RHEL 4 : kernel (RHSA-2010:0936)

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated kernel packages that fix two security issues and multiple bugs
are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

[Update 6 December 2010] The package list in this erratum has been
updated to include the kernel-doc packages for the IA32 architecture.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes :

* A flaw in sctp_packet_config() in the Linux kernel's Stream Control
Transmission Protocol (SCTP) implementation could allow a remote
attacker to cause a denial of service. (CVE-2010-3432, Important)

* A missing integer overflow check in snd_ctl_new() in the Linux
kernel's sound subsystem could allow a local, unprivileged user on a
32-bit system to cause a denial of service or escalate their
privileges. (CVE-2010-3442, Important)

Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-3442.

Bug fixes :

* Forward time drift was observed on virtual machines using PM
timer-based kernel tick accounting and running on KVM or the Microsoft
Hyper-V Server hypervisor. Virtual machines that were booted with the
divider=x kernel parameter set to a value greater than 1 and that
showed the following in the kernel boot messages were subject to this
issue :

time.c: Using PM based timekeeping

Fine grained accounting for the PM timer is introduced which
eliminates this issue. However, this fix uncovered a bug in the Xen
hypervisor, possibly causing backward time drift. If this erratum is
installed in Xen HVM guests that meet the aforementioned conditions,
it is recommended that the host use kernel-xen-2.6.18-194.26.1.el5 or
newer, which includes a fix (BZ#641915) for the backward time drift.
(BZ#629237)

* With multipath enabled, systems would occasionally halt when the
do_cciss_request function was used. This was caused by
wrongly-generated requests. Additional checks have been added to avoid
the aforementioned issue. (BZ#640193)

* A Sun X4200 system equipped with a QLogic HBA spontaneously rebooted
and logged a Hyper-Transport Sync Flood Error to the system event log.
A Maximum Memory Read Byte Count restriction was added to fix this
bug. (BZ#640919)

* For an active/backup bonding network interface with VLANs on top of
it, when a link failed over, it took a minute for the multicast domain
to be rejoined. This was caused by the driver not sending any IGMP
join packets. The driver now sends IGMP join packets and the multicast
domain is rejoined immediately. (BZ#641002)

* Replacing a disk and trying to rebuild it afterwards caused the
system to panic. When a domain validation request for a hot plugged
drive was sent, the mptscsi driver did not validate its existence.
This could result in the driver accessing random memory and causing
the crash. A check has been added that describes the newly-added
device and reloads the iocPg3 data from the firmware if needed.
(BZ#641137)

* An attempt to create a VLAN interface on a bond of two bnx2 adapters
in two switch configurations resulted in a soft lockup after a few
seconds. This was caused by an incorrect use of a bonding pointer.
With this update, soft lockups no longer occur and creating a VLAN
interface works as expected. (BZ#641254)

* Erroneous pointer checks could have caused a kernel panic. This was
due to a critical value not being copied when a network buffer was
duplicated and consumed by multiple portions of the kernel's network
stack. Fixing the copy operation resolved this bug. (BZ#642746)

* A typo in a variable name caused it to be dereferenced in either
mkdir() or create() which could cause a kernel panic. (BZ#643342)

* SCSI high level drivers can submit SCSI commands which would never
be completed when the device was offline. This was caused by a missing
callback for the request to complete the given command. SCSI requests
are now terminated by calling their callback when a device is offline.
(BZ#644816)

* A kernel panic could have occurred on systems due to a recursive
lock in the 3c59x driver. Recursion is now avoided and this kernel
panic no longer occurs. (BZ#648407)

Users should upgrade to these updated packages, which contain
backported patches to correct these issues. The system must be
rebooted for this update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2010-3432.html
https://www.redhat.com/security/data/cve/CVE-2010-3442.html
http://rhn.redhat.com/errata/RHSA-2010-0936.html

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.8
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 50871 ()

Bugtraq ID: 43480
43787

CVE ID: CVE-2010-3432
CVE-2010-3442