AusCERT - ESB-2003.0868 -- RHSA-2003:368-01 -- Updated kernel packages address security vulnerabilities, bugfixes

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2003.0868 -- RHSA-2003:368-01 -- Updated kernel packages address security vulnerabilities, bugfixes
Date: 22 December 2003
References: ESB-2004.0008 ESB-2004.0092

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2003.0868 -- RHSA-2003:368-01
    Updated kernel packages address security vulnerabilities, bugfixes
                             22 December 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                kernel
Publisher:              Red Hat
Operating System:       Red Hat Enterprise Linux AS 2.1
                        Red Hat Linux Advanced Workstation 2.1
                        Red Hat Enterprise Linux ES 2.1
                        Red Hat Enterprise Linux WS 2.1
Platform:               Athlon
                        i386
                        i686
                        IA-64
Impact:                 Root Compromise
                        Read-only Data Access
Access Required:        Existing Account
CVE Names:              CAN-2003-0476 CAN-2003-0961

Comment: Please note, this ESB contains two Red Hat bulletins for various
         CPU architectures.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated IA64 kernel packages address security vulnerabilities, bugfixes
Advisory ID:       RHSA-2003:368-01
Issue date:        2003-12-19
Updated on:        2003-12-19
Product:           Red Hat Enterprise Linux
Keywords:          
Cross references:  
Obsoletes:         
CVE Names:         CAN-2003-0476 CAN-2003-0961
- - ---------------------------------------------------------------------

1. Topic:

Updated kernel packages that address several security vulnerabilites, fix a
number of bugs, and update various drivers are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - ia64
Red Hat Linux Advanced Workstation 2.1 - ia64

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

A flaw in bounds checking in the do_brk() function in the Linux kernel
versions 2.4.22 and previous can allow a local attacker to gain root
privileges. This issue is known to be exploitable; an exploit (for x86
architectures) has been seen in the wild that takes advantage of this
vulnerability. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0961 to this issue.

The execve system call in Linux 2.4.x records the file descriptor of the
executable process in the file table of the calling process, which allows
local users to gain read access to restricted file descriptors.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0476 to this issue.

A hangcheck timer (which is used to detect system hangs or pauses) has been
added.

In addition, a number of drivers have been updated:

- - - e1000 5.2.20-k1
- - - cmpci 5.64
- - - aic7xxx 6.2.36
- - - aic79xx 1.3.10
- - - ips 6.10.52
- - - cciss 2.4.50
- - - fusion 2.05.05+

All users of IA64 systems should upgrade to these errata packages, which
contain patches to the 2.4.18 kernel addressing these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate.  The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

107718 - lstat() claim files owned by users with uid>64k are owned by nfsnobody
106872 - RHEL 2.1 U3:  Exposure of the EFI System Table pointers in a flat file (IPF)
101616 - RHELAS 2.1 Q3U IPF: Lazy FPH handling bug on IPF
96962 - ENSURE THAT HANGCHECK TIMER IS THERE IN THE IA64 TREE
87047 - raidstop --all option failing
106450 - Requesting updated acenic.o driver
106692 - RHEL 2.1 U3: Increase tx_queue_len parameter to 1000
90321 - fix /proc/$PID/cmdline issue
97690 - QU3 - IPF - export kernel symbol brw_kvec_async
71514 - Infinite recursion in SCSI mid layer

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kernel-2.4.18-e.40.src.rpm

ia64:
Available from Red Hat Network: kernel-2.4.18-e.40.ia64.rpm
Available from Red Hat Network: kernel-source-2.4.18-e.40.ia64.rpm
Available from Red Hat Network: kernel-doc-2.4.18-e.40.ia64.rpm
Available from Red Hat Network: kernel-smp-2.4.18-e.40.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/kernel-2.4.18-e.40.src.rpm

ia64:
Available from Red Hat Network: kernel-2.4.18-e.40.ia64.rpm
Available from Red Hat Network: kernel-source-2.4.18-e.40.ia64.rpm
Available from Red Hat Network: kernel-doc-2.4.18-e.40.ia64.rpm
Available from Red Hat Network: kernel-smp-2.4.18-e.40.ia64.rpm



7. Verification:

MD5 sum                          Package Name
- - --------------------------------------------------------------------------
5f182b5ee8bb4dea7c164792d60b18d6 2.1AS/en/os/SRPMS/kernel-2.4.18-e.40.src.rpm
5f1e9ada466e179f15c80f2d4787e3ce 2.1AS/en/os/ia64/kernel-2.4.18-e.40.ia64.rpm
92121880b8845b2f6ecb77784fb678f0 2.1AS/en/os/ia64/kernel-doc-2.4.18-e.40.ia64.rpm
9d630592bb08275ea0740b05c9d9335f 2.1AS/en/os/ia64/kernel-smp-2.4.18-e.40.ia64.rpm
d6291014595cf191e8aa11390ac33fe8 2.1AS/en/os/ia64/kernel-source-2.4.18-e.40.ia64.rpm
5f182b5ee8bb4dea7c164792d60b18d6 2.1AW/en/os/SRPMS/kernel-2.4.18-e.40.src.rpm
5f1e9ada466e179f15c80f2d4787e3ce 2.1AW/en/os/ia64/kernel-2.4.18-e.40.ia64.rpm
92121880b8845b2f6ecb77784fb678f0 2.1AW/en/os/ia64/kernel-doc-2.4.18-e.40.ia64.rpm
9d630592bb08275ea0740b05c9d9335f 2.1AW/en/os/ia64/kernel-smp-2.4.18-e.40.ia64.rpm
d6291014595cf191e8aa11390ac33fe8 2.1AW/en/os/ia64/kernel-source-2.4.18-e.40.ia64.rpm


These packages are GPG signed by Red Hat for security.  Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0961

9. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/42GHXlSAg2UNWIIRApoaAJ4uku7CCtvw9gLs/YNFLjIHyvsT/ACgq64A
13mjqnKPnCqYZubhJWTz3DU=
=Vb/J
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated kernel packages address security vulnerabilities, bugfixes
Advisory ID:       RHSA-2003:408-00
Issue date:        2003-12-19
Updated on:        2003-12-19
Product:           Red Hat Enterprise Linux
Keywords:          
Cross references:  
Obsoletes:         
CVE Names:         CAN-2003-0476
- - ---------------------------------------------------------------------

1. Topic:

Updated kernel packages that address various security vulnerabilities, fix a
number of bugs, and update various drivers are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - athlon, i386, i686
Red Hat Enterprise Linux ES version 2.1 - athlon, i386, i686
Red Hat Enterprise Linux WS version 2.1 - athlon, i386, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system.  

The execve system call in Linux 2.4.x records the file descriptor of the
executable process in the file table of the calling process, which allows
local users to gain read access to restricted file descriptors.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0476 to this issue.

A number of bugfixes are included, including important fixes for the ext3
file system and timer code. 

New features include limited support for non-cached NFS file sytems, Serial
ATA (SATA) devices, and new alt-sysreq debugging options. 

In addition, the following drivers have been updated:

- - - e100 2.3.30-k1
- - - e1000 5.2.20-k1
- - - fusion 2.05.05+
- - - ips 6.10.52
- - - aic7xxx 6.2.36
- - - aic79xxx 1.3.10
- - - megaraid 2 2.00.9
- - - cciss 2.4.49

All users are advised to upgrade to these erratum packages, which contain
backported patches addressing these issues.

4. Solution:

Release notes, driver notes, and driver disks for this update are available
at the following URL:

http://www.redhat.com/support/errata/rhel/

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

The procedure for upgrading the kernel manually is documented at:

http://www.redhat.com/support/docs/howto/kernel-upgrade/

Please read the directions for your architecture carefully before
proceeding with the kernel upgrade.

Please note that this update is also available via Red Hat Network. Many
people find this to be an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. Note that you need to select the kernel
explicitly on default configurations of up2date.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

99203 - NFS tcp client retransmission with large wsize.
74516 - NFS DATA CORRUPTION
84452 - RHEL AS2.1 QU3 errata: System hangs with 2.1 AS (timer.c)
85211 - USB CDROM crashes with dd on IBM Bladecenter
75669 - SG queue function getting null pointer
90872 - md device can be stopped when it should return -EBUSY

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kernel-2.4.9-e.34.src.rpm

athlon:
Available from Red Hat Network: kernel-2.4.9-e.34.athlon.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.34.athlon.rpm

i386:
Available from Red Hat Network: kernel-source-2.4.9-e.34.i386.rpm
Available from Red Hat Network: kernel-doc-2.4.9-e.34.i386.rpm
Available from Red Hat Network: kernel-headers-2.4.9-e.34.i386.rpm
Available from Red Hat Network: kernel-BOOT-2.4.9-e.34.i386.rpm

i686:
Available from Red Hat Network: kernel-2.4.9-e.34.i686.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.34.i686.rpm
Available from Red Hat Network: kernel-summit-2.4.9-e.34.i686.rpm
Available from Red Hat Network: kernel-enterprise-2.4.9-e.34.i686.rpm
Available from Red Hat Network: kernel-debug-2.4.9-e.34.i686.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kernel-2.4.9-e.34.src.rpm

athlon:
Available from Red Hat Network: kernel-2.4.9-e.34.athlon.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.34.athlon.rpm

i386:
Available from Red Hat Network: kernel-source-2.4.9-e.34.i386.rpm
Available from Red Hat Network: kernel-doc-2.4.9-e.34.i386.rpm
Available from Red Hat Network: kernel-headers-2.4.9-e.34.i386.rpm
Available from Red Hat Network: kernel-BOOT-2.4.9-e.34.i386.rpm

i686:
Available from Red Hat Network: kernel-2.4.9-e.34.i686.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.34.i686.rpm
Available from Red Hat Network: kernel-debug-2.4.9-e.34.i686.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kernel-2.4.9-e.34.src.rpm

athlon:
Available from Red Hat Network: kernel-2.4.9-e.34.athlon.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.34.athlon.rpm

i386:
Available from Red Hat Network: kernel-source-2.4.9-e.34.i386.rpm
Available from Red Hat Network: kernel-doc-2.4.9-e.34.i386.rpm
Available from Red Hat Network: kernel-headers-2.4.9-e.34.i386.rpm
Available from Red Hat Network: kernel-BOOT-2.4.9-e.34.i386.rpm

i686:
Available from Red Hat Network: kernel-2.4.9-e.34.i686.rpm
Available from Red Hat Network: kernel-smp-2.4.9-e.34.i686.rpm
Available from Red Hat Network: kernel-enterprise-2.4.9-e.34.i686.rpm
Available from Red Hat Network: kernel-debug-2.4.9-e.34.i686.rpm



7. Verification:

MD5 sum                          Package Name
- - --------------------------------------------------------------------------
9a2fec8ea266a96e7e9027663567bcc8 2.1AS/en/os/SRPMS/kernel-2.4.9-e.34.src.rpm
a7f341ff87ef2ec7ac5fc98b6faf4733 2.1AS/en/os/athlon/kernel-2.4.9-e.34.athlon.rpm
314929f994c284817dba78a98f7e4ab6 2.1AS/en/os/athlon/kernel-smp-2.4.9-e.34.athlon.rpm
751dcca290aef19f97441735581f752e 2.1AS/en/os/i386/kernel-BOOT-2.4.9-e.34.i386.rpm
833b9a87e12666a7a3bab95ef0d839e5 2.1AS/en/os/i386/kernel-doc-2.4.9-e.34.i386.rpm
87333913c671d0e3e7a749de0e335e76 2.1AS/en/os/i386/kernel-headers-2.4.9-e.34.i386.rpm
a9b3d5e9d162b3a194eaf3008b0eb072 2.1AS/en/os/i386/kernel-source-2.4.9-e.34.i386.rpm
c4e713cdbc4c6073a64d75b4dad203bd 2.1AS/en/os/i686/kernel-2.4.9-e.34.i686.rpm
1234399c9c43711dac5a08d6577634ea 2.1AS/en/os/i686/kernel-debug-2.4.9-e.34.i686.rpm
4aa1653dc861991cd07554bd28e5f7e2 2.1AS/en/os/i686/kernel-enterprise-2.4.9-e.34.i686.rpm
1f51cb729dd1e51dbb42e9ba1f6a4436 2.1AS/en/os/i686/kernel-smp-2.4.9-e.34.i686.rpm
bd95e8651a275ad1e5de780e52211ba0 2.1AS/en/os/i686/kernel-summit-2.4.9-e.34.i686.rpm
9a2fec8ea266a96e7e9027663567bcc8 2.1ES/en/os/SRPMS/kernel-2.4.9-e.34.src.rpm
a7f341ff87ef2ec7ac5fc98b6faf4733 2.1ES/en/os/athlon/kernel-2.4.9-e.34.athlon.rpm
314929f994c284817dba78a98f7e4ab6 2.1ES/en/os/athlon/kernel-smp-2.4.9-e.34.athlon.rpm
751dcca290aef19f97441735581f752e 2.1ES/en/os/i386/kernel-BOOT-2.4.9-e.34.i386.rpm
833b9a87e12666a7a3bab95ef0d839e5 2.1ES/en/os/i386/kernel-doc-2.4.9-e.34.i386.rpm
87333913c671d0e3e7a749de0e335e76 2.1ES/en/os/i386/kernel-headers-2.4.9-e.34.i386.rpm
a9b3d5e9d162b3a194eaf3008b0eb072 2.1ES/en/os/i386/kernel-source-2.4.9-e.34.i386.rpm
c4e713cdbc4c6073a64d75b4dad203bd 2.1ES/en/os/i686/kernel-2.4.9-e.34.i686.rpm
1234399c9c43711dac5a08d6577634ea 2.1ES/en/os/i686/kernel-debug-2.4.9-e.34.i686.rpm
1f51cb729dd1e51dbb42e9ba1f6a4436 2.1ES/en/os/i686/kernel-smp-2.4.9-e.34.i686.rpm
9a2fec8ea266a96e7e9027663567bcc8 2.1WS/en/os/SRPMS/kernel-2.4.9-e.34.src.rpm
a7f341ff87ef2ec7ac5fc98b6faf4733 2.1WS/en/os/athlon/kernel-2.4.9-e.34.athlon.rpm
314929f994c284817dba78a98f7e4ab6 2.1WS/en/os/athlon/kernel-smp-2.4.9-e.34.athlon.rpm
751dcca290aef19f97441735581f752e 2.1WS/en/os/i386/kernel-BOOT-2.4.9-e.34.i386.rpm
833b9a87e12666a7a3bab95ef0d839e5 2.1WS/en/os/i386/kernel-doc-2.4.9-e.34.i386.rpm
87333913c671d0e3e7a749de0e335e76 2.1WS/en/os/i386/kernel-headers-2.4.9-e.34.i386.rpm
a9b3d5e9d162b3a194eaf3008b0eb072 2.1WS/en/os/i386/kernel-source-2.4.9-e.34.i386.rpm
c4e713cdbc4c6073a64d75b4dad203bd 2.1WS/en/os/i686/kernel-2.4.9-e.34.i686.rpm
1234399c9c43711dac5a08d6577634ea 2.1WS/en/os/i686/kernel-debug-2.4.9-e.34.i686.rpm
4aa1653dc861991cd07554bd28e5f7e2 2.1WS/en/os/i686/kernel-enterprise-2.4.9-e.34.i686.rpm
1f51cb729dd1e51dbb42e9ba1f6a4436 2.1WS/en/os/i686/kernel-smp-2.4.9-e.34.i686.rpm


These packages are GPG signed by Red Hat for security.  Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0476

9. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/42GUXlSAg2UNWIIRAqcuAJ9tut+n78V5iUu0PB7uR4ahiZTx5QCcDT77
r+jzxHBprpXKXRAZXOLo+7c=
=OfWM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP+ZTDih9+71yA2DNAQHiAwP+L0U9yjMVomXALaoFrW3YI63EtjZv8a6k
WaDWlFF8M7W6gLff790aTOrebUSKE3iK8BE3fLiwOY+7vopfoeKh3mj7Blnpkmdl
vcfIkY7dddT1jbgDz5jbVbUqDmMPQ3d1/juXJX2Ac+GbKPKUqu8zoVi+FqqYmXlQ
yQh7WU86Lk0=
=eDcq
-----END PGP SIGNATURE-----