nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :

  - Apache Geronimo
  - Apache Tomcat
  - Apache Xerces2
  - cURL/libcURL
  - ISC BIND
  - Libxml2
  - Linux kernel
  - Linux kernel 64-bit
  - Linux kernel Common Internet File System
  - Linux kernel eCryptfs
  - NTP
  - Python
  - Java Runtime Environment (JRE)
  - Java SE Development Kit (JDK)
  - Java SE Abstract Window Toolkit (AWT)
  - Java SE Plugin
  - Java SE Provider
  - Java SE Swing
  - Java SE Web Start

The remote OracleVM system is missing necessary patches to address critical security updates :

CVE-2009-1192 The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel before 2.6.30-rc3 do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.

CVE-2009-1072 nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

CVE-2009-1758 The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in 'certain address ranges.'

CVE-2009-1439 Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.

CVE-2009-1633 Multiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c  or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.

CVE-2009-1630 The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.

  - [agp] zero pages before sending to userspace (Jiri Olsa)     [497025 497026] (CVE-2009-1192)

  - [misc] add some long-missing capabilities to CAP_FS_MASK     (Eric Paris) [499075 497271 499076 497272]     (CVE-2009-1072)

  - [x86] xen: fix local denial of service (Chris     Lalancette) [500950 500951] (CVE-2009-1758)

  - [fs] cifs: unicode alignment and buffer sizing problems     (Jeff Layton) [494279 494280] (CVE-2009-1439)

  - [fs] cifs: buffer overruns when converting strings (Jeff     Layton) [496576 496577] (CVE-2009-1633)

  - [fs] cifs: fix error handling in parse_DFS_referrals     (Jeff Layton) [496576 496577] (CVE-2009-1633)

  - [fs] cifs: fix pointer and checks in cifs_follow_symlink     (Jeff Layton) [496576 496577] (CVE-2009-1633)

  - [nfs] v4: client handling of MAY_EXEC in nfs_permission     (Peter Staubach) [500301 500302] (CVE-2009-1630)

  - backport cifs support from OEL5U3

From Red Hat Security Advisory 2009:1132 :

Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following security issues :

* a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service.
(CVE-2009-1385, Important)

* the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)

* Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)

* a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel.
(CVE-2009-1758, Moderate)

* a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak.
(CVE-2009-1192, Low)

These updated packages also fix the following bugs :

* '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps, making it possible to bypass the Address Space Layout Randomization (ASLR) security feature. This update addresses this issue. (BZ#499549)

* in some situations, the link count was not decreased when renaming unused files on NFS mounted file systems. This may have resulted in poor performance. With this update, the link count is decreased in these situations, the same as is done for other file operations, such as unlink and rmdir. (BZ#501802)

* tcp_ack() cleared the probes_out variable even if there were outstanding packets. When low TCP keepalive intervals were used, this bug may have caused problems, such as connections terminating, when using remote tools such as rsh and rlogin. (BZ#501754)

* off-by-one errors in the time normalization code could have caused clock_gettime() to return one billion nanoseconds, rather than adding an extra second. This bug could have caused the name service cache daemon (nscd) to consume excessive CPU resources. (BZ#501800)

* a system panic could occur when one thread read '/proc/bus/input/devices' while another was removing a device. With this update, a mutex has been added to protect the input_dev_list and input_handler_list variables, which resolves this issue. (BZ#501804)

* using netdump may have caused a kernel deadlock on some systems.
(BZ#504565)

* the file system mask, which lists capabilities for users with a file system user ID (fsuid) of 0, was missing the CAP_MKNOD and CAP_LINUX_IMMUTABLE capabilities. This could, potentially, allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. This update adds these capabilities. (BZ#497269)

All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.
Note: The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2009:1106 :

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share.
(CVE-2009-1439, CVE-2009-1633, Important)

* the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)

* Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)

* a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel.
(CVE-2009-1758, Moderate)

* a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak.
(CVE-2009-1192, Low)

Bug fixes :

* a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. 'Busy inodes' messages may have been logged. (BZ#498653)

* nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium(r)-based systems. (BZ#500349)

* LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120)

* ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once.
(BZ#486945)

* epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322)

* missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271)

* on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926)

* in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data.
(BZ#486921)

* when using GFS2, gfs2_quotad may have entered an uninterpretable sleep state. (BZ#501742)

* with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783)

* the '-fwrapv' flag was added to the gcc build options to prevent gcc from optimizing away wrapping. (BZ#501751)

* a kernel panic when enabling and disabling iSCSI paths. (BZ#502916)

* using the Broadcom NetXtreme BCM5704 network device with the tg3 driver caused high system load and very bad performance. (BZ#502837)

* '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps. (BZ#499546)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

These updated packages fix the following security issues :

  - the exit_notify() function in the Linux kernel did not     properly reset the exit signal if a process executed a     set user ID (setuid) application before exiting. This     could allow a local, unprivileged user to elevate their     privileges. (CVE-2009-1337, Important)

  - the Linux kernel implementation of the Network File     System (NFS) did not properly initialize the file name     limit in the nfs_server data structure. This flaw could     possibly lead to a denial of service on a client     mounting an NFS share. (CVE-2009-1336, Moderate)

  - a flaw was found in the Intel PRO/1000 network driver in     the Linux kernel. Frames with sizes near the MTU of an     interface may be split across multiple hardware receive     descriptors. Receipt of such a frame could leak through     a validation check, leading to a corruption of the     length check. A remote attacker could use this flaw to     send a specially crafted packet that would cause a     denial of service. (CVE-2009-1385, Important)

  - the Linux kernel Network File System daemon (nfsd)     implementation did not drop the CAP_MKNOD capability     when handling requests from local, unprivileged users.
    This flaw could possibly lead to an information leak or     privilege escalation. (CVE-2009-1072, Moderate)

  - Frank Filz reported the NFSv4 client was missing a file     permission check for the execute bit in some situations.
    This could allow local, unprivileged users to run     non-executable files on NFSv4 mounted file systems.
    (CVE-2009-1630, Moderate)

  - a missing check was found in the hypervisor_callback()     function in the Linux kernel provided by the kernel-xen     package. This could cause a denial of service of a     32-bit guest if an application running in that guest     accesses a certain memory location in the kernel.
    (CVE-2009-1758, Moderate)

  - a flaw was found in the AGPGART driver. The     agp_generic_alloc_page() and agp_generic_alloc_pages()     functions did not zero out the memory pages they     allocate, which may later be available to user-space     processes. This flaw could possibly lead to an     information leak. (CVE-2009-1192, Low)

These updated packages also fix the following bugs :

  - '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be     read by processes able to use the ptrace() call on a     given process; however, certain information from     '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used     to reconstruct memory maps, making it possible to bypass     the Address Space Layout Randomization (ASLR) security     feature. This update addresses this issue. (BZ#499549)

  - in some situations, the link count was not decreased     when renaming unused files on NFS mounted file systems.
    This may have resulted in poor performance. With this     update, the link count is decreased in these situations,     the same as is done for other file operations, such as     unlink and rmdir. (BZ#501802)

  - tcp_ack() cleared the probes_out variable even if there     were outstanding packets. When low TCP keepalive     intervals were used, this bug may have caused problems,     such as connections terminating, when using remote tools     such as rsh and rlogin. (BZ#501754)

  - off-by-one errors in the time normalization code could     have caused clock_gettime() to return one billion     nanoseconds, rather than adding an extra second. This     bug could have caused the name service cache daemon     (nscd) to consume excessive CPU resources. (BZ#501800)

  - a system panic could occur when one thread read     '/proc/bus/input/devices' while another was removing a     device. With this update, a mutex has been added to     protect the input_dev_list and input_handler_list     variables, which resolves this issue. (BZ#501804)

  - using netdump may have caused a kernel deadlock on some     systems. (BZ#504565)

  - the file system mask, which lists capabilities for users     with a file system user ID (fsuid) of 0, was missing the     CAP_MKNOD and CAP_LINUX_IMMUTABLE capabilities. This     could, potentially, allow users with an fsuid other than     0 to perform actions on some file system types that     would otherwise be prevented. This update adds these     capabilities. (BZ#497269)

Kernel Feature Support :

  - added a new allowable value to     '/proc/sys/kernel/wake_balance' to allow the scheduler     to run the thread on any available CPU rather than     scheduling it on the optimal CPU.

  - added 'max_writeback_pages' tunable parameter to     /proc/sys/vm/ to allow the maximum number of modified     pages kupdate writes to disk, per iteration per run.

  - added 'swap_token_timeout' tunable parameter to     /proc/sys/vm/ to provide a valid hold time for the swap     out protection token.

  - added diskdump support to sata_svw driver.

  - limited physical memory to 64GB for 32-bit kernels     running on systems with more than 64GB of physical     memory to prevent boot failures.

  - improved reliability of autofs.

  - added support for 'rdattr_error' in NFSv4 readdir     requests.

  - fixed various short packet handling issues for NFSv4     readdir and sunrpc.

  - fixed several CIFS bugs.

Networking and IPv6 Enablement :

  - added router solicitation support.

  - enforced sg requires tx csum in ethtool.

Platform Support :

x86, AMD64, Intel 64

  - added support for a new Intel chipset.

  - added initialization vendor info in boot_cpu_data.

  - added support for N_Port ID Virtualization (NPIV) for     IBM System z guests using zFCP.

  - added HDMI support for some AMD and ATI chipsets.

  - updated HDA driver in ALSA to latest upstream as of     2008-07-22.

  - added support for affected_cpus for cpufreq.

  - removed polling timer from i8042.

  - fixed PM-Timer when using the ASUS A8V Deluxe     motherboard.

  - backported usbfs_mutex in usbfs.

Network Driver Updates :

  - updated forcedeth driver to latest upstream version     0.61.

  - fixed various e1000 issues when using Intel ESB2     hardware.

  - updated e1000e driver to upstream version 0.3.3.3-k6.

  - updated igb to upstream version 1.2.45-k2.

  - updated tg3 to upstream version 3.96.

  - updated ixgbe to upstream version 1.3.18-k4.

  - updated bnx2 to upstream version 1.7.9.

  - updated bnx2x to upstream version 1.45.23.

  - fixed bugs and added enhancements for the NetXen NX2031     and NX3031 products.

  - updated Realtek r8169 driver to support newer network     chipsets. All variants of RTL810x/RTL8168(9) are now     supported.

Storage Driver Updates :

  - fixed various SCSI issues. Also, the SCSI sd driver now     calls the revalidate_disk wrapper.

  - fixed a dmraid reduced I/O delay bug in certain     configurations.

  - removed quirk aac_quirk_scsi_32 for some aacraid     controllers.

  - updated FCP driver on IBM System z systems with support     for point-to-point connections.

  - updated lpfc to version 8.0.16.46.

  - updated megaraid_sas to version 4.01-RH1.

  - updated MPT Fusion driver to version 3.12.29.00rh.

  - updated qla2xxx firmware to 4.06.01 for 4GB/s and 8GB/s     adapters.

  - updated qla2xxx driver to version 8.02.09.00.04.08-d.

  - fixed sata_nv in libsata to disable ADMA mode by     default.

Miscellaneous Updates :

  - upgraded OpenFabrics Alliance Enterprise Distribution     (OFED) to version 1.4.

  - added driver support and fixes for various Wacom     tablets.

Note: The system must be rebooted for this update to take effect.

Security fixes :

  - several flaws were found in the way the Linux kernel     CIFS implementation handles Unicode strings. CIFS     clients convert Unicode strings sent by a server to     their local character sets, and then write those strings     into memory. If a malicious server sent a long enough     string, it could write past the end of the target memory     region and corrupt other memory areas, possibly leading     to a denial of service or privilege escalation on the     client mounting the CIFS share. (CVE-2009-1439,     CVE-2009-1633, Important)

  - the Linux kernel Network File System daemon (nfsd)     implementation did not drop the CAP_MKNOD capability     when handling requests from local, unprivileged users.
    This flaw could possibly lead to an information leak or     privilege escalation. (CVE-2009-1072, Moderate)

  - Frank Filz reported the NFSv4 client was missing a file     permission check for the execute bit in some situations.
    This could allow local, unprivileged users to run     non-executable files on NFSv4 mounted file systems.
    (CVE-2009-1630, Moderate)

  - a missing check was found in the hypervisor_callback()     function in the Linux kernel provided by the kernel-xen     package. This could cause a denial of service of a     32-bit guest if an application running in that guest     accesses a certain memory location in the kernel.
    (CVE-2009-1758, Moderate)

  - a flaw was found in the AGPGART driver. The     agp_generic_alloc_page() and agp_generic_alloc_pages()     functions did not zero out the memory pages they     allocate, which may later be available to user-space     processes. This flaw could possibly lead to an     information leak. (CVE-2009-1192, Low)

Bug fixes :

  - a race in the NFS client between destroying cached     access rights and unmounting an NFS file system could     have caused a system crash. 'Busy inodes' messages may     have been logged. (BZ#498653)

  - nanosleep() could sleep several milliseconds less than     the specified time on Intel Itanium&reg;-based systems.
    (BZ#500349)

  - LEDs for disk drives in AHCI mode may have displayed a     fault state when there were no faults. (BZ#500120)

  - ptrace_do_wait() reported tasks were stopped each time     the process doing the trace called wait(), instead of     reporting it once. (BZ#486945)

  - epoll_wait() may have caused a system lockup and     problems for applications. (BZ#497322)

  - missing capabilities could possibly allow users with an     fsuid other than 0 to perform actions on some file     system types that would otherwise be prevented.
    (BZ#497271)

  - on NFS mounted file systems, heavy write loads may have     blocked nfs_getattr() for long periods, causing commands     that use stat(2), such as ls, to hang. (BZ#486926)

  - in rare circumstances, if an application performed     multiple O_DIRECT reads per virtual memory page and also     performed fork(2), the buffer storing the result of the     I/O may have ended up with invalid data. (BZ#486921)

  - when using GFS2, gfs2_quotad may have entered an     uninterpretable sleep state. (BZ#501742)

  - with this update, get_random_int() is more random and no     longer uses a common seed value, reducing the     possibility of predicting the values returned.
    (BZ#499783)

  - the '-fwrapv' flag was added to the gcc build options to     prevent gcc from optimizing away wrapping. (BZ#501751)

  - a kernel panic when enabling and disabling iSCSI paths.
    (BZ#502916)

  - using the Broadcom NetXtreme BCM5704 network device with     the tg3 driver caused high system load and very bad     performance. (BZ#502837)

  - '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be     read by processes able to use the ptrace() call on a     given process; however, certain information from     '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used     to reconstruct memory maps. (BZ#499546)

The system must be rebooted for this update to take effect.

The Linux kernel on SUSE Linux Enterprise 10 Service Pack 2 was updated to fix various security issues and several bugs.

The following security issues were fixed: CVE-2009-0834: The audit_syscall_entry function in the Linux kernel on the x86_64 platform did not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls.

  - nfsd in the Linux kernel did not drop the CAP_MKNOD     capability before handling a user request in a thread,     which allows local users to create device nodes, as     demonstrated on a filesystem that has been exported with     the root_squash option. (CVE-2009-1072)

  - The __secure_computing function in kernel/seccomp.c in     the seccomp subsystem in the Linux kernel on the x86_64     platform, when CONFIG_SECCOMP is enabled, does not     properly handle (1) a 32-bit process making a 64-bit     syscall or (2) a 64-bit process making a 32-bit syscall,     which allows local users to bypass intended access     restrictions via crafted syscalls that are     misinterpreted as (a) stat or (b) chmod. (CVE-2009-0835)

  - Buffer overflow in fs/cifs/connect.c in CIFS in the     Linux kernel 2.6.29 and earlier allows remote attackers     to cause a denial of service (crash) or potential code     execution via a long nativeFileSystem field in a Tree     Connect response to an SMB mount request.
    (CVE-2009-1439)

This requires that kernel can be made to mount a 'cifs' filesystem from a malicious CIFS server.

  - The exit_notify function in kernel/exit.c in the Linux     kernel did not restrict exit signals when the CAP_KILL     capability is held, which allows local users to send an     arbitrary signal to a process by running a program that     modifies the exit_signal field and then uses an exec     system call to launch a setuid application.
    (CVE-2009-1337)

  - The shm_get_stat function in ipc/shm.c in the shm     subsystem in the Linux kernel, when CONFIG_SHMEM is     disabled, misinterprets the data type of an inode, which     allows local users to cause a denial of service (system     hang) via an SHM_INFO shmctl call, as demonstrated by     running the ipcs program. (SUSE is enabling     CONFIG_SHMEM, so is by default not affected, the fix is     just for completeness). (CVE-2009-0859)

The GCC option -fwrapv has been added to compilation to work around potentially removing integer overflow checks.

  - Integer overflow in rose_sendmsg (sys/net/af_rose.c) in     the Linux kernel might allow attackers to obtain     sensitive information via a large length value, which     causes 'garbage' memory to be sent. (CVE-2009-1265)

Also a number of bugs were fixed, for details please see the RPM changelog.

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share.
(CVE-2009-1439, CVE-2009-1633, Important)

* the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)

* Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)

* a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel.
(CVE-2009-1758, Moderate)

* a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak.
(CVE-2009-1192, Low)

Bug fixes :

* a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. 'Busy inodes' messages may have been logged. (BZ#498653)

* nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium(r)-based systems. (BZ#500349)

* LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120)

* ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once.
(BZ#486945)

* epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322)

* missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271)

* on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926)

* in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data.
(BZ#486921)

* when using GFS2, gfs2_quotad may have entered an uninterpretable sleep state. (BZ#501742)

* with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783)

* the '-fwrapv' flag was added to the gcc build options to prevent gcc from optimizing away wrapping. (BZ#501751)

* a kernel panic when enabling and disabling iSCSI paths. (BZ#502916)

* using the Broadcom NetXtreme BCM5704 network device with the tg3 driver caused high system load and very bad performance. (BZ#502837)

* '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps. (BZ#499546)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

a. JRE Security Update

  JRE update to version 1.5.0_20, which addresses multiple security   issues that existed in earlier releases of JRE.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,   CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,   CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,   CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,   CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,   CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,   CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

b. Update Apache Tomcat version

  Update for VirtualCenter and ESX patch update the Tomcat package to   version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5)   which addresses multiple security issues that existed   in the previous version of Apache Tomcat.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515,   CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.18:  CVE-2008-1232, CVE-2008-1947, CVE-2008-2370.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.16:  CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,   CVE-2007-6286, CVE-2008-0002.
  c. Third-party library update for ntp.
   The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the   following security issue. Note that the same security issue is   present in the ESX Service Console as described in section d. of   this advisory.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   The NTP security issue identified by CVE-2009-0159 is not relevant   for ESXi 3.5 and ESXi 4.0.
 d. Service Console update for ntp

  Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2    The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   The Service Console present in ESX is affected by the following   security issues.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   NTP authentication is not enabled by default on the Service Console.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   A buffer overflow flaw was found in the ntpq diagnostic command. A   malicious, remote server could send a specially crafted reply to an   ntpq request that could crash ntpq or, potentially, execute   arbitrary code with the privileges of the user running the ntpq   command.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-0159 to this issue.
  e. Updated Service Console package kernel

  Updated Service Console package kernel addresses the security   issues listed below.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028,   CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676,   CVE-2009-0778 to the security issues fixed in kernel   2.6.18-128.1.6.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337,   CVE-2009-0787, CVE-2009-1336 to the security issues fixed in   kernel 2.6.18-128.1.10.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072,   CVE-2009-1630, CVE-2009-1192 to the security issues fixed in   kernel 2.6.18-128.1.14.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388,   CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the   security issues fixed in kernel 2.6.18-128.4.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2692, CVE-2009-2698 to the   security issues fixed in kernel 2.6.18-128.7.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747,   CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues   fixed in kernel 2.6.18-164.

 f. Updated Service Console package python

  Service Console package Python update to version 2.4.3-24.el5.

  When the assert() system call was disabled, an input sanitization   flaw was revealed in the Python string object implementation that   led to a buffer overflow. The missing check for negative size values   meant the Python memory allocator could allocate less memory than   expected. This could result in arbitrary code execution with the   Python interpreter's privileges.

  Multiple buffer and integer overflow flaws were found in the Python   Unicode string processing and in the Python Unicode and string   object implementations. An attacker could use these flaws to cause   a denial of service.

  Multiple integer overflow flaws were found in the Python imageop   module. If a Python application used the imageop module to   process untrusted images, it could cause the application to   disclose sensitive information, crash or, potentially, execute   arbitrary code with the Python interpreter's privileges.

  Multiple integer underflow and overflow flaws were found in the   Python snprintf() wrapper implementation. An attacker could use   these flaws to cause a denial of service (memory corruption).

  Multiple integer overflow flaws were found in various Python   modules. An attacker could use these flaws to cause a denial of   service.

  An integer signedness error, leading to a buffer overflow, was   found in the Python zlib extension module. If a Python application   requested the negative byte count be flushed for a decompression   stream, it could cause the application to crash or, potentially,   execute arbitrary code with the Python interpreter's privileges.

  A flaw was discovered in the strxfrm() function of the Python   locale module. Strings generated by this function were not properly   NULL-terminated, which could possibly cause disclosure of data   stored in the memory of a Python application using this function.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721   CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143   CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues.

 g. Updated Service Console package bind

  Service Console package bind updated to version 9.3.6-4.P1.el5

  The Berkeley Internet Name Domain (BIND) is an implementation of the   Domain Name System (DNS) protocols. BIND includes a DNS server   (named); a resolver library (routines for applications to use when   interfacing with DNS); and tools for verifying that the DNS server   is operating correctly.

  A flaw was found in the way BIND handles dynamic update message   packets containing the 'ANY' record type. A remote attacker could   use this flaw to send a specially crafted dynamic update packet   that could cause named to exit with an assertion failure.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-0696 to this issue.

 h. Updated Service Console package libxml2

  Service Console package libxml2 updated to version 2.6.26-2.1.2.8.

  libxml is a library for parsing and manipulating XML files. A   Document Type Definition (DTD) defines the legal syntax (and also   which elements can be used) for certain types of files, such as XML   files.

  A stack overflow flaw was found in the way libxml processes the   root XML document element definition in a DTD. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  Multiple use-after-free flaws were found in the way libxml parses   the Notation and Enumeration attribute types. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2414 and CVE-2009-2416 to these   issues.

 i. Updated Service Console package curl

  Service Console package curl updated to version 7.15.5-2.1.el5_3.5

  A cURL is affected by the previously published 'null prefix attack',   caused by incorrect handling of NULL characters in X.509   certificates. If an attacker is able to get a carefully-crafted   certificate signed by a trusted Certificate Authority, the attacker   could use the certificate during a man-in-the-middle attack and   potentially confuse cURL into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2417 to this issue

 j. Updated Service Console package gnutls

  Service Console package gnutil updated to version 1.4.1-3.el5_3.5

  A flaw was discovered in the way GnuTLS handles NULL characters in   certain fields of X.509 certificates. If an attacker is able to get   a carefully-crafted certificate signed by a Certificate Authority   trusted by an application using GnuTLS, the attacker could use the   certificate during a man-in-the-middle attack and potentially   confuse the application into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2730 to this issue

This Linux kernel update for SUSE Linux Enterprise 11 fixes lots of bugs and some security issues.

The kernel was also updated to the 2.6.27.21 stable release.

  - nfsd in the Linux kernel does not drop the CAP_MKNOD     capability before handling a user request in a thread,     which allows local users to create device nodes, as     demonstrated on a filesystem that has been exported with     the root_squash option. (CVE-2009-1072)

  - The sock_getsockopt function in net/core/sock.c in the     Linux kernel does not initialize a certain structure     member, which allows local users to obtain potentially     sensitive information from kernel memory via an     SO_BSDCOMPAT getsockopt request. The fix for this was     incomplete. (CVE-2009-0676)

  - The __secure_computing function in kernel/seccomp.c in     the seccomp subsystem in the Linux kernel on the x86_64     platform, when CONFIG_SECCOMP is enabled, does not     properly handle (1) a 32-bit process making a 64-bit     syscall or (2) a 64-bit process making a 32-bit syscall,     which allows local users to bypass intended access     restrictions via crafted syscalls that are     misinterpreted as (a) stat or (b) chmod. (CVE-2009-0835)

This Linux kernel update for openSUSE 11.1 fixes lots of bugs and some security issues.

The kernel was also updated to the 2.6.27.21 stable release.

CVE-2009-1072: nfsd in the Linux kernel does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

CVE-2009-0676: The sock_getsockopt function in net/core/sock.c in the Linux kernel does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request. The fix for this was incomplete.

CVE-2009-0835: The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod.

This kernel update for openSUSE 11.0 fixes some bugs and several security problems.

The following security issues are fixed: A local denial of service problem in the splice(2) system call.

CVE-2009-1630: The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.

CVE-2009-0834: The audit_syscall_entry function in the Linux kernel on the x86_64 platform did not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls.

CVE-2009-1072: nfsd in the Linux kernel did not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

CVE-2009-0835 The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod.

CVE-2009-1439: Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) or potential code execution via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.

This requires that kernel can be made to mount a 'cifs' filesystem from a malicious CIFS server.

CVE-2009-1337: The exit_notify function in kernel/exit.c in the Linux kernel did not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.

CVE-2009-0859: The shm_get_stat function in ipc/shm.c in the shm subsystem in the Linux kernel, when CONFIG_SHMEM is disabled, misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang) via an SHM_INFO shmctl call, as demonstrated by running the ipcs program. (SUSE is enabling CONFIG_SHMEM, so is by default not affected, the fix is just for completeness).

CVE-2009-1242: The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX implementation in the KVM subsystem in the Linux kernel on the i386 platform allows guest OS users to cause a denial of service (OOPS) by setting the EFER_LME (aka 'Long mode enable') bit in the Extended Feature Enable Register (EFER) model-specific register, which is specific to the x86_64 platform.

CVE-2009-1265: Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel might allow attackers to obtain sensitive information via a large length value, which causes 'garbage' memory to be sent.

CVE-2009-0028: The clone system call in the Linux kernel allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.

CVE-2009-0675: The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an 'inverted logic' issue.

CVE-2009-0676: The sock_getsockopt function in net/core/sock.c in the Linux kernel does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.

CVE-2009-0322: drivers/firmware/dell_rbu.c in the Linux kernel allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.

CVE-2009-0269: fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.

CVE-2009-0065: Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.

Some other non-security bugs were fixed, please see the RPM changelog.

Igor Zhbanov discovered that NFS clients were able to create device nodes even when root_squash was enabled. An authenticated remote attacker could create device nodes with open permissions, leading to a loss of privacy or escalation of privileges. Only Ubuntu 8.10 and 9.04 were affected. (CVE-2009-1072)

Dan Carpenter discovered that SELinux did not correctly handle certain network checks when running with compat_net=1. A local attacker could exploit this to bypass network checks. Default Ubuntu installations do not enable SELinux, and only Ubuntu 8.10 and 9.04 were affected.
(CVE-2009-1184)

Shaohua Li discovered that memory was not correctly initialized in the AGP subsystem. A local attacker could potentially read kernel memory, leading to a loss of privacy. (CVE-2009-1192)

Benjamin Gilbert discovered that the VMX implementation of KVM did not correctly handle certain registers. An attacker in a guest VM could exploit this to cause a host system crash, leading to a denial of service. This only affected 32bit hosts. Ubuntu 6.06 was not affected.
(CVE-2009-1242)

Thomas Pollet discovered that the Amateur Radio X.25 Packet Layer Protocol did not correctly validate certain fields. A remote attacker could exploit this to read kernel memory, leading to a loss of privacy. (CVE-2009-1265)

Trond Myklebust discovered that NFS did not correctly handle certain long filenames. An authenticated remote attacker could exploit this to cause a system crash, leading to a denial of service. Only Ubuntu 6.06 was affected. (CVE-2009-1336)

Oleg Nesterov discovered that the kernel did not correctly handle CAP_KILL. A local user could exploit this to send signals to arbitrary processes, leading to a denial of service. (CVE-2009-1337)

Daniel Hokka Zakrisson discovered that signal handling was not correctly limited to process namespaces. A local user could bypass namespace restrictions, possibly leading to a denial of service. Only Ubuntu 8.04 was affected. (CVE-2009-1338)

Pavel Emelyanov discovered that network namespace support for IPv6 was not correctly handled. A remote attacker could send specially crafted IPv6 traffic that would cause a system crash, leading to a denial of service. Only Ubuntu 8.10 and 9.04 were affected. (CVE-2009-1360)

Neil Horman discovered that the e1000 network driver did not correctly validate certain fields. A remote attacker could send a specially crafted packet that would cause a system crash, leading to a denial of service. (CVE-2009-1385)

Pavan Naregundi discovered that CIFS did not correctly check lengths when handling certain mount requests. A remote attacker could send specially crafted traffic to cause a system crash, leading to a denial of service. (CVE-2009-1439)

Simon Vallet and Frank Filz discovered that execute permissions were not correctly handled by NFSv4. A local user could bypass permissions and run restricted programs, possibly leading to an escalation of privileges. (CVE-2009-1630)

Jeff Layton and Suresh Jayaraman discovered buffer overflows in the CIFS client code. A malicious remote server could exploit this to cause a system crash or execute arbitrary code as root.
(CVE-2009-1633)

Mikulas Patocka discovered that /proc/iomem was not correctly initialized on Sparc. A local attacker could use this file to crash the system, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-1914)

Miklos Szeredi discovered that OCFS2 did not correctly handle certain splice operations. A local attacker could exploit this to cause a system hang, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-1961).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following security issues :

* a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service.
(CVE-2009-1385, Important)

* the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)

* Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)

* a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel.
(CVE-2009-1758, Moderate)

* a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak.
(CVE-2009-1192, Low)

These updated packages also fix the following bugs :

* '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps, making it possible to bypass the Address Space Layout Randomization (ASLR) security feature. This update addresses this issue. (BZ#499549)

* in some situations, the link count was not decreased when renaming unused files on NFS mounted file systems. This may have resulted in poor performance. With this update, the link count is decreased in these situations, the same as is done for other file operations, such as unlink and rmdir. (BZ#501802)

* tcp_ack() cleared the probes_out variable even if there were outstanding packets. When low TCP keepalive intervals were used, this bug may have caused problems, such as connections terminating, when using remote tools such as rsh and rlogin. (BZ#501754)

* off-by-one errors in the time normalization code could have caused clock_gettime() to return one billion nanoseconds, rather than adding an extra second. This bug could have caused the name service cache daemon (nscd) to consume excessive CPU resources. (BZ#501800)

* a system panic could occur when one thread read '/proc/bus/input/devices' while another was removing a device. With this update, a mutex has been added to protect the input_dev_list and input_handler_list variables, which resolves this issue. (BZ#501804)

* using netdump may have caused a kernel deadlock on some systems.
(BZ#504565)

* the file system mask, which lists capabilities for users with a file system user ID (fsuid) of 0, was missing the CAP_MKNOD and CAP_LINUX_IMMUTABLE capabilities. This could, potentially, allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. This update adds these capabilities. (BZ#497269)

All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.
Note: The system must be rebooted for this update to take effect.

This kernel update for openSUSE 10.3 fixes some bugs and several security problems.

The following security issues are fixed: A local denial of service problem in the splice(2) system call.

CVE-2009-0834: The audit_syscall_entry function in the Linux kernel on the x86_64 platform did not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls.

CVE-2009-1072: nfsd in the Linux kernel did not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

CVE-2009-0835 The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod.

CVE-2009-1439: Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) or potential code execution via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.

This requires that kernel can be made to mount a 'cifs' filesystem from a malicious CIFS server.

CVE-2009-1337: The exit_notify function in kernel/exit.c in the Linux kernel did not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.

CVE-2009-0859: The shm_get_stat function in ipc/shm.c in the shm subsystem in the Linux kernel, when CONFIG_SHMEM is disabled, misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang) via an SHM_INFO shmctl call, as demonstrated by running the ipcs program. (SUSE is enabling CONFIG_SHMEM, so is by default not affected, the fix is just for completeness).

CVE-2009-1265: Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel might allow attackers to obtain sensitive information via a large length value, which causes 'garbage' memory to be sent.

CVE-2009-0028: The clone system call in the Linux kernel allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.

CVE-2009-0676: The sock_getsockopt function in net/core/sock.c in the Linux kernel does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.

CVE-2009-0322: drivers/firmware/dell_rbu.c in the Linux kernel allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.

CVE-2009-0269: fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.

CVE-2009-0065: Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.

CVE-2008-5702: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.

CVE-2008-4554: The do_splice_from function in fs/splice.c in the Linux kernel does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.

Some other non-security bugs were fixed, please see the RPM changelog.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, privilege escalation or a sensitive memory leak. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-0028     Chris Evans discovered a situation in which a child     process can send an arbitrary signal to its parent.

  - CVE-2009-0834     Roland McGrath discovered an issue on amd64 kernels that     allows local users to circumvent system call audit     configurations which filter based on the syscall numbers     or argument details.

  - CVE-2009-0835     Roland McGrath discovered an issue on amd64 kernels with     CONFIG_SECCOMP enabled. By making a specially crafted     syscall, local users can bypass access restrictions.

  - CVE-2009-0859     Jiri Olsa discovered that a local user can cause a     denial of service (system hang) using a SHM_INFO shmctl     call on kernels compiled with CONFIG_SHMEM disabled.
    This issue does not affect prebuilt Debian kernels.

  - CVE-2009-1046     Mikulas Patocka reported an issue in the console     subsystem that allows a local user to cause memory     corruption by selecting a small number of 3-byte UTF-8     characters.

  - CVE-2009-1072     Igor Zhbanov reported that nfsd was not properly     dropping CAP_MKNOD, allowing users to create device     nodes on file systems exported with root_squash.

  - CVE-2009-1184     Dan Carpenter reported a coding issue in the selinux     subsystem that allows local users to bypass certain     networking checks when running with compat_net=1.

  - CVE-2009-1192     Shaohua Li reported an issue in the AGP subsystem they     may allow local users to read sensitive kernel memory     due to a leak of uninitialized memory.

  - CVE-2009-1242     Benjamin Gilbert reported a local denial of service     vulnerability in the KVM VMX implementation that allows     local users to trigger an oops.

  - CVE-2009-1265     Thomas Pollet reported an overflow in the af_rose     implementation that allows remote attackers to retrieve     uninitialized kernel memory that may contain sensitive     data.

  - CVE-2009-1337     Oleg Nesterov discovered an issue in the exit_notify     function that allows local users to send an arbitrary     signal to a process by running a program that modifies     the exit_signal field and then uses an exec system call     to launch a setuid application.

  - CVE-2009-1338     Daniel Hokka Zakrisson discovered that a kill(-1) is     permitted to reach processes outside of the current     process namespace.

  - CVE-2009-1439     Pavan Naregundi reported an issue in the CIFS filesystem     code that allows remote users to overwrite memory via a     long nativeFileSystem field in a Tree Connect response     during mount.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2009-1106.

ID	Name	Product	Family	Severity
89117	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)	Nessus	Misc.	critical
79460	OracleVM 2.1 : kernel (OVMSA-2009-0014)	Nessus	OracleVM Local Security Checks	high
67884	Oracle Linux 4 : kernel (ELSA-2009-1132)	Nessus	Oracle Linux Local Security Checks	high
67874	Oracle Linux 5 : kernel (ELSA-2009-1106)	Nessus	Oracle Linux Local Security Checks	high
60609	Scientific Linux Security Update : kernel on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60599	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
59137	SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 6236)	Nessus	SuSE Local Security Checks	high
43757	CentOS 5 : kernel (CESA-2009:1106)	Nessus	CentOS Local Security Checks	high
42870	VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.	Nessus	VMware ESX Local Security Checks	medium
41539	SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 6237)	Nessus	SuSE Local Security Checks	high
41410	SuSE 11 Security Update : Linux kernel (SAT Patch Numbers 713 / 715 / 716)	Nessus	SuSE Local Security Checks	medium
40249	openSUSE Security Update : kernel (kernel-733)	Nessus	SuSE Local Security Checks	medium
40012	openSUSE Security Update : kernel (kernel-951)	Nessus	SuSE Local Security Checks	critical
39586	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerabilities (USN-793-1)	Nessus	Ubuntu Local Security Checks	high
39583	RHEL 4 : kernel (RHSA-2009:1132)	Nessus	Red Hat Local Security Checks	high
39430	RHEL 5 : kernel (RHSA-2009:1106)	Nessus	Red Hat Local Security Checks	high
39335	openSUSE 10 Security Update : kernel (kernel-6274)	Nessus	SuSE Local Security Checks	critical
38795	Debian DSA-1800-1 : linux-2.6 - denial of service/privilege escalation/sensitive memory leak	Nessus	Debian Local Security Checks	high
801470	CentOS RHSA-2009-1106 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2009-1072

medium

Tenable Plugins

critical

high

high

high

high

high

high

high

medium

high

medium

medium

critical

high

high

high

critical

high

high