Hi Klaus and Stephan,

Two problems I see with the kernel for 5.3.z
1 - Can't find it publicly yet
2 - It doesn't address the security concern that is with the new kernel.
    It only addresses the security concerns with the original 5.4 kernel.

2.6.18-128.8.1.el5 (5.3.z kernel)
CVE-2009-2847 CVE-2009-2848

2.6.18-164.el5 (5.4 original kernel)
CVE-2009-0745 CVE-2009-0746 CVE-2009-0747 CVE-2009-0748 CVE-2009-2847 CVE-2009-2848

2.6.18-164.2.1.el5 (5.4 latest kernel)
CVE-2009-2849

Are these show stoppers and we shouldn't release the 5.3.z kernel?
Still up for debate in my opinion.

Troy

Stephan Wiesand wrote:
> Hi Klaus,
>
> On Fri, 2009-10-02 at 14:04 +0200, Klaus Steinberger wrote:
>> Hi Troy,
>>
>> did you notice, that there is probably also an errata kernel for 5.3
>
> yes, I think that's the one we really want. Alas, I couldn't find the
> SRPM in a public place yet.
>
> Cheers,
> Stephan
>
>
>> Sincerely,
>> Klaus
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Dear colleagues,
>>
>> we have just received the following Red Hat Security Advisory. We are
>> passing this information on to you unchanged.
>>
>> CVE-2009-2847 - Linux kernel function do_sigaltstack() does not clear
>> padding data
>>
>> On 64-bit architectures, the signal stack data structure contains
>> some padding bytes. The Linux kernel function do_sigaltstack() does
>> not clear these when the data structure is returned to the user after
>> the call. Local attackers can thereby read part of the kernel memory
>> and so obtain possibly confidential information.
>>
>> CVE-2009-2848 - Flaw in the Linux execve() system call
>>
>> Under certain circumstances the Linux execve() system call does not
>> clear the "current->clear_child_tid" pointer, which, when threads are
>> created and destroyed, leads to data structures in the kernel being
>> overwritten if the threads are created with the flags
>> CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID. A local attacker can
>> exploit this for a denial of service attack.
>>
>> The following software packages and platforms are affected:
>>
>> Package kernel
>>
>> Red Hat Enterprise Linux (v. 5.3.z server) - i386, ia64, noarch, ppc,
>> s390x, x86_64
>>
>>
>> The vendor provides revised packages.
>>
>> Vendor advisory:
>> https://rhn.redhat.com/errata/RHSA-2009-1466.html
>>
>>
>> (c) of the German summary held by DFN-CERT Services GmbH;
>> distribution, including in excerpts, is permitted only with
>> attribution to the copyright holder, DFN-CERT Services GmbH, and only
>> for non-commercial purposes.
>>
>> With kind regards,
>> Detlev O. Matthies
>>
>> - --
>>
>> Detlev O. Matthies, M.Sc. (Incident Response Team)
>>
>> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>> Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID no.: DE 232129737
>> Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
>>
>> Automatic alerts https://www.cert.dfn.de/autowarn
>>
>> - -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> =====================================================================
>> Red Hat Security Advisory
>>
>> Synopsis:          Important: kernel security and bug fix update
>> Advisory ID:       RHSA-2009:1466-01
>> Product:           Red Hat Enterprise Linux
>> Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1466.html
>> Issue date:        2009-09-29
>> CVE Names:         CVE-2009-2847 CVE-2009-2848
>> =====================================================================
>>
>> 1. Summary:
>>
>> Updated kernel packages that fix two security issues and several bugs are
>> now available for Red Hat Enterprise Linux 5.3 Extended Update Support.
>>
>> This update has been rated as having important security impact by the Red
>> Hat Security Response Team.
>>
>> 2. Relevant releases/architectures:
>>
>> Red Hat Enterprise Linux (v. 5.3.z server) - i386, ia64, noarch, ppc, s390x, x86_64
>>
>> 3. Description:
>>
>> The kernel packages contain the Linux kernel, the core of any Linux
>> operating system.
>>
>> This update includes backported fixes for two security issues. These issues
>> only affected users of Red Hat Enterprise Linux 5.3 Extended Update Support
>> as they have already been addressed for users of Red Hat Enterprise Linux 5
>> in the 5.4 update, RHSA-2009:1243.
>>
>> In accordance with the support policy, future security updates to Red Hat
>> Enterprise Linux 5.3 Extended Update Support will only include issues of
>> critical security impact.
>>
>> This update fixes the following security issues:
>>
>> * it was discovered that, when executing a new process, the clear_child_tid
>> pointer in the Linux kernel is not cleared. If this pointer points to a
>> writable portion of the memory of the new program, the kernel could corrupt
>> four bytes of memory, possibly leading to a local denial of service or
>> privilege escalation. (CVE-2009-2848, Important)
>>
>> * a flaw was found in the way the do_sigaltstack() function in the Linux
>> kernel copies the stack_t structure to user-space. On 64-bit machines, this
>> flaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate)
>>
>> This update also fixes the following bugs:
>>
>> * a regression was found in the SCSI retry logic: SCSI mode select was not
>> retried when retryable errors were encountered. In Device-Mapper Multipath
>> environments, this could cause paths to fail, or possibly prevent
>> successful failover. (BZ#506905)
>>
>> * the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel
>> build options. This prevents gcc from optimizing out NULL pointer checks
>> after the first use of a pointer. NULL pointer bugs are often exploited by
>> attackers, and keeping these checks is considered a safety measure.
>> (BZ#515468)
>>
>> * due to incorrect APIC timer calibration, a system hang could have
>> occurred while booting certain systems. This incorrect timer calibration
>> could have also caused the system time to become faster or slower. With
>> this update, it is still possible for APIC timer calibration issues to
>> occur; however, a clear warning is now provided if they do. (BZ#521237)
>>
>> * gettimeofday() experienced poor performance (which caused performance
>> problems for applications using gettimeofday()) when running on hypervisors
>> that use hardware assisted virtualization. With this update, MFENCE/LFENCE
>> is used instead of CPUID for gettimeofday() serialization, which resolves
>> this issue. (BZ#523280)
>>
>> Users should upgrade to these updated packages, which contain backported
>> patches to correct these issues. The system must be rebooted for this
>> update to take effect.
>>
>> 4. Solution:
>>
>> Before applying this update, make sure that all previously-released
>> errata relevant to your system have been applied.
>>
>> This update is available via Red Hat Network. Details on how to use
>> the Red Hat Network to apply this update are available at
>> http://kbase.redhat.com/faq/docs/DOC-11259
>>
>> 5. Bugs fixed (http://bugzilla.redhat.com/):
>>
>> 506905 - LTC 49790: Sync up SCSI DH code with mainline changes [rhel-5.3.z]
>> 515392 - CVE-2009-2847 kernel: information leak in sigaltstack
>> 515423 - CVE-2009-2848 kernel: execve: must clear current->clear_child_tid
>> 515468 - kernel: build with -fno-delete-null-pointer-checks [rhel-5.3.z]
>> 521237 - [RHEL 5] Hang on boot due to wrong APIC timer calibration [rhel-5.3.z]
>> 523280 - RFE: improve gettimeofday performance on hypervisors [rhel-5.3.z]
>>
>> 6. Package List:
>>
>> Red Hat Enterprise Linux (v. 5.3.z server):
>>
>> i386:
>> kernel-2.6.18-128.8.1.el5.i686.rpm
>> kernel-PAE-2.6.18-128.8.1.el5.i686.rpm
>> kernel-PAE-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>> kernel-PAE-devel-2.6.18-128.8.1.el5.i686.rpm
>> kernel-debug-2.6.18-128.8.1.el5.i686.rpm
>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>> kernel-debug-devel-2.6.18-128.8.1.el5.i686.rpm
>> kernel-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>> kernel-debuginfo-common-2.6.18-128.8.1.el5.i686.rpm
>> kernel-devel-2.6.18-128.8.1.el5.i686.rpm
>> kernel-headers-2.6.18-128.8.1.el5.i386.rpm
>> kernel-xen-2.6.18-128.8.1.el5.i686.rpm
>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.i686.rpm
>> kernel-xen-devel-2.6.18-128.8.1.el5.i686.rpm
>>
>> ia64:
>> kernel-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-debug-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-debug-devel-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-debuginfo-common-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-devel-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-headers-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-xen-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
>> kernel-xen-devel-2.6.18-128.8.1.el5.ia64.rpm
>>
>> noarch:
>> kernel-doc-2.6.18-128.8.1.el5.noarch.rpm
>>
>> ppc:
>> kernel-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-debug-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-debug-devel-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-debuginfo-common-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-devel-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-headers-2.6.18-128.8.1.el5.ppc.rpm
>> kernel-headers-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-kdump-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-kdump-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
>> kernel-kdump-devel-2.6.18-128.8.1.el5.ppc64.rpm
>>
>> s390x:
>> kernel-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-debug-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-debug-devel-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-debuginfo-common-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-devel-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-headers-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-kdump-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-kdump-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
>> kernel-kdump-devel-2.6.18-128.8.1.el5.s390x.rpm
>>
>> x86_64:
>> kernel-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-debug-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-debug-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-debug-devel-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-debuginfo-common-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-devel-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-headers-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-xen-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-xen-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
>> kernel-xen-devel-2.6.18-128.8.1.el5.x86_64.rpm
>>
>> These packages are GPG signed by Red Hat for security. Our key and
>> details on how to verify the signature are available from
>> https://www.redhat.com/security/team/key/#package
>>
>> 7. References:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
>> http://www.redhat.com/security/updates/classification/#important
>>
>> 8. Contact:
>>
>> The Red Hat security contact is <[log in to unmask]>. More contact
>> details at https://www.redhat.com/security/team/contact/
>>

--
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI LMSS Group
__________________________________________________
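
The CVE-2009-2847 item in the advisory quoted above (stack_t copied to user space with uncleared padding, a four-byte leak on 64-bit) can be modelled in user space. This is an added example, not part of the original message and not kernel code; struct demo_stack, the 0xAA marker and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for old kernel-stack data */

/* Same member order as stack_t; on LP64 there is a gap after ss_flags. */
struct demo_stack { void *ss_sp; int ss_flags; size_t ss_size; };

#define PAD_OFF (offsetof(struct demo_stack, ss_flags) + sizeof(int))
#define PAD_LEN (offsetof(struct demo_stack, ss_size) - PAD_OFF)

/* Store only the members, as compiled member assignments do; the padding
 * bytes in obj keep whatever they held before. */
static void set_members(unsigned char *obj, void *sp, int flags, size_t size)
{
    memcpy(obj + offsetof(struct demo_stack, ss_sp), &sp, sizeof sp);
    memcpy(obj + offsetof(struct demo_stack, ss_flags), &flags, sizeof flags);
    memcpy(obj + offsetof(struct demo_stack, ss_size), &size, sizeof size);
}

/* Builds the reply in a reused buffer and copies the whole object out.
 * zero_first = 0 models the flawed pattern, 1 the hardened one.
 * Returns how many stale bytes reached the caller's copy. */
size_t stale_bytes_copied_out(int zero_first)
{
    unsigned char local[sizeof(struct demo_stack)];
    unsigned char user[sizeof(struct demo_stack)];
    size_t i, stale = 0;

    memset(local, STALE, sizeof local);   /* leftover data from earlier calls */
    if (zero_first)
        memset(local, 0, sizeof local);   /* clears padding along with members */
    set_members(local, NULL, 2, 8192);
    memcpy(user, local, sizeof user);     /* stands in for copy_to_user() */

    for (i = 0; i < PAD_LEN; i++)
        stale += (user[PAD_OFF + i] == STALE);
    return stale;
}

int main(void)
{
    printf("padding bytes in struct:        %zu\n", (size_t)PAD_LEN);
    printf("stale bytes, whole-struct copy: %zu\n", stale_bytes_copied_out(0));
    printf("stale bytes, zeroed first:      %zu\n", stale_bytes_copied_out(1));
    return 0;
}
```

Copying each member out individually instead of the whole object avoids exposing the padding as well.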