Hi Troy,

On Oct 2, 2009, at 18:39, Troy Dawson wrote:

> Hi Klaus and Stephan,
> Two problems I see with the kernel for 5.3.z
> 1 - Can't find it publicly yet

sadly, that hasn't changed, so it's not actually an option. I stopped checking for it, and we're rolling out -164.2.1 - so far to some 300 systems (PCs, compute nodes, Xen Servers [with the xen update] and PVMs, and some fileservers including one serving ~10 TB of pre-5.4 XFS space). No problems encountered yet. But then we're not using NFSv4.

Cheers,
Stephan

> 2 - It doesn't address the security concern that is with the new
> kernel. It only addresses the security concerns with the original
> 5.4 kernel.
>
> 2.6.18-128.8.1.el5 (5.3.z kernel)
> CVE-2009-2847 CVE-2009-2848
>
> 2.6.18-164.el5 (5.4 original kernel)
> CVE-2009-0745 CVE-2009-0746 CVE-2009-0747
> CVE-2009-0748 CVE-2009-2847 CVE-2009-2848
>
> 2.6.18-164.2.1.el5 (5.4 latest kernel)
> CVE-2009-2849
>
> Are these show stoppers and we shouldn't release the 5.3.z kernel?
> Still up for debate in my opinion.
>
> Troy
>
> Stephan Wiesand wrote:
>> Hi Klaus,
>> On Fri, 2009-10-02 at 14:04 +0200, Klaus Steinberger wrote:
>>> Hi Troy,
>>>
>>> did you notice, that there is probably also an errata kernel for 5.3
>> yes, I think that's the one we really want. Alas, I couldn't find the
>> SRPM in a public place yet.
>> Cheers,
>> Stephan
>>> Sincerely,
>>> Klaus
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Dear colleagues,
>>>
>>> we have just received the following RedHat Security Advisory. We are
>>> passing this information on to you unchanged.
>>>
>>> CVE-2009-2847 - Linux kernel function do_sigaltstack() does not clear
>>> padding data
>>>
>>> On 64-bit architectures the signal stack data structure contains
>>> some padding bytes. The Linux kernel function do_sigaltstack() does
>>> not clear them when the data structure is returned to the user after
>>> the call. Local attackers can thereby read part of kernel memory and
>>> so obtain possibly confidential information.
>>>
>>> CVE-2009-2848 - Flaw in the Linux execve() system call
>>>
>>> Under certain circumstances the Linux execve() system call does not
>>> clear the "current->clear_child_tid" pointer, which, when threads are
>>> created and deleted, causes data structures in the kernel to be
>>> overwritten if the threads are created with the flags
>>> CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID. A local attacker can
>>> exploit this for a denial of service attack.
>>>
>>> The following software packages and platforms are affected:
>>>
>>> Package kernel
>>>
>>> Red Hat Enterprise Linux (v. 5.3.z server) - i386, ia64, noarch, ppc,
>>> s390x, x86_64
>>>
>>>
>>> The vendor provides revised packages.
>>>
>>> Vendor advisory:
>>> https://rhn.redhat.com/errata/RHSA-2009-1466.html
>>>
>>>
>>> (c) of the German summary held by DFN-CERT Services GmbH;
>>> distribution, including in excerpts, is permitted only with
>>> attribution to the author, DFN-CERT Services GmbH, and only for
>>> non-commercial purposes.
>>>
>>> Kind regards,
>>> Detlev O. Matthies
>>>
>>> - --
>>>
>>> Detlev O. Matthies, M.Sc. (Incident Response Team)
>>>
>>> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>>> Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
>>> Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
>>>
>>> Automatic warning messages https://www.cert.dfn.de/autowarn
>>>
>>> - -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> =====================================================================
>>> Red Hat Security Advisory
>>>
>>> Synopsis: Important: kernel security and bug fix update
>>> Advisory ID: RHSA-2009:1466-01
>>> Product: Red Hat Enterprise Linux
>>> Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1466.html
>>> Issue date: 2009-09-29
>>> CVE Names: CVE-2009-2847 CVE-2009-2848
>>> =====================================================================
>>>
>>> 1. Summary:
>>>
>>> Updated kernel packages that fix two security issues and several bugs are
>>> now available for Red Hat Enterprise Linux 5.3 Extended Update Support.
>>>
>>> This update has been rated as having important security impact by the Red
>>> Hat Security Response Team.
>>>
>>> 2. Relevant releases/architectures:
>>>
>>> Red Hat Enterprise Linux (v. 5.3.z server) - i386, ia64, noarch, ppc, s390x, x86_64
>>>
>>> 3. Description:
>>>
>>> The kernel packages contain the Linux kernel, the core of any Linux
>>> operating system.
>>>
>>> This update includes backported fixes for two security issues. These issues
>>> only affected users of Red Hat Enterprise Linux 5.3 Extended Update Support
>>> as they have already been addressed for users of Red Hat Enterprise Linux 5
>>> in the 5.4 update, RHSA-2009:1243.
>>>
>>> In accordance with the support policy, future security updates to Red Hat
>>> Enterprise Linux 5.3 Extended Update Support will only include issues of
>>> critical security impact.
>>>
>>> This update fixes the following security issues:
>>>
>>> * it was discovered that, when executing a new process, the clear_child_tid
>>> pointer in the Linux kernel is not cleared. If this pointer points to a
>>> writable portion of the memory of the new program, the kernel could corrupt
>>> four bytes of memory, possibly leading to a local denial of service or
>>> privilege escalation. (CVE-2009-2848, Important)
>>>
>>> * a flaw was found in the way the do_sigaltstack() function in the Linux
>>> kernel copies the stack_t structure to user-space. On 64-bit machines, this
>>> flaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate)
>>>
>>> This update also fixes the following bugs:
>>>
>>> * a regression was found in the SCSI retry logic: SCSI mode select was not
>>> retried when retryable errors were encountered. In Device-Mapper Multipath
>>> environments, this could cause paths to fail, or possibly prevent
>>> successful failover. (BZ#506905)
>>>
>>> * the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel
>>> build options. This prevents gcc from optimizing out NULL pointer checks
>>> after the first use of a pointer. NULL pointer bugs are often exploited by
>>> attackers, and keeping these checks is considered a safety measure.
>>> (BZ#515468)
>>>
>>> * due to incorrect APIC timer calibration, a system hang could have
>>> occurred while booting certain systems. This incorrect timer calibration
>>> could have also caused the system time to become faster or slower. With
>>> this update, it is still possible for APIC timer calibration issues to
>>> occur; however, a clear warning is now provided if they do. (BZ#521237)
>>>
>>> * gettimeofday() experienced poor performance (which caused performance
>>> problems for applications using gettimeofday()) when running on hypervisors
>>> that use hardware assisted virtualization. With this update, MFENCE/LFENCE
>>> is used instead of CPUID for gettimeofday() serialization, which resolves
>>> this issue. (BZ#523280)
>>>
>>> Users should upgrade to these updated packages, which contain backported
>>> patches to correct these issues. The system must be rebooted for this
>>> update to take effect.
>>>
>>> 4. Solution:
>>>
>>> Before applying this update, make sure that all previously-released
>>> errata relevant to your system have been applied.
>>>
>>> This update is available via Red Hat Network. Details on how to use
>>> the Red Hat Network to apply this update are available at
>>> http://kbase.redhat.com/faq/docs/DOC-11259
>>>
>>> 5. Bugs fixed (http://bugzilla.redhat.com/):
>>>
>>> 506905 - LTC 49790: Sync up SCSI DH code with mainline changes [rhel-5.3.z]
>>> 515392 - CVE-2009-2847 kernel: information leak in sigaltstack
>>> 515423 - CVE-2009-2848 kernel: execve: must clear current->clear_child_tid
>>> 515468 - kernel: build with -fno-delete-null-pointer-checks [rhel-5.3.z]
>>> 521237 - [RHEL 5] Hang on boot due to wrong APIC timer calibration [rhel-5.3.z]
>>> 523280 - RFE: improve gettimeofday performance on hypervisors [rhel-5.3.z]
>>>
>>> 6. Package List:
>>>
>>> Red Hat Enterprise Linux (v. 5.3.z server):
>>>
>>> i386:
>>> kernel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-PAE-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-PAE-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-PAE-devel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.i386.rpm
>>> kernel-xen-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>>> kernel-xen-devel-2.6.18-128.8.1.el5.i686.rpm
>>>
>>> ia64:
>>> kernel-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-xen-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>>> kernel-xen-devel-2.6.18-128.8.1.el5.ia64.rpm
>>>
>>> noarch:
>>> kernel-doc-2.6.18-128.8.1.el5.noarch.rpm
>>>
>>> ppc:
>>> kernel-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.ppc.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-kdump-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-kdump-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>>> kernel-kdump-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>>
>>> s390x:
>>> kernel-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-kdump-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-kdump-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>>> kernel-kdump-devel-2.6.18-128.8.1.el5.s390x.rpm
>>>
>>> x86_64:
>>> kernel-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debug-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debug-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-debuginfo-common-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-headers-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-xen-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>>> kernel-xen-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>>
>>> These packages are GPG signed by Red Hat for security. Our key and
>>> details on how to verify the signature are available from
>>> https://www.redhat.com/security/team/key/#package
>>>
>>> 7. References:
>>>
>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
>>> http://www.redhat.com/security/updates/classification/#important
>>>
>>> 8. Contact:
>>>
>>> The Red Hat security contact is <[log in to unmask]>. More contact
>>> details at https://www.redhat.com/security/team/contact/
>>>
>
>
> --
> __________________________________________________
> Troy Dawson [log in to unmask] (630)840-6468
> Fermilab ComputingDivision/LCSI/CSI LMSS Group
> __________________________________________________

--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
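
The advisory quoted above describes CVE-2009-2847 as do_sigaltstack() copying a stack_t to user space with its padding uncleared. The following is an added example, not part of the original thread and not kernel code: a user-space simulation of that copy pattern next to a hardened per-member copy. The struct name, the 0xAA marker and the member values are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Same member order as the kernel's stack_t; the struct name is hypothetical. */
struct demo_stack {
    void  *ss_sp;
    int    ss_flags;   /* on LP64, 4 padding bytes follow this member */
    size_t ss_size;
};
#define SZ        sizeof(struct demo_stack)
#define OFF(m)    offsetof(struct demo_stack, m)
#define FLAGS_END (OFF(ss_flags) + sizeof(int))
#define STALE     0xAA /* constructed marker for leftover kernel stack bytes */

/* Padding bytes between ss_flags and ss_size on this ABI. */
size_t pad_len(void) { return OFF(ss_size) - FLAGS_END; }

/* Simulated kernel stack slot: stale bytes, then only the members are stored. */
static void fill_kernel_copy(unsigned char *k) {
    void *sp = NULL; int flags = 2; size_t size = 8192; /* constructed values */
    memset(k, STALE, SZ);
    memcpy(k + OFF(ss_sp), &sp, sizeof sp);
    memcpy(k + OFF(ss_flags), &flags, sizeof flags);
    memcpy(k + OFF(ss_size), &size, sizeof size);
}

/* Stale bytes that landed in the padding region of the user-side buffer. */
static size_t stale_in_padding(const unsigned char *u) {
    size_t n = 0;
    for (size_t i = FLAGS_END; i < OFF(ss_size); i++) n += (u[i] == STALE);
    return n;
}

/* Pre-fix pattern: one sizeof(struct) copy carries the padding across. */
size_t leak_whole_struct(void) {
    unsigned char k[SZ], u[SZ] = {0};
    fill_kernel_copy(k);
    memcpy(u, k, SZ);                       /* stands in for copy_to_user() */
    return stale_in_padding(u);
}

/* Hardened pattern: copy member by member, so padding never leaves. */
size_t leak_per_member(void) {
    unsigned char k[SZ], u[SZ] = {0};
    fill_kernel_copy(k);
    memcpy(u + OFF(ss_sp), k + OFF(ss_sp), sizeof(void *));
    memcpy(u + OFF(ss_flags), k + OFF(ss_flags), sizeof(int));
    memcpy(u + OFF(ss_size), k + OFF(ss_size), sizeof(size_t));
    return stale_in_padding(u);
}
```

On a 64-bit (LP64) build the whole-struct copy carries four stale bytes across, matching the advisory's "four-byte information leak"; on a 32-bit build the struct has no padding and both functions return 0.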