http://bugzilla.kernel.org/show_bug.cgi?id=8134

FEDORA-2007-335

FEDORA-2007-336

SUSE-SA:2007:029

24493

24518

24777

24901

25080

25099

25691

26133

26139

VU#920689

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2

MDKSA-2007:078

33025

RHSA-2007:0169

20070615 rPSA-2007-0124-1 kernel xen

22904

USN-486-1

USN-489-1

ADV-2007-0907

http://www.wslabi.com/wabisabilabi/initPublishedBid.do?

https://issues.rpath.com/browse/RPL-1153

oval:org.mitre.oval:def:10015

A flaw was discovered in dvb ULE decapsulation. A remote attacker could send a specially crafted message and cause a denial of service.
(CVE-2006-4623)

The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode.
(CVE-2006-7203)

The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005)

Due to an variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data.
(CVE-2007-1000)

Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information.
(CVE-2007-1353)

A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861)

The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers.
(CVE-2007-2453)

A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525)

An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875)

Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876)

Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878)

A flaw was discovered in the cluster manager. A remote attacker could connect to the DLM port and block further DLM operations.
(CVE-2007-3380)

A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode.
(CVE-2006-7203)

The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005)

Due to a variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data.
(CVE-2007-1000)

Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information.
(CVE-2007-1353)

A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861)

A flaw was discovered in the IPv6 stack's handling of type 0 route headers. By sending a specially crafted IPv6 packet, a remote attacker could cause a denial of service between two IPv6 hosts.
(CVE-2007-2242)

The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers.
(CVE-2007-2453)

A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525)

An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875)

Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876)

Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This kernel update fixes the following security problems :

  - CVE-2007-1000 A NULL pointer dereference in the IPv6     sockopt handling can be used by local attackers to read     arbitrary kernel memory and so gain access to private     information.

  - CVE-2007-1388 A NULL pointer dereference could be used     by local attackers to cause a Oops / crash of the     machine.

  - CVE-2007-1592 A possible double free in the     ipv6/flowlabel handling was fixed.

  - CVE-2007-1357 A remote denial of service attack in the     AppleTalk protocol handler was fixed. This attack is     only possible on the local subnet, and requires the     AppleTalk protocol module to be loaded (which is not     done by default).

and the following non security bugs :

  - patches.fixes/visor_write_race.patch: fix race allowing     overstepping memory limit in visor_write (Mainline:
    2.6.21)

  - patches.drivers/libata-ide-via-add-PCI-IDs:
    via82cxxx/pata_via: backport PCI IDs (254158).

  - libata: implement HDIO_GET_IDENTITY (255413).

  - sata_sil24: Add Adaptec 1220SA PCI ID. (Mainline:
    2.6.21)

  - ide: backport hpt366 from devel tree (244502).

  - mm: fix madvise infinine loop (248167).

  - libata: hardreset on SERR_INTERNAL (241334).

  - limited WPA support for prism54 (207944)

  - jmicron: match class instead of function number (224784,     207707)

  - ahci: RAID mode SATA patch for Intel ICH9M (Mainline:
    2.6.21)

  - libata: blacklist FUJITSU MHT2060BH for NCQ (Mainline:
    2.6.21)

  - libata: add missing PM callbacks. (Mainline: 2.6.20)

  - patches.fixes/nfs-readdir-timestamp: Set meaningful     value for fattr->time_start in readdirplus results.
    (244967).

  - patches.fixes/usb_volito.patch: wacom volito tablet not     working (#248832).

  - patches.fixes/965-fix: fix detection of aperture size     versus GTT size on G965 (#258013).

  - patches.fixes/sbp2-MODE_SENSE-fix.diff: use proper MODE     SENSE, fixes recognition of device properties (261086)

  - patches.fixes/ipt_CLUSTERIP_refcnt_fix:
    ipv4/netfilter/ipt_CLUSTERIP.c - refcnt fix (238646)

  - patches.fixes/reiserfs-fix-vs-13060.diff: reiserfs: fix     corruption with vs-13060 (257735).

  - patches.drivers/ati-rs400_200-480-disable-msi:
    pci-quirks: disable MSI on RS400-200 and RS480 (263893).

  - patches.drivers/libata-ahci-ignore-interr-on-SB600:
    ahci.c: walkaround for SB600 SATA internal error issue     (#264792).

Furthermore, CONFIG_USB_DEVICEFS has been re-enabled to allow use of USB in legacy applications like VMware. (#210899).

Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues :

* a flaw in the IPv6 socket option handling that allowed a local user to read arbitrary kernel memory (CVE-2007-1000, Important).

* a flaw in the IPv6 socket option handling that allowed a local user to cause a denial of service (CVE-2007-1388, Important).

* a flaw in the utrace support that allowed a local user to cause a denial of service (CVE-2007-0771, Important).

In addition to the security issues described above, a fix for a memory leak in the audit subsystem and a fix for a data corruption bug on s390 systems have been included.

Red Hat Enterprise Linux 5 users are advised to upgrade to these erratum packages, which are not vulnerable to these issues.

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

When SELinux hooks are enabled, the kernel could allow a local user to cause a DoS (crash) via a malformed file stream that triggers a NULL pointer derefernece (CVE-2006-6056).

Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges. (CVE-2007-0005)

The Linux kernel version 2.6.13 to 2.6.20.1 allowed a remote attacker to cause a DoS (oops) via a crafted NFSACL2 ACCESS request that triggered a free of an incorrect pointer (CVE-2007-0772).

A local user could read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump; a variant of CVE-2004-1073 (CVE-2007-0958).

The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference. (CVE-2007-1000)

Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet. (CVE-2007-1217)

The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel 2.6.17, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.
(CVE-2007-1388)

net/ipv6/tcp_ipv6.c in Linux kernel 2.4 and 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double-free by opening a listeing IPv6 socket, attaching a flow label, and connecting to that socket. (CVE-2007-1592)

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes.

In addition to these security fixes, other fixes have been included such as :

  - Suspend to disk speed improvements

    - Add nmi watchdog support for core2

    - Add atl1 driver

    - Update KVM

    - Add acer_acpi

    - Update asus_acpi

    - Fix suspend on r8169, i8259A

    - Fix suspend when using ondemand governor

    - Add ide acpi support

    - Add suspend/resume support for sata_nv chipsets.

    - USB: Let USB-Serial option driver handle anydata       devices (#29066)

    - USB: Add PlayStation 2 Trance Vibrator driver

    - Fix bogus delay loop in video/aty/mach64_ct.c

    - Add MCP61 support (#29398)

    - USB: fix floppy drive SAMSUNG SFD-321U/EP detected 8       times bug

    - Improve keyboard handling on Apple MacBooks

    - Add -latest patch

    - Workaround a possible binutils bug in smp alternatives

    - Add forcedeth support

    - Fix potential deadlock in driver core (USB hangs at       boot time #24683)

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Rebased to kernel 2.6.20.3-rc1 :

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2 Changelog for 2.6.20.3 is not available yet.

This release does not include Xen kernels.

CVE-2007-0005: A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

The vulnerability is caused due to boundary errors within the 'read()' and 'write()' functions of the Omnikey CardMan 4040 driver. This can be exploited to cause a buffer overflow and may allow the execution of arbitrary code with kernel privileges. 

CVE-2007-1000: A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information.

The vulnerability is due to a NULL pointer dereference within the 'ipv6_getsockopt_sticky()' function in net/ipv6/ipv6_sockglue.c. This can be exploited to crash the kernel or disclose kernel memory.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Rebased to kernel 2.6.20.3-rc1 :

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2 Changelog for 2.6.20.3 is not available yet.

This release does not include Xen kernels.

CVE-2007-0005: A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

The vulnerability is caused due to boundary errors within the 'read()' and 'write()' functions of the Omnikey CardMan 4040 driver. This can be exploited to cause a buffer overflow and may allow the execution of arbitrary code with kernel privileges.

CVE-2007-1000: A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information.

The vulnerability is due to a NULL pointer dereference within the 'ipv6_getsockopt_sticky()' function in net/ipv6/ipv6_sockglue.c. This can be exploited to crash the kernel or disclose kernel memory.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2007-0169.

ID	Name	Product	Family	Severity
28090	Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerability (USN-489-1)	Nessus	Ubuntu Local Security Checks	high
28087	Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-486-1)	Nessus	Ubuntu Local Security Checks	high
27294	openSUSE 10 Security Update : kernel (kernel-3128)	Nessus	SuSE Local Security Checks	high
25328	RHEL 5 : kernel (RHSA-2007:0169)	Nessus	Red Hat Local Security Checks	high
25126	CentOS 5 : Kernel (CESA-2007:0169)	Nessus	CentOS Local Security Checks	high
24944	Mandrake Linux Security Advisory : kernel (MDKSA-2007:078)	Nessus	Mandriva Local Security Checks	high
24824	Fedora Core 5 : kernel-2.6.20-1.2300.fc5 (2007-336)	Nessus	Fedora Local Security Checks	high
24823	Fedora Core 6 : kernel-2.6.20-1.2925.fc6 (2007-335)	Nessus	Fedora Local Security Checks	high
801426	CentOS RHSA-2007-0169 Security Check	Log Correlation Engine	Generic	high

CVE-2007-1000

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins