SCIENTIFIC-LINUX-ERRATA Archives

January 2010

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Thu, 21 Jan 2010 11:50:10 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (239 lines)
Synopsis:	Important: kernel security and bug fix update
Issue date:	2010-01-19
CVE Names:	CVE-2006-6304 CVE-2009-2910 CVE-2009-3080
                 CVE-2009-3556 CVE-2009-3889 CVE-2009-3939
                 CVE-2009-4020 CVE-2009-4021 CVE-2009-4138
                 CVE-2009-4141 CVE-2009-4272

Security fixes:

* an array index error was found in the gdth driver. A local user could
send a specially-crafted IOCTL request that would cause a denial of 
service or, possibly, privilege escalation. (CVE-2009-3080, Important)

* a flaw was found in the FUSE implementation. When a system is low on
memory, fuse_put_request() could dereference an invalid pointer, 
possibly leading to a local denial of service or privilege escalation.
(CVE-2009-4021, Important)

* Tavis Ormandy discovered a deficiency in the fasync_helper()
implementation. This could allow a local, unprivileged user to leverage 
a use-after-free of locked, asynchronous file descriptors to cause a 
denial of service or privilege escalation. (CVE-2009-4141, Important)

* the Parallels Virtuozzo Containers team reported the RHSA-2009:1243
update introduced two flaws in the routing implementation. If an 
attacker was able to cause a large enough number of collisions in the 
routing hash table (via specially-crafted packets) for the emergency 
route flush to trigger, a deadlock could occur. Secondly, if the kernel 
routing cache was disabled, an uninitialized pointer would be left 
behind after a route lookup, leading to a kernel panic. (CVE-2009-4272, 
Important)

* the RHSA-2009:0225 update introduced a rewrite attack flaw in the
do_coredump() function. A local attacker able to guess the file name a
process is going to dump its core to, prior to the process crashing, 
could use this flaw to append data to the dumped core file. This issue 
only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 
(the default value is 0). (CVE-2006-6304, Moderate)

The fix for CVE-2006-6304 changes the expected behavior: With 
suid_dumpable set to 2, the core file will not be recorded if the file 
already exists. For example, core files will not be overwritten on 
subsequent crashes of processes whose core files map to the same name.

* an information leak was found in the Linux kernel. On AMD64 systems,
32-bit processes could access and read certain 64-bit registers by
temporarily switching themselves to 64-bit mode. (CVE-2009-2910, Moderate)

* the RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV)
support in the qla2xxx driver, resulting in two new sysfs pseudo files,
"/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete".
These two files were world-writable by default, allowing a local user to
change SCSI host attributes. This flaw only affects systems using the
qla2xxx driver and NPIV capable hardware. (CVE-2009-3556, Moderate)

* permission issues were found in the megaraid_sas driver. The "dbg_lvl"
and "poll_mode_io" files on the sysfs file system ("/sys/") had
world-writable permissions. This could allow local, unprivileged users 
to change the behavior of the driver. (CVE-2009-3889, CVE-2009-3939, 
Moderate)

* a NULL pointer dereference flaw was found in the firewire-ohci driver
used for OHCI compliant IEEE 1394 controllers. A local, unprivileged 
user with access to /dev/fw* files could issue certain IOCTL calls, 
causing a denial of service or privilege escalation. The FireWire 
modules are blacklisted by default, and if enabled, only root has access 
to the files noted above by default. (CVE-2009-4138, Moderate)

* a buffer overflow flaw was found in the hfs_bnode_read() function in 
the HFS file system implementation. This could lead to a denial of 
service if a user browsed a specially-crafted HFS file system, for 
example, by running "ls". (CVE-2009-4020, Low)

Bug fixes:

* In rare cases, a system management interrupt (SMI) could occur during 
CPU frequency calibration (during boot), resulting in the frequency 
being calculated to a value larger than the CPU's specification. This 
could have resulted in timer values being miscalculated and firing at 
incorrect times. Note: This fix is optional. To enable the fix, the 
system must be booted with the avoid_smi kernel parameter.

* In certain situations, a bug found in either the HTB or TBF network 
packet schedulers in the Linux kernel could have caused a kernel panic 
when using Broadcom network cards with the bnx2 driver.

* A KVM pvclock fix in the kernel-2.6.18-164.2.1.el5 update introduced a 
bug: Some SMP guest operating systems experienced time drift. This could 
cause problems for time-sensitive applications.

* In certain situations, kdump occasionally dumped a vmcore file with no 
registers on Intel Itanium systems that were under high disk I/O load. 
In these cases, this prevented the kernel stack backtrace in the vmcore 
from being viewed with the crash utility.

* In certain situations, when using IP over InfiniBand and network 
interface bonding, a bug in the ipoib driver in the Linux kernel caused 
problems, such as packet loss and not being able to communicate with 
some hosts. Restarting the network service via "service network restart"
temporarily resolved this issue. This update resolves this bug, and 
using IP over InfiniBand and network interface bonding now works as 
expected.

* A glock reference counting bug in GFS2 has been fixed. When the glock 
memory shrinker ran while the system was under heavy memory pressure, 
the system could crash or experience very poor performance.

* Previously, when using GFS2, if two nodes concurrently updated the 
same file, each node would overwrite the other node's data, as the file 
position for such a file was not being updated correctly. This issue 
only occurred when using open() with the O_APPEND flag, and then issuing 
a write() without first performing another operation on the inode, such 
as stat() or read().

* Running "time ifconfig ethx up" on a network interface that was under 
heavy load may have triggered a soft lockup ("BUG: soft lockup"). This 
could have possibly caused cluster nodes to be fenced.

* A logic error in the Linux kernel memory management could have caused 
a "BUG: sleeping function called from invalid context" message on some 
systems when running certain backup software or performing an LVM 
snapshot, while at the same time performing a copy-on-write (COW) of a 
file page.

* Detection of AMD multi-node processors could have confused 
Hardware-assisted virtual machine (HVM) guests and caused a crash on 
boot during identify_cpu(). This update ensures the topology information 
is not used by virtual machines.

* A bug in the lpfc driver intermittently caused ports on an Emulex 
Fibre Channel Host Bus Adapter (HBA) to be offlined during target 
controller faults.

* Previously, if an administrator set 
/proc/sys/net/ipv4/route/secret_interval to 0, and then attempted to 
change the value by echoing a non-zero value to the file, the 
administrator's shell would hang. This bug could have also possibly sent 
other processes into an uninterruptible sleep state, and was introduced 
in the kernel-2.6.18-164.el5 update.

* Under some circumstances, a locking bug could have caused an online 
ext3 file system resize to deadlock, which may have, in turn, caused the 
file system or the entire system to become unresponsive. In either case, 
a reboot was required after the deadlock. With this update, using 
resize2fs to perform an online resize of an ext3 file system works as 
expected.

* On Scientific Linux 5.4 guests using KVM pvclock, calling the 
clock_gettime(CLOCK_REALTIME) and gettimeofday() functions in sequence 
could have, in rare cases, caused clock_gettime() to return a smaller 
value than gettimeofday(). If the sequence was reversed, gettimeofday() 
could return a smaller value than clock_gettime(CLOCK_REALTIME). This 
could cause applications to hang and use large amounts of CPU (up to 
100%), or cause problems for applications that depend on timestamps to 
order events. Note: This update only resolves this issue for Intel 64 
and AMD64 systems. The issue can still present on i386 systems.

The system must be rebooted for this update to take effect.

Note1: Due to the fuse kernel module now being part of the kernel, we
are updating fuse on the older releases to match the fuse that was
released by The Upstream Vendor.

Note2: xfs is now part of the kernel in x86_64.  Because of this there
is no kernel-module-xfs for x86_64.

Note3: ipw3945 support has been changed to iwlwifi3945 in SL 54, and is
in the kernel.  Because of this there is no kernel-module-ipw3945 for SL54.

Note4: Support for the Atheros chipset is now in the kernel.  We are not
sure if the infrastructure is in place for SL 50-53, so we are still
providing the madwifi kernel modules for SL 50-53.

SL 5.x

     SRPMS:
kernel-2.6.18-164.11.1.el5.src.rpm
     i386:
kernel-2.6.18-164.11.1.el5.i686.rpm
kernel-debug-2.6.18-164.11.1.el5.i686.rpm
kernel-debug-devel-2.6.18-164.11.1.el5.i686.rpm
kernel-devel-2.6.18-164.11.1.el5.i686.rpm
kernel-doc-2.6.18-164.11.1.el5.noarch.rpm
kernel-headers-2.6.18-164.11.1.el5.i386.rpm
kernel-PAE-2.6.18-164.11.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-164.11.1.el5.i686.rpm
kernel-xen-2.6.18-164.11.1.el5.i686.rpm
kernel-xen-devel-2.6.18-164.11.1.el5.i686.rpm
   Dependencies:
kernel-module-aufs-2.6.18-164.11.1.el5-0.20090202.cvs-6.sl5.i686.rpm
kernel-module-aufs-2.6.18-164.11.1.el5PAE-0.20090202.cvs-6.sl5.i686.rpm
kernel-module-aufs-2.6.18-164.11.1.el5xen-0.20090202.cvs-6.sl5.i686.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5-1.55-1.SL.i686.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5PAE-1.55-1.SL.i686.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5xen-1.55-1.SL.i686.rpm
kernel-module-openafs-2.6.18-164.11.1.el5-1.4.11-76.sl5.i686.rpm
kernel-module-openafs-2.6.18-164.11.1.el5PAE-1.4.11-76.sl5.i686.rpm
kernel-module-openafs-2.6.18-164.11.1.el5xen-1.4.11-76.sl5.i686.rpm
kernel-module-xfs-2.6.18-164.11.1.el5-0.4-2.sl5.i686.rpm
kernel-module-xfs-2.6.18-164.11.1.el5PAE-0.4-2.sl5.i686.rpm
kernel-module-xfs-2.6.18-164.11.1.el5xen-0.4-2.sl5.i686.rpm
   Dependencies for SL50,51,52,53:
kernel-module-ipw3945-2.6.18-164.11.1.el5-1.2.0-2.sl5.i686.rpm
kernel-module-ipw3945-2.6.18-164.11.1.el5PAE-1.2.0-2.sl5.i686.rpm
kernel-module-ipw3945-2.6.18-164.11.1.el5xen-1.2.0-2.sl5.i686.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5PAE-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5PAE-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.i686.rpm

     x86_64:
kernel-2.6.18-164.11.1.el5.x86_64.rpm
kernel-debug-2.6.18-164.11.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-164.11.1.el5.x86_64.rpm
kernel-devel-2.6.18-164.11.1.el5.x86_64.rpm
kernel-doc-2.6.18-164.11.1.el5.noarch.rpm
kernel-headers-2.6.18-164.11.1.el5.x86_64.rpm
kernel-xen-2.6.18-164.11.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-164.11.1.el5.x86_64.rpm
   Dependencies:
kernel-module-aufs-2.6.18-164.11.1.el5-0.20090202.cvs-6.sl5.x86_64.rpm
kernel-module-aufs-2.6.18-164.11.1.el5xen-0.20090202.cvs-6.sl5.x86_64.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5-1.55-1.SL.x86_64.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5xen-1.55-1.SL.x86_64.rpm
kernel-module-openafs-2.6.18-164.11.1.el5-1.4.11-76.sl5.x86_64.rpm
kernel-module-openafs-2.6.18-164.11.1.el5xen-1.4.11-76.sl5.x86_64.rpm
   Dependencies for SL50,51,52,53:
kernel-module-ipw3945-2.6.18-164.11.1.el5-1.2.0-2.sl5.x86_64.rpm
kernel-module-ipw3945-2.6.18-164.11.1.el5xen-1.2.0-2.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.x86_64.rpm

-Connie Sieh
-Troy Dawson
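
Added example (not part of the original advisory): a shell audit for the two configuration-dependent conditions described above, the world-writable sysfs attributes (CVE-2009-3556, CVE-2009-3889, CVE-2009-3939) and "/proc/sys/fs/suid_dumpable" set to 2 (CVE-2006-6304). The function names and the SYSFS_ROOT / PROC_ROOT overrides are assumptions of this example; the attribute names are the ones the advisory lists.

```shell
#!/bin/sh
# Added example: host audit for the permission and sysctl conditions named in
# the advisory. SYSFS_ROOT / PROC_ROOT are hypothetical overrides so the
# checks can also be pointed at a copied or constructed tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# List the sysfs attributes from CVE-2009-3556 (qla2xxx vport_create and
# vport_delete) and CVE-2009-3889 / CVE-2009-3939 (megaraid_sas dbg_lvl and
# poll_mode_io) that still carry the world-writable bit under directory $1.
world_writable_attrs() {
    find "$1" \( -name vport_create -o -name vport_delete \
        -o -name dbg_lvl -o -name poll_mode_io \) \
        -type f -perm -0002 2>/dev/null | sort
}

# Succeed only when suid_dumpable is 2, the one setting CVE-2006-6304 affects
# (the default value is 0). $1 is the proc mount point.
suid_dumpable_exposed() {
    val=$(cat "$1/sys/fs/suid_dumpable" 2>/dev/null) || return 1
    [ "$val" = "2" ]
}

# Run both checks; return 1 if either condition is present.
audit() {
    status=0
    hits=$(world_writable_attrs "$SYSFS_ROOT")
    if [ -n "$hits" ]; then
        echo "world-writable driver attributes (expected root-only write):"
        echo "$hits"
        status=1
    fi
    if suid_dumpable_exposed "$PROC_ROOT"; then
        echo "fs.suid_dumpable is 2: core files of setuid programs are written;"
        echo "after this update an existing core file is not overwritten"
        status=1
    fi
    return $status
}

# Run the audit only when asked, so the file can also be sourced.
case "${1:-}" in
    --audit) audit ;;
esac
```

Run it as "sh audit.sh --audit" (the file name is arbitrary) before and after rebooting into the updated kernel; an exit status of 0 means neither condition was found.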
