SCIENTIFIC-LINUX-USERS Archives

October 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Stephan Wiesand <[log in to unmask]>
Reply To: Stephan Wiesand <[log in to unmask]>
Date: Fri, 9 Oct 2009 18:23:33 +0200

Hi Troy,

On Oct 2, 2009, at 18:39, Troy Dawson wrote:

> Hi Klaus and Stephan,
> Two problems I see with the kernel for 5.3.z
> 1 - Can't find it publicly yet

sadly, that hasn't changed, so it's not actually an option. I stopped  
checking for it, and we're rolling out -164.2.1 - so far to some 300  
systems (PCs, compute nodes, Xen Servers [with the xen update] and  
PVMs, and some fileservers including one serving ~10 TB of pre-5.4 XFS  
space). No problems encountered yet. But then we're not using NFSv4.

Cheers,
	Stephan

> 2 - It doesn't address the security concern that is with the new  
> kernel.  It only addresses the security concerns with the original  
> 5.4 kernel.
>
> 2.6.18-128.8.1.el5 (5.3.z kernel)
> CVE-2009-2847 CVE-2009-2848
>
> 2.6.18-164.el5 (5.4 original kernel)
> CVE-2009-0745 CVE-2009-0746 CVE-2009-0747
> CVE-2009-0748 CVE-2009-2847 CVE-2009-2848
>
> 2.6.18-164.2.1.el5 (5.4 latest kernel)
> CVE-2009-2849
>
> Are these show stoppers and we shouldn't release the 5.3.z kernel?
> Still up for debate in my opinion.
>
> Troy
>
> Stephan Wiesand wrote:
>> Hi Klaus,
>> On Fri, 2009-10-02 at 14:04 +0200, Klaus Steinberger wrote:
>>> Hi Troy,
>>>
>>> did you notice that there is probably also an errata kernel for 5.3
>> yes, I think that's the one we really want. Alas, I couldn't find the
>> SRPM in a public place yet.
>> Cheers,
>> 	Stephan
>>> Sincerely,
>>> Klaus
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Dear colleagues,
>>>
>>> we have just received the following Red Hat Security Advisory. We are
>>> passing this information on to you unchanged.
>>>
>>> CVE-2009-2847 - Linux kernel function do_sigaltstack() does not clear
>>> padding data
>>>
>>>   On 64-bit architectures, the signal stack data structure contains
>>>   some padding bytes. The Linux kernel function do_sigaltstack() does
>>>   not clear these when the data structure is returned to the user
>>>   after the call. Local attackers can thereby read part of the kernel
>>>   memory area and so obtain possibly confidential information.
>>>
>>> CVE-2009-2848 - Flaw in the Linux execve() system call
>>>
>>>   Under certain circumstances, the Linux execve() system call does not
>>>   clear the "current->clear_child_tid" pointer, which, when threads
>>>   are created and deleted, leads to data structures in the kernel
>>>   being overwritten if the threads are created with the flags
>>>   CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID. A local attacker can
>>>   exploit this for a denial of service attack.
>>>
>>> The following software packages and platforms are affected:
>>>
>>>   Package kernel
>>>
>>>   Red Hat Enterprise Linux (v. 5.3.z server) - i386, ia64, noarch, ppc,
>>>   s390x, x86_64
>>>
>>>
>>> The vendor provides updated packages.
>>>
>>> Vendor advisory:
>>>   https://rhn.redhat.com/errata/RHSA-2009-1466.html
>>>
>>>
>>> (c) of the German summary held by DFN-CERT Services GmbH; distribution,
>>> including in excerpts, is permitted only with reference to the
>>> originator, DFN-CERT Services GmbH, and only for non-commercial
>>> purposes.
>>>
>>> Kind regards,
>>>         Detlev O. Matthies
>>>
>>> - --
>>>
>>> Detlev O. Matthies, M.Sc. (Incident Response Team)
>>>
>>> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone  +49 40 808077-555
>>> Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
>>> Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
>>>
>>> Automatic warning messages               https://www.cert.dfn.de/autowarn
>>>
>>> - -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> =====================================================================
>>>                    Red Hat Security Advisory
>>>
>>> Synopsis:          Important: kernel security and bug fix update
>>> Advisory ID:       RHSA-2009:1466-01
>>> Product:           Red Hat Enterprise Linux
>>> Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1466.html
>>> Issue date:        2009-09-29
>>> CVE Names:         CVE-2009-2847 CVE-2009-2848
>>> =====================================================================
>>>
>>> 1. Summary:
>>>
>>> Updated kernel packages that fix two security issues and several bugs are
>>> now available for Red Hat Enterprise Linux 5.3 Extended Update Support.
>>>
>>> This update has been rated as having important security impact by the Red
>>> Hat Security Response Team.
>>>
>>> 2. Relevant releases/architectures:
>>>
>>> Red Hat Enterprise Linux (v. 5.3.z server) - i386, ia64, noarch, ppc, s390x, x86_64
>>>
>>> 3. Description:
>>>
>>> The kernel packages contain the Linux kernel, the core of any Linux
>>> operating system.
>>>
>>> This update includes backported fixes for two security issues. These issues
>>> only affected users of Red Hat Enterprise Linux 5.3 Extended Update Support
>>> as they have already been addressed for users of Red Hat Enterprise Linux 5
>>> in the 5.4 update, RHSA-2009:1243.
>>>
>>> In accordance with the support policy, future security updates to Red Hat
>>> Enterprise Linux 5.3 Extended Update Support will only include issues of
>>> critical security impact.
>>>
>>> This update fixes the following security issues:
>>>
>>> * it was discovered that, when executing a new process, the clear_child_tid
>>> pointer in the Linux kernel is not cleared. If this pointer points to a
>>> writable portion of the memory of the new program, the kernel could corrupt
>>> four bytes of memory, possibly leading to a local denial of service or
>>> privilege escalation. (CVE-2009-2848, Important)
>>>
>>> * a flaw was found in the way the do_sigaltstack() function in the Linux
>>> kernel copies the stack_t structure to user-space. On 64-bit machines, this
>>> flaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate)
>>>
>>> This update also fixes the following bugs:
>>>
>>> * a regression was found in the SCSI retry logic: SCSI mode select was not
>>> retried when retryable errors were encountered. In Device-Mapper Multipath
>>> environments, this could cause paths to fail, or possibly prevent
>>> successful failover. (BZ#506905)
>>>
>>> * the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel
>>> build options. This prevents gcc from optimizing out NULL pointer checks
>>> after the first use of a pointer. NULL pointer bugs are often exploited by
>>> attackers, and keeping these checks is considered a safety measure.
>>> (BZ#515468)
>>>
>>> * due to incorrect APIC timer calibration, a system hang could have
>>> occurred while booting certain systems. This incorrect timer calibration
>>> could have also caused the system time to become faster or slower. With
>>> this update, it is still possible for APIC timer calibration issues to
>>> occur; however, a clear warning is now provided if they do. (BZ#521237)
>>>
>>> * gettimeofday() experienced poor performance (which caused performance
>>> problems for applications using gettimeofday()) when running on hypervisors
>>> that use hardware assisted virtualization. With this update, MFENCE/LFENCE
>>> is used instead of CPUID for gettimeofday() serialization, which resolves
>>> this issue. (BZ#523280)
>>>
>>> Users should upgrade to these updated packages, which contain backported
>>> patches to correct these issues. The system must be rebooted for this
>>> update to take effect.
>>>
>>> 4. Solution:
>>>
>>> Before applying this update, make sure that all previously-released
>>> errata relevant to your system have been applied.
>>>
>>> This update is available via Red Hat Network.  Details on how to use
>>> the Red Hat Network to apply this update are available at
>>> http://kbase.redhat.com/faq/docs/DOC-11259
>>>
>>> 5. Bugs fixed (http://bugzilla.redhat.com/):
>>>
>>> 506905 - LTC 49790: Sync up SCSI DH code with mainline changes [rhel-5.3.z]
>>> 515392 - CVE-2009-2847 kernel: information leak in sigaltstack
>>> 515423 - CVE-2009-2848 kernel: execve: must clear current->clear_child_tid
>>> 515468 - kernel: build with -fno-delete-null-pointer-checks [rhel-5.3.z]
>>> 521237 - [RHEL 5] Hang on boot due to wrong APIC timer calibration [rhel-5.3.z]
>>> 523280 - RFE: improve gettimeofday performance on hypervisors [rhel-5.3.z]
>>>
>>> 6. Package List:
>>>
>>> Red Hat Enterprise Linux (v. 5.3.z server):
>>>
>>> i386:
>>> kernel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-PAE-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-PAE-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-PAE-devel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.i386.rpm
>>> kernel-xen-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-xen-devel-2.6.18-128.8.1.el5.i686.rpm
>>>
>>> ia64:
>>> kernel-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-xen-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-xen-devel-2.6.18-128.8.1.el5.ia64.rpm
>>>
>>> noarch:
>>> kernel-doc-2.6.18-128.8.1.el5.noarch.rpm
>>>
>>> ppc:
>>> kernel-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.ppc.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-kdump-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-kdump-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-kdump-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>>
>>> s390x:
>>> kernel-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-kdump-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-kdump-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-kdump-devel-2.6.18-128.8.1.el5.s390x.rpm
>>>
>>> x86_64:
>>> kernel-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-xen-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-xen-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>>
>>> These packages are GPG signed by Red Hat for security.  Our key and
>>> details on how to verify the signature are available from
>>> https://www.redhat.com/security/team/key/#package
>>>
>>> 7. References:
>>>
>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
>>> http://www.redhat.com/security/updates/classification/#important
>>>
>>> 8. Contact:
>>>
>>> The Red Hat security contact is <[log in to unmask]>.  More contact
>>> details at https://www.redhat.com/security/team/contact/
>>>
>
>
> -- 
> __________________________________________________
> Troy Dawson  [log in to unmask]  (630)840-6468
> Fermilab  ComputingDivision/LCSI/CSI LMSS Group
> __________________________________________________

-- 
Stephan Wiesand
   DESY - DV -
   Platanenallee 6
   15738 Zeuthen, Germany
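
Added example (not part of the original message, the Red Hat advisory, or kernel source): a user-space C model of the four-byte padding leak the quoted advisory describes for CVE-2009-2847, next to the clear-before-fill pattern that closes it. struct demo_stack, STALE and the function names are constructed for illustration; only the member order follows stack_t.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model with the member order of Linux's stack_t. On LP64 the
 * compiler inserts 4 padding bytes between ss_flags and ss_size. */
struct demo_stack {
    void  *ss_sp;
    int    ss_flags;
    size_t ss_size;
};

#define STALE 0xAA  /* stands in for leftover data in a reused stack slot */
#define PAD_OFF (offsetof(struct demo_stack, ss_flags) + sizeof(int))

/* Number of padding bytes after ss_flags. */
size_t padding_len(void) { return offsetof(struct demo_stack, ss_size) - PAD_OFF; }

/* Build the reply member by member (sample values). zero_first=0 is the
 * flawed pattern (padding never written); zero_first=1 clears it first. */
static void fill_reply(struct demo_stack *out, int zero_first)
{
    if (zero_first)
        memset(out, 0, sizeof(*out));
    out->ss_sp = NULL;
    out->ss_flags = 2;
    out->ss_size = 8192;
}

/* Copy the whole struct out, as a whole-object copy to user space would,
 * and count how many stale bytes the receiver can see in the padding. */
size_t stale_bytes_exposed(int zero_first)
{
    struct demo_stack reply;
    unsigned char user[sizeof(reply)];
    size_t i, n = 0;

    memset(&reply, STALE, sizeof(reply));  /* simulate a dirty stack slot */
    fill_reply(&reply, zero_first);
    memcpy(user, &reply, sizeof(user));
    for (i = 0; i < padding_len(); i++)
        n += (user[PAD_OFF + i] == STALE);
    return n;
}

int main(void)
{
    printf("padding=%zu flawed=%zu cleared=%zu\n", padding_len(), stale_bytes_exposed(0), stale_bytes_exposed(1));
    return 0;
}
```

On a 32-bit build the struct has no padding and both counts are zero, which matches the advisory's statement that only 64-bit machines are affected.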
