NULL pointer checks
>>> after the first use of a pointer. NULL pointer bugs are often exploited by
>>> attackers, and keeping these checks is considered a safety measure.
>>> (BZ#515468)
>>>
>>> * due to incorrect APIC timer calibration, a system hang could have
>>> occurred while booting certain systems. This incorrect timer calibration
>>> could have also caused the system time to become faster or slower. With
>>> this update, it is still possible for APIC timer calibration issues to
>>> occur; however, a clear warning is now provided if they do. (BZ#521237)
>>>
>>> * gettimeofday() experienced poor performance (which caused performance
>>> problems for applications using gettimeofday()) when running on hypervisors
>>> that use hardware assisted virtualization. With this update, MFENCE/LFENCE
>>> is used instead of CPUID for gettimeofday() serialization, which resolves
>>> this issue. (BZ#523280)
>>>
>>> Users should upgrade to these updated packages, which contain backported
>>> patches to correct these issues. The system must be rebooted for this
>>> update to take effect.
>>>
>>> 4. Solution:
>>>
>>> Before applying this update, make sure that all previously-released
>>> errata relevant to your system have been applied.
>>>
>>> This update is available via Red Hat Network. Details on how to use
>>> the Red Hat Network to apply this update are available at
>>> http://kbase.redhat.com/faq/docs/DOC-11259
>>>
>>> 5. Bugs fixed (http://bugzilla.redhat.com/):
>>>
>>> 506905 - LTC 49790: Sync up SCSI DH code with mainline changes [rhel-5.3.z]
>>> 515392 - CVE-2009-2847 kernel: information leak in sigaltstack
>>> 515423 - CVE-2009-2848 kernel: execve: must clear current->clear_child_tid
>>> 515468 - kernel: build with -fno-delete-null-pointer-checks [rhel-5.3.z]
>>> 521237 - [RHEL 5] Hang on boot due to wrong APIC timer calibration [rhel-5.3.z]
>>> 523280 - RFE: improve gettimeofday performance on hypervisors [rhel-5.3.z]
>>>
>>> 6. Package List:
>>>
>>> Red Hat Enterprise Linux (v. 5.3.z server):
>>>
>>> i386:
>>> kernel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-PAE-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-PAE-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-PAE-devel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.i386.rpm
>>> kernel-xen-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-xen-devel-2.6.18-128.8.1.el5.i686.rpm
>>>
>>> ia64:
>>> kernel-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-xen-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-xen-devel-2.6.18-128.8.1.el5.ia64.rpm
>>>
>>> noarch:
>>> kernel-doc-2.6.18-128.8.1.el5.noarch.rpm
>>>
>>> ppc:
>>> kernel-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.ppc.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-kdump-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-kdump-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-kdump-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>>
>>> s390x:
>>> kernel-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-kdump-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-kdump-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-kdump-devel-2.6.18-128.8.1.el5.s390x.rpm
>>>
>>> x86_64:
>>> kernel-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-xen-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-xen-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>>
>>> These packages are GPG signed by Red Hat for security. Our key and
>>> details on how to verify the signature are available from
>>> https://www.redhat.com/security/team/key/#package
>>>
>>> 7. References:
>>>
>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
>>> http://www.redhat.com/security/updates/classification/#important
>>>
>>> 8. Contact:
>>>
>>> The Red Hat security contact is <[log in to unmask]>. More contact
>>> details at https://www.redhat.com/security/team/contact/
>>>
>
>
> --
> __________________________________________________
> Troy Dawson [log in to unmask] (630)840-6468
> Fermilab ComputingDivision/LCSI/CSI LMSS Group
> __________________________________________________
--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
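
The four-byte leak that the quoted advisory describes for CVE-2009-2847 comes from copying a whole structure, padding included, out of reused memory. The following user-space simulation is an added example, not part of the original thread and not kernel code; `struct demo_stack`, the 0xAA marker and all function names are constructed for illustration, and copying member by member is shown as one general remedy, not as the vendor's patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in with stack_t's member order; on LP64, 4 padding bytes follow ss_flags. */
struct demo_stack { void *ss_sp; int ss_flags; size_t ss_size; };
#define PAD_LEN (offsetof(struct demo_stack, ss_size) - offsetof(struct demo_stack, ss_flags) - sizeof(int))
#define STALE   0xAA  /* constructed marker for leftover "kernel stack" bytes */

union slot { struct demo_stack s; unsigned char raw[sizeof(struct demo_stack)]; };

/* Reuse a stack slot: old bytes are still there, only the members get written. */
static void fill(union slot *k)
{
    memset(k->raw, STALE, sizeof k->raw);  /* whatever was there before */
    k->s.ss_sp = NULL;                     /* member stores skip the padding */
    k->s.ss_flags = 2;                     /* constructed sample value */
    k->s.ss_size = 0;
}

/* Flawed pattern: copy the whole object out, padding included. */
void copy_whole(unsigned char *user)
{
    union slot k;
    fill(&k);
    memcpy(user, k.raw, sizeof k.raw);
}

/* Remedy: copy member by member, so padding bytes never leave the slot. */
void copy_members(unsigned char *user)
{
    union slot k;
    fill(&k);
    memcpy(user + offsetof(struct demo_stack, ss_sp), &k.s.ss_sp, sizeof k.s.ss_sp);
    memcpy(user + offsetof(struct demo_stack, ss_flags), &k.s.ss_flags, sizeof k.s.ss_flags);
    memcpy(user + offsetof(struct demo_stack, ss_size), &k.s.ss_size, sizeof k.s.ss_size);
}

/* Count stale bytes that reached the caller's zeroed buffer. */
size_t leaked_bytes(void (*copy)(unsigned char *))
{
    unsigned char user[sizeof(struct demo_stack)] = {0};
    size_t n = 0, i;
    copy(user);
    for (i = 0; i < sizeof user; i++) n += (user[i] == STALE);
    return n;
}

int main(void)
{
    return printf("whole: %zu, by member: %zu\n", leaked_bytes(copy_whole), leaked_bytes(copy_members)) < 0;
}
```

On a target without padding between `ss_flags` and `ss_size` (for example 32-bit x86) both counts are zero, which matches the advisory's restriction to 64-bit machines.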