Date: 13 March 2009
References: AA-2009.0004 ESB-2009.0113 ESB-2009.0139 AA-2009.0030 ESB-2009.0263 ESB-2009.0294 ESB-2009.0309 ESB-2009.0321 ESB-2009.0431 ESB-2009.0445
ESB-2009.0488
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0239 -- [RedHat]
Important: kernel security and bug fix update
13 March 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kernel
Publisher: Red Hat
Operating System: Red Hat Linux 4
Impact: Denial of Service
Access: Existing Account
CVE Names: CVE-2009-0322 CVE-2009-0065 CVE-2009-0031
CVE-2008-5700
Ref: AA-2009.0004
AA-2009.0030
ESB-2009.0113
ESB-2009.0139
Original Bulletin: https://rhn.redhat.com/errata/RHSA-2009-0331.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2009:0331-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0331.html
Issue date: 2009-03-12
CVE Names: CVE-2008-5700 CVE-2009-0031 CVE-2009-0065
CVE-2009-0322
=====================================================================
1. Summary:
Updated kernel packages that resolve several security issues and fix
various bugs are now available for Red Hat Enterprise Linux 4.
This update has been rated as having important security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64
3. Description:
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
This update addresses the following security issues:
* a buffer overflow was found in the Linux kernel Partial Reliable Stream
Control Transmission Protocol (PR-SCTP) implementation. This could,
potentially, lead to a denial of service if a Forward-TSN chunk is received
with a large stream ID. (CVE-2009-0065, Important)
* a memory leak was found in keyctl handling. A local, unprivileged user
could use this flaw to deplete kernel memory, eventually leading to a
denial of service. (CVE-2009-0031, Important)
* a deficiency was found in the Remote BIOS Update (RBU) driver for Dell
systems. This could allow a local, unprivileged user to cause a denial of
service by reading zero bytes from the image_type or packet_size file in
"/sys/devices/platform/dell_rbu/". (CVE-2009-0322, Important)
* a deficiency was found in the libATA implementation. This could,
potentially, lead to a denial of service. Note: by default, "/dev/sg*"
devices are accessible only to the root user. (CVE-2008-5700, Low)
This update also fixes the following bugs:
* when the hypervisor changed a page table entry (pte) mapping from
read-only to writable via a make_writable hypercall, accessing the changed
page immediately following the change caused a spurious page fault. When
trying to install a para-virtualized Red Hat Enterprise Linux 4 guest on a
Red Hat Enterprise Linux 5.3 dom0 host, this fault crashed the installer
with a kernel backtrace. With this update, the "spurious" page fault is
handled properly. (BZ#483748)
* net_rx_action could detect its cpu poll_list as non-empty, but have that
same list reduced to empty by the poll_napi path. This resulted in garbage
data being returned when net_rx_action calls list_entry, which subsequently
resulted in several possible crash conditions. The race condition in the
network code which caused this has been fixed. (BZ#475970, BZ#479681 &
BZ#480741)
* a misplaced memory barrier at unlock_buffer() could lead to a concurrent
h_refcounter update which produced a reference counter leak and, later, a
double free in ext3_xattr_release_block(). Consequent to the double free,
ext3 reported an error
ext3_free_blocks_sb: bit already cleared for block [block number]
and mounted itself as read-only. With this update, the memory barrier is
now placed before the buffer head lock bit, forcing the write order and
preventing the double free. (BZ#476533)
* when the iptables module was unloaded, it was assumed the correct entry
for removal had been found if "wrapper->ops->pf" matched the value passed
in by "reg->pf". If several ops ranges were registered against the same
protocol family, however, (which was likely if you had both ip_conntrack
and ip_contrack_* loaded) this assumption could lead to NULL list pointers
and cause a kernel panic. With this update, "wrapper->ops" is matched to
pointer values "reg", which ensures the correct entry is removed and
results in no NULL list pointers. (BZ#477147)
* when the pidmap page (used for tracking process ids, pids) incremented to
an even page (ie the second, fourth, sixth, etc. pidmap page), the
alloc_pidmap() routine skipped the page. This resulted in "holes" in the
allocated pids. For example, after pid 32767, you would expect 32768 to be
allocated. If the page skipping behavior presented, however, the pid
allocated after 32767 was 65536. With this update, alloc_pidmap() no longer
skips alternate pidmap pages and allocated pid holes no longer occur. This
fix also corrects an error which allowed pid_max to be set higher than the
pid_max limit has been corrected. (BZ#479182)
All Red Hat Enterprise Linux 4 users should upgrade to these updated
packages, which contain backported patches to resolve these issues. The
system must be rebooted for this update to take effect.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
474495 - CVE-2008-5700 kernel: enforce a minimum SG_IO timeout
475970 - oops in e1000_clean (list corruption due to race with e1000_down)
476533 - Read-only filesystem after 'ext3_free_blocks_sb: bit already cleared for block' errors
477147 - Kernel panic when unloading ip conntrack modules
478800 - CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID
479182 - RHEL4 64 bit skips all pids with bit 15 set (32768-65535, 98304-131071 etc)
479681 - oops in net_rx_action on double free of dev->poll_list
480592 - CVE-2009-0031 kernel: local denial of service in keyctl_join_session_keyring
480741 - RHEL4.8 kernel crashed in net_rx_action() on IA64 machine in RHTS connectathon test
482866 - CVE-2009-0322 kernel: dell_rbu local oops
483748 - rhel4 PV guest installations busted on rhel 5.3 i386 intel dom0
6. Package List:
Red Hat Enterprise Linux AS version 4:
Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-78.0.17.EL.src.rpm
i386:
kernel-2.6.9-78.0.17.EL.i686.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.i686.rpm
kernel-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-hugemem-2.6.9-78.0.17.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-smp-2.6.9-78.0.17.EL.i686.rpm
kernel-smp-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-xenU-2.6.9-78.0.17.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.0.17.EL.i686.rpm
ia64:
kernel-2.6.9-78.0.17.EL.ia64.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.ia64.rpm
kernel-devel-2.6.9-78.0.17.EL.ia64.rpm
kernel-largesmp-2.6.9-78.0.17.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-78.0.17.EL.ia64.rpm
noarch:
kernel-doc-2.6.9-78.0.17.EL.noarch.rpm
ppc:
kernel-2.6.9-78.0.17.EL.ppc64.rpm
kernel-2.6.9-78.0.17.EL.ppc64iseries.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.ppc64.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.ppc64iseries.rpm
kernel-devel-2.6.9-78.0.17.EL.ppc64.rpm
kernel-devel-2.6.9-78.0.17.EL.ppc64iseries.rpm
kernel-largesmp-2.6.9-78.0.17.EL.ppc64.rpm
kernel-largesmp-devel-2.6.9-78.0.17.EL.ppc64.rpm
s390:
kernel-2.6.9-78.0.17.EL.s390.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.s390.rpm
kernel-devel-2.6.9-78.0.17.EL.s390.rpm
s390x:
kernel-2.6.9-78.0.17.EL.s390x.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.s390x.rpm
kernel-devel-2.6.9-78.0.17.EL.s390x.rpm
x86_64:
kernel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.x86_64.rpm
kernel-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.0.17.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-smp-2.6.9-78.0.17.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-xenU-2.6.9-78.0.17.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.0.17.EL.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kernel-2.6.9-78.0.17.EL.src.rpm
i386:
kernel-2.6.9-78.0.17.EL.i686.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.i686.rpm
kernel-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-hugemem-2.6.9-78.0.17.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-smp-2.6.9-78.0.17.EL.i686.rpm
kernel-smp-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-xenU-2.6.9-78.0.17.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.0.17.EL.i686.rpm
noarch:
kernel-doc-2.6.9-78.0.17.EL.noarch.rpm
x86_64:
kernel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.x86_64.rpm
kernel-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.0.17.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-smp-2.6.9-78.0.17.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-xenU-2.6.9-78.0.17.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.0.17.EL.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-78.0.17.EL.src.rpm
i386:
kernel-2.6.9-78.0.17.EL.i686.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.i686.rpm
kernel-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-hugemem-2.6.9-78.0.17.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-smp-2.6.9-78.0.17.EL.i686.rpm
kernel-smp-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-xenU-2.6.9-78.0.17.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.0.17.EL.i686.rpm
ia64:
kernel-2.6.9-78.0.17.EL.ia64.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.ia64.rpm
kernel-devel-2.6.9-78.0.17.EL.ia64.rpm
kernel-largesmp-2.6.9-78.0.17.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-78.0.17.EL.ia64.rpm
noarch:
kernel-doc-2.6.9-78.0.17.EL.noarch.rpm
x86_64:
kernel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.x86_64.rpm
kernel-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.0.17.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-smp-2.6.9-78.0.17.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-xenU-2.6.9-78.0.17.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.0.17.EL.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-78.0.17.EL.src.rpm
i386:
kernel-2.6.9-78.0.17.EL.i686.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.i686.rpm
kernel-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-hugemem-2.6.9-78.0.17.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-smp-2.6.9-78.0.17.EL.i686.rpm
kernel-smp-devel-2.6.9-78.0.17.EL.i686.rpm
kernel-xenU-2.6.9-78.0.17.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.0.17.EL.i686.rpm
ia64:
kernel-2.6.9-78.0.17.EL.ia64.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.ia64.rpm
kernel-devel-2.6.9-78.0.17.EL.ia64.rpm
kernel-largesmp-2.6.9-78.0.17.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-78.0.17.EL.ia64.rpm
noarch:
kernel-doc-2.6.9-78.0.17.EL.noarch.rpm
x86_64:
kernel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.0.17.EL.x86_64.rpm
kernel-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.0.17.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-smp-2.6.9-78.0.17.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.0.17.EL.x86_64.rpm
kernel-xenU-2.6.9-78.0.17.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.0.17.EL.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0322
http://www.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2009 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFJuSG1XlSAg2UNWIIRAq4+AKC0WI0DQ5fzioWJlRaW0MyWrjS24gCfYECc
akyEDC7EwkyI0e61bLDjhVA=
=HZfD
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJuaO5NVH5XJJInbgRAoJrAJ9RTkMQ1NRczLDeVecybrjSUoD50ACfdDBW
dKmJ0/t34F5EPEHql7mhK9Y=
=YIYp
-----END PGP SIGNATURE-----
|