21945

21967

22082

22093

22292

22382

22945

1016992

http://support.avaya.com/elmodocs2/security/ASA-2006-249.htm

DSA-1183

DSA-1184

http://www.mail-archive.com/kernel-svn-changes@lists.alioth.debian.org/msg02314.html

MDKSA-2006:182

MDKSA-2007:025

RHSA-2006:0689

20087

USN-347-1

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204460

kernel-sctp-dos(29011)

oval:org.mitre.oval:def:10530

Updated kernel packages that fix security issues are now available. 

This update has been rated as having important security impact by the Red Hat Security Response Team. 

The Linux kernel handles the basic functions of the operating system. 

These new kernel packages contain fixes for the security issues described below :


From Red Hat Security Advisory 2006-0617 :

* a flaw in the proc file system that allowed a local user to use a suid-wrapper for scripts to gain root privileges (CVE-2006-3626, Important)

* a flaw in the SCTP implementation that allowed a local user to cause a denial of service (panic) or to possibly gain root privileges (CVE-2006-3745, Important)

* a flaw in NFS exported ext2/ext3 partitions when handling invalid inodes that allowed a remote authenticated user to cause a denial of service (filesystem panic) (CVE-2006-3468, Important)

* a flaw in the restore_all code path of the 4/4GB split support of non-hugemem kernels that allowed a local user to cause a denial of service (panic) (CVE-2006-2932, Important)

* a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT processing that allowed a remote user to cause a denial of service (crash) or potential memory corruption (CVE-2006-2444, Moderate)

* a flaw in the DVD handling of the CDROM driver that could be used together with a custom built USB device to gain root privileges (CVE-2006-2935, Moderate)

* a flaw in the handling of O_DIRECT writes that allowed a local user to cause a denial of service (memory consumption) (CVE-2004-2660, Low)

* a flaw in the SCTP chunk length handling that allowed a remote user to cause a denial of service (crash) (CVE-2006-1858, Low)

* a flaw in the input handling of the ftdi_sio driver that allowed a local user to cause a denial of service (memory consumption) (CVE-2006-2936, Low)

In addition a bugfix was added to enable a clean reboot for the IBM Pizzaro machines.

Red Hat would like to thank Wei Wang of McAfee Avert Labs and Kirill Korotaev for reporting issues fixed in this erratum.


From Red Hat Security Advisory ELSA-2006-0689 :

* a flaw in the SCTP support that allowed a local user to cause a denial of service (crash) with a specific SO_LINGER value.
(CVE-2006-4535, Important)

* a flaw in the hugepage table support that allowed a local user to cause a denial of service (crash). (CVE-2005-4811, Important)

* a flaw in the mprotect system call that allowed setting write permission for a read-only attachment of shared memory.
(CVE-2006-2071, Moderate)

* a flaw in HID0[31] (en_attn) register handling on PowerPC 970 systems that allowed a local user to cause a denial of service.
(crash) (CVE-2006-4093, Moderate)

* a flaw in the perfmon support of Itanium systems that allowed a local user to cause a denial of service by consuming all file descriptors. (CVE-2006-3741, Moderate)

* a flaw in the ATM subsystem. On systems with installed ATM hardware and configured ATM support, a remote user could cause a denial of service (panic) by accessing socket buffers memory after freeing them.
(CVE-2006-4997, Moderate)

* a flaw in the DVB subsystem. On systems with installed DVB hardware and configured DVB support, a remote user could cause a denial of service (panic) by sending a ULE SNDU packet with length of 0.
(CVE-2006-4623, Low)

* an information leak in the network subsystem that possibly allowed a local user to read sensitive data from kernel memory. (CVE-2006-0039, Low)

In addition, two bugfixes for the IPW-2200 wireless driver were included. The first one ensures that wireless management applications correctly identify IPW-2200 controlled devices, while the second fix ensures that DHCP requests using the IPW-2200 operate correctly.

Red Hat would like to thank Olof Johansson, Stephane Eranian and Solar Designer for reporting issues fixed in this erratum.

Sridhar Samudrala discovered a local Denial of Service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

Stephane Eranian discovered an issue with permon2.0 where, under certain circumstances, the perfmonctl() system call may not correctly manage the file descriptor reference count, resulting in the system possibly running out of file structure (CVE-2006-3741).

Prior to and including 2.6.17, the Universal Disk Format (UDF) filesystem driver allowed local users to cause a DoS (hang and crash) via certain operations involving truncated files (CVE-2006-4145).

Various versions of the Linux kernel allowed local users to cause a DoS (crash) via an SCTP socket with a certain SO_LINGER value, which is possibly related to the patch used to correct CVE-2006-3745 (CVE-2006-4535).

The Unidirectional Lightweight Encapsulation (ULE) decapsulation component in the dvb driver allows remote attackers to cause a DoS (crash) via an SNDU length of 0 in a ULE packet (CVE-2006-4623).

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes.

In addition to these security fixes, other fixes have been included such as :

  - added support for new devices: o NetXtreme BCM5715     gigabit ethernet o NetXtreme II BCM5708 gigabit ethernet
    - enabled the CISS driver for Xen kernels - updated ich8     support in ata_piix - enabled support for 1078 type     controller in megaraid_sas - multiple fixes for RSBAC     support

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

This advisory covers the S/390 components of the recent security update for the Linux 2.6.8 kernel that were missing due to technical problems. For reference, please see the text of the original advisory.

  Several security related problems have been discovered in the Linux   kernel which may lead to a denial of service or even the execution   of arbitrary code. The Common Vulnerabilities and Exposures project   identifies the following problems :

    - CVE-2004-2660       Toshihiro Iwamoto discovered a memory leak in the       handling of direct I/O writes that allows local users       to cause a denial of service.

    - CVE-2005-4798       A buffer overflow in NFS readlink handling allows a       malicious remote server to cause a denial of service.

    - CVE-2006-1052       Stephen Smalley discovered a bug in the SELinux ptrace       handling that allows local users with ptrace       permissions to change the tracer SID to the SID of       another process.

    - CVE-2006-1343       Pavel Kankovsky discovered an information leak in the       getsockopt system call which can be exploited by a       local program to leak potentially sensitive memory to       userspace.

    - CVE-2006-1528       Douglas Gilbert reported a bug in the sg driver that       allows local users to cause a denial of service by       performing direct I/O transfers from the sg driver to       memory mapped I/O space.

    - CVE-2006-1855       Mattia Belletti noticed that certain debugging code       left in the process management code could be exploited       by a local attacker to cause a denial of service.

    - CVE-2006-1856       Kostik Belousov discovered a missing LSM       file_permission check in the readv and writev       functions which might allow attackers to bypass       intended access restrictions.

    - CVE-2006-2444       Patrick McHardy discovered a bug in the SNMP NAT       helper that allows remote attackers to cause a denial       of service.

    - CVE-2006-2446       A race condition in the socket buffer handling allows       remote attackers to cause a denial of service.

    - CVE-2006-2935       Diego Calleja Garcia discovered a buffer overflow in       the DVD handling code that could be exploited by a       specially crafted DVD USB storage device to execute       arbitrary code.

    - CVE-2006-2936       A bug in the serial USB driver has been discovered       that could be exploited by a custom made USB serial       adapter to consume arbitrary amounts of memory.

    - CVE-2006-3468       James McKenzie discovered a denial of service       vulnerability in the NFS driver. When exporting an       ext3 file system over NFS, a remote attacker could       exploit this to trigger a file system panic by sending       a specially crafted UDP packet.

    - CVE-2006-3745       Wei Wang discovered a bug in the SCTP implementation       that allows local users to cause a denial of service       and possibly gain root privileges.

    - CVE-2006-4093       Olof Johansson discovered that the kernel does not       disable the HID0 bit on PowerPC 970 processors which       could be exploited by a local attacker to cause a       denial of service.

    - CVE-2006-4145       A bug in the Universal Disk Format (UDF) filesystem       driver could be exploited by a local user to cause a       denial of service.

    - CVE-2006-4535       David Miller reported a problem with the fix for       CVE-2006-3745 that allows local users to crash the       system via an SCTP socket with a certain SO_LINGER       value.

The following matrix explains which kernel version for which architecture fixes the problem mentioned above :

                              stable (sarge)                 Source                       2.6.8-16sarge5                 Alpha architecture           2.6.8-16sarge5                 AMD64 architecture           2.6.8-16sarge5                 HP Precision architecture    2.6.8-6sarge5                  Intel IA-32 architecture     2.6.8-16sarge5                 Intel IA-64 architecture     2.6.8-14sarge5                 Motorola 680x0 architecture  2.6.8-4sarge5                  PowerPC architecture         2.6.8-12sarge5                 IBM S/390                    2.6.8-5sarge5                  Sun Sparc architecture       2.6.8-15sarge5                 FAI                          1.9.1sarge4

Several security related problems have been discovered in the Linux kernel which may lead to a denial of service or even the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2005-4798     A buffer overflow in NFS readlink handling allows a     malicious remote server to cause a denial of service.

  - CVE-2006-2935     Diego Calleja Garcia discovered a buffer overflow in the     DVD handling code that could be exploited by a specially     crafted DVD USB storage device to execute arbitrary     code.

  - CVE-2006-1528     A bug in the SCSI driver allows a local user to cause a     denial of service.

  - CVE-2006-2444     Patrick McHardy discovered a bug in the SNMP NAT helper     that allows remote attackers to cause a denial of     service.

  - CVE-2006-2446     A race condition in the socket buffer handling allows     remote attackers to cause a denial of service.

  - CVE-2006-3745     Wei Wang discovered a bug in the SCTP implementation     that allows local users to cause a denial of service and     possibly gain root privileges.

  - CVE-2006-4535     David Miller reported a problem with the fix for     CVE-2006-3745 that allows local users to crash the     system via an SCTP socket with a certain SO_LINGER     value.

The following matrix explains which kernel version for which architecture fixes the problem mentioned above :

                              stable (sarge)                 Source                       2.4.27-10sarge4                Alpha architecture           2.4.27-10sarge4                ARM architecture             2.4.27-2sarge4                 Intel IA-32 architecture     2.4.27-10sarge4                Intel IA-64 architecture     2.4.27-10sarge4                Motorola 680x0 architecture  2.4.27-3sarge4                 MIPS architectures           2.4.27-10.sarge4.040815-1      PowerPC architecture         2.4.27-10sarge4                IBM S/390                    2.4.27-2sarge4                 Sun Sparc architecture       2.4.27-9sarge4                 FAI                          1.9.1sarge4                    mindi-kernel                 2.4.27-2sarge3                 kernel-image-speakup-i386    2.4.27-1.1sarge3               systemimager                 3.2.3-6sarge3

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below :

* a flaw in the SCTP support that allowed a local user to cause a denial of service (crash) with a specific SO_LINGER value.
(CVE-2006-4535, Important)

* a flaw in the hugepage table support that allowed a local user to cause a denial of service (crash). (CVE-2005-4811, Important)

* a flaw in the mprotect system call that allowed setting write permission for a read-only attachment of shared memory.
(CVE-2006-2071, Moderate)

* a flaw in HID0[31] (en_attn) register handling on PowerPC 970 systems that allowed a local user to cause a denial of service.
(crash) (CVE-2006-4093, Moderate)

* a flaw in the perfmon support of Itanium systems that allowed a local user to cause a denial of service by consuming all file descriptors. (CVE-2006-3741, Moderate)

* a flaw in the ATM subsystem. On systems with installed ATM hardware and configured ATM support, a remote user could cause a denial of service (panic) by accessing socket buffers memory after freeing them.
(CVE-2006-4997, Moderate)

* a flaw in the DVB subsystem. On systems with installed DVB hardware and configured DVB support, a remote user could cause a denial of service (panic) by sending a ULE SNDU packet with length of 0.
(CVE-2006-4623, Low)

* an information leak in the network subsystem that possibly allowed a local user to read sensitive data from kernel memory. (CVE-2006-0039, Low)

In addition, two bugfixes for the IPW-2200 wireless driver were included. The first one ensures that wireless management applications correctly identify IPW-2200 controlled devices, while the second fix ensures that DHCP requests using the IPW-2200 operate correctly.

Red Hat would like to thank Olof Johansson, Stephane Eranian and Solar Designer for reporting issues fixed in this erratum.

All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2006-0689.

ID	Name	Product	Family	Severity
67401	Oracle Linux 4 : kernel (ELSA-2006-0617 / ELSA-2006-0689)	Nessus	Oracle Linux Local Security Checks	high
27927	Ubuntu 5.04 / 5.10 / 6.06 LTS : linux-source-2.6.10/-2.6.12/-2.6.15 vulnerabilities (USN-347-1)	Nessus	Ubuntu Local Security Checks	medium
24567	Mandrake Linux Security Advisory : kernel (MDKSA-2006:182)	Nessus	Mandriva Local Security Checks	high
22726	Debian DSA-1184-2 : kernel-source-2.6.8 - several vulnerabilities	Nessus	Debian Local Security Checks	high
22725	Debian DSA-1183-1 : kernel-source-2.4.27 - several vulnerabilities	Nessus	Debian Local Security Checks	high
22523	RHEL 4 : kernel (RHSA-2006:0689)	Nessus	Red Hat Local Security Checks	high
22513	CentOS 4 : kernel (CESA-2006:0689)	Nessus	CentOS Local Security Checks	high
801422	CentOS RHSA-2006-0689 Security Check	Log Correlation Engine	Generic	high

CVE-2006-4535

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

medium

high

high

high

high

high

high