Synopsis: Important: libcgroup security update Issue date: 2011-03-03 CVE Names: CVE-2011-1006 CVE-2011-1022 A heap-based buffer overflow flaw was found in the way libcgroup converted a list of user-provided controllers for a particular task into an array of strings. A local attacker could use this flaw to escalate their privileges via a specially-crafted list of controllers. (CVE-2011-1006) It was discovered that libcgroup did not properly check the origin of Netlink messages. A local attacker could use this flaw to send crafted Netlink messages to the cgrulesengd daemon, causing it to put processes into one or more existing control groups, based on the attacker's choosing, possibly allowing the particular tasks to run with more resources (memory, CPU, etc.) than originally intended. (CVE-2011-1022) SL 6.x SRPMS: libcgroup-0.36.1-6.el6_0.1.src.rpm i386: libcgroup-0.36.1-6.el6_0.1.i686.rpm libcgroup-devel-0.36.1-6.el6_0.1.i686.rpm libcgroup-pam-0.36.1-6.el6_0.1.i686.rpm x86_64: libcgroup-0.36.1-6.el6_0.1.i686.rpm libcgroup-0.36.1-6.el6_0.1.x86_64.rpm libcgroup-devel-0.36.1-6.el6_0.1.i686.rpm libcgroup-devel-0.36.1-6.el6_0.1.x86_64.rpm libcgroup-pam-0.36.1-6.el6_0.1.i686.rpm libcgroup-pam-0.36.1-6.el6_0.1.x86_64.rpm -Connie Sieh -Troy Dawson