SUSE-SA:2011:005

42372

42789

43056

46397

RHSA-2011:0004

20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console

45039

1024786

http://www.vmware.com/security/advisories/VMSA-2011-0012.html

ADV-2011-0024

ADV-2011-0213

http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/59f097ef181b

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities in several third-party components and libraries :

  - Kernel
  - krb5
  - glibc
  - mtp2sas
  - mptsas
  - mptspi

The openSUSE 11.3 kernel was updated to 2.6.34.8 to fix various bugs and security issues.

Following security issues have been fixed: CVE-2011-1493: In the rose networking stack, when parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and abort facilities parsing on failure.

CVE-2011-1182: Local attackers could send signals to their programs that looked like coming from the kernel, potentially gaining privileges in the context of setuid programs.

CVE-2011-1082: The epoll subsystem in Linux did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock).

CVE-2011-1478: An issue in the core GRO code where an skb belonging to an unknown VLAN is reused could result in a NULL pointer dereference.

CVE-2011-1163: The code for evaluating OSF partitions (in fs/partitions/osf.c) contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions.

CVE-2011-1012: The code for evaluating LDM partitions (in fs/partitions/ldm.c) contained a bug that could crash the kernel for certain corrupted LDM partitions.

CVE-2011-1010: The code for evaluating Mac partitions (in fs/partitions/mac.c) contained a bug that could crash the kernel for certain corrupted Mac partitions.

CVE-2011-1476: Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. On x86, this just returns an error, but it could have caused memory corruption on other architectures. Other malformed requests could have resulted in the use of uninitialized variables.

CVE-2011-1477: Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation.

CVE-2011-0191: A information leak in the XFS geometry calls could be used by local attackers to gain access to kernel information.

CVE-2011-1090: A page allocator issue in NFS v4 ACL handling that could lead to a denial of service (crash) was fixed.

CVE-2010-3880: net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions.

CVE-2010-4656: Fixed a buffer size issue in 'usb iowarrior' module, where a malicious device could overflow a kernel buffer.

CVE-2011-0521: The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value.

CVE-2010-3875: The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.

CVE-2010-3876: net/packet/af_packet.c in the Linux kernel did not properly initialize certain structure members, which allowed local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.

CVE-2010-3877: The get_name function in net/tipc/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.

CVE-2010-3705: The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel did not properly validate the hmac_ids array of an SCTP peer, which allowed remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array.

CVE-2011-0711: A stack memory information leak in the xfs FSGEOMETRY_V1 ioctl was fixed.

CVE-2011-0712: Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.

CVE-2010-4525: Linux kernel did not initialize the kvm_vcpu_events->interrupt.pad structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via unspecified vectors.

CVE-2010-3881: arch/x86/kvm/x86.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain potentially sensitive information from kernel stack memory via read operations on the /dev/kvm device.

CVE-2010-4075: The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

CVE-2010-4076: The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

CVE-2010-4077: The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

CVE-2010-4248: Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel allowed local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c.

CVE-2010-4243: fs/exec.c in the Linux kernel did not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an 'OOM dodging issue,' a related issue to CVE-2010-3858.

CVE-2010-4251: A system out of memory condition (denial of service) could be triggered with a large socket backlog, exploitable by local users. This has been addressed by backlog limiting.

CVE-2010-4648: Fixed cryptographic weakness potentially leaking information to remote (but physically nearby) users in the orinoco wireless driver.

CVE-2010-4527: The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel incorrectly expected that a certain name field ends with a '\0' character, which allowed local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory, via a SOUND_MIXER_SETLEVELS ioctl call.

CVE-2010-4668: The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel allowed local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4163.

CVE-2010-4650: A kernel buffer overflow in the cuse server module was fixed, which might have allowed local privilege escalation. However only CUSE servers could exploit it and /dev/cuse is normally restricted to root.

CVE-2010-4649: Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member.

CVE-2010-4250: A memory leak within inotify could be used by local attackers to cause the machine to run out of memory (denial of service).

CVE-2010-4346: The install_special_mapping function in mm/mmap.c in the Linux kernel did not make an expected security_file_mmap function call, which allowed local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application.

CVE-2010-4529: Integer underflow in the irda_getsockopt function in net/irda/af_irda.c in the Linux kernel on platforms other than x86 allowed local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call.

CVE-2010-4342: The aun_incoming function in net/econet/af_econet.c in the Linux kernel, when Econet is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP.

CVE-2010-3849: The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel, when an econet address is configured, allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a sendmsg call that specifies a NULL value for the remote address field.

CVE-2010-3848: Stack-based buffer overflow in the econet_sendmsg function in net/econet/af_econet.c in the Linux kernel when an econet address is configured, allowed local users to gain privileges by providing a large number of iovec structures.

CVE-2010-3850: The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel did not require the CAP_NET_ADMIN capability, which allowed local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call.

CVE-2010-4343: drivers/scsi/bfa/bfa_core.c in the Linux kernel did not initialize a certain port data structure, which allows local users to cause a denial of service (system crash) via read operations on an fc_host statistics file.

CVE-2010-3699: The backend driver in Xen 3.x allows guest OS users to cause a denial of service via a kernel thread leak, which prevents the device and guest OS from being shut down or create a zombie domain, causes a hang in zenwatch, or prevents unspecified xm commands from working properly, related to (1) netback, (2) blkback, or (3) blktap.

From Red Hat Security Advisory 2011:0004 :

Updated kernel packages that fix multiple security issues, several bugs, and add an enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in sctp_packet_config() in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could use this flaw to cause a denial of service.
(CVE-2010-3432, Important)

* A missing integer overflow check was found in snd_ctl_new() in the Linux kernel's sound subsystem. A local, unprivileged user on a 32-bit system could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-3442, Important)

* A heap overflow flaw in the Linux kernel's Transparent Inter-Process Communication protocol (TIPC) implementation could allow a local, unprivileged user to escalate their privileges. (CVE-2010-3859, Important)

* An integer overflow flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important)

* A flaw was found in the Xenbus code for the unified block-device I/O interface back end. A privileged guest user could use this flaw to cause a denial of service on the host system running the Xen hypervisor. (CVE-2010-3699, Moderate)

* Missing sanity checks were found in setup_arg_pages() in the Linux kernel. When making the size of the argument and environment area on the stack very large, it could trigger a BUG_ON(), resulting in a local denial of service. (CVE-2010-3858, Moderate)

* A flaw was found in inet_csk_diag_dump() in the Linux kernel's module for monitoring the sockets of INET transport protocols. By sending a netlink message with certain bytecode, a local, unprivileged user could cause a denial of service. (CVE-2010-3880, Moderate)

* Missing sanity checks were found in gdth_ioctl_alloc() in the gdth driver in the Linux kernel. A local user with access to '/dev/gdth' on a 64-bit system could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-4157, Moderate)

* The fix for Red Hat Bugzilla bug 484590 as provided in RHSA-2009:1243 introduced a regression. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4161, Moderate)

* A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4242, Moderate)

* It was found that a malicious guest running on the Xen hypervisor could place invalid data in the memory that the guest shared with the blkback and blktap back-end drivers, resulting in a denial of service on the host system. (CVE-2010-4247, Moderate)

* A flaw was found in the Linux kernel's CPU time clocks implementation for the POSIX clock interface. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4248, Moderate)

* Missing initialization flaws in the Linux kernel could lead to information leaks. (CVE-2010-3876, CVE-2010-4083, Low)

Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-3442, CVE-2010-4161, and CVE-2010-4083; Thomas Pollet for reporting CVE-2010-3865; Brad Spengler for reporting CVE-2010-3858; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; and Vasiliy Kulikov for reporting CVE-2010-3876.

This update also fixes several bugs and adds an enhancement.
Documentation for the bug fixes and the enhancement will be available shortly from the Technical Notes document, linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.

This update fixes the following security issues :

  - A flaw was found in sctp_packet_config() in the Linux     kernel's Stream Control Transmission Protocol (SCTP)     implementation. A remote attacker could use this flaw to     cause a denial of service. (CVE-2010-3432, Important)

  - A missing integer overflow check was found in     snd_ctl_new() in the Linux kernel's sound subsystem. A     local, unprivileged user on a 32-bit system could use     this flaw to cause a denial of service or escalate their     privileges. (CVE-2010-3442, Important)

  - A heap overflow flaw in the Linux kernel's Transparent     Inter-Process Communication protocol (TIPC)     implementation could allow a local, unprivileged user to     escalate their privileges. (CVE-2010-3859, Important)

  - An integer overflow flaw was found in the Linux kernel's     Reliable Datagram Sockets (RDS) protocol implementation.
    A local, unprivileged user could use this flaw to cause     a denial of service or escalate their privileges.
    (CVE-2010-3865, Important)

  - A flaw was found in the Xenbus code for the unified     block-device I/O interface back end. A privileged guest     user could use this flaw to cause a denial of service on     the host system running the Xen hypervisor.
    (CVE-2010-3699, Moderate)

  - Missing sanity checks were found in setup_arg_pages() in     the Linux kernel. When making the size of the argument     and environment area on the stack very large, it could     trigger a BUG_ON(), resulting in a local denial of     service. (CVE-2010-3858, Moderate)

  - A flaw was found in inet_csk_diag_dump() in the Linux     kernel's module for monitoring the sockets of INET     transport protocols. By sending a netlink message with     certain bytecode, a local, unprivileged user could cause     a denial of service. (CVE-2010-3880, Moderate)

  - Missing sanity checks were found in gdth_ioctl_alloc()     in the gdth driver in the Linux kernel. A local user     with access to '/dev/gdth' on a 64-bit system could use     this flaw to cause a denial of service or escalate their     privileges. (CVE-2010-4157, Moderate)

  - The fix put into kernel-2.6.18-164.el5 introduced a     regression. A local, unprivileged user could use this     flaw to cause a denial of service. (CVE-2010-4161,     Moderate)

  - A NULL pointer dereference flaw was found in the     Bluetooth HCI UART driver in the Linux kernel. A local,     unprivileged user could use this flaw to cause a denial     of service. (CVE-2010-4242, Moderate)

  - It was found that a malicious guest running on the Xen     hypervisor could place invalid data in the memory that     the guest shared with the blkback and blktap back-end     drivers, resulting in a denial of service on the host     system. (CVE-2010-4247, Moderate)

  - A flaw was found in the Linux kernel's CPU time clocks     implementation for the POSIX clock interface. A local,     unprivileged user could use this flaw to cause a denial     of service. (CVE-2010-4248, Moderate)

  - Missing initialization flaws in the Linux kernel could     lead to information leaks. (CVE-2010-3876,     CVE-2010-4083, Low)

This update also fixes several bugs and adds an enhancement.

The system must be rebooted for this update to take effect.

This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs.

The following security issues were fixed :

  - A local attacker could use a Oops (kernel crash) caused     by other flaws to write a 0 byte to a attacker     controlled address in the kernel. This could lead to     privilege escalation together with other issues.
    (CVE-2010-4258)

  - The backend driver in Xen 3.x allows guest OS users to     cause a denial of service via a kernel thread leak,     which prevents the device and guest OS from being shut     down or create a zombie domain, causes a hang in     zenwatch, or prevents unspecified xm commands from     working properly, related to (1) netback, (2) blkback,     or (3) blktap. (CVE-2010-3699)

  - The econet_sendmsg function in net/econet/af_econet.c in     the Linux kernel, when an econet address is configured,     allowed local users to cause a denial of service (NULL     pointer dereference and OOPS) via a sendmsg call that     specifies a NULL value for the remote address field.
    (CVE-2010-3849)

  - Stack-based buffer overflow in the econet_sendmsg     function in net/econet/af_econet.c in the Linux kernel     when an econet address is configured, allowed local     users to gain privileges by providing a large number of     iovec structures. (CVE-2010-3848)

  - The ec_dev_ioctl function in net/econet/af_econet.c in     the Linux kernel did not require the CAP_NET_ADMIN     capability, which allowed local users to bypass intended     access restrictions and configure econet addresses via     an SIOCSIFADDR ioctl call. (CVE-2010-3850)

  - A overflow in sendto() and recvfrom() routines was fixed     that could be used by local attackers to potentially     crash the kernel using some socket families like L2TP.
    (CVE-2010-4160)

a. ESX third-party update for Service Console kernel

   This update takes the console OS kernel package to    kernel-2.6.18-238.9.1 which resolves multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-1083, CVE-2010-2492, CVE-2010-2798,    CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015,    CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086,    CVE-2010-3296, CVE-2010-3432, CVE-2010-3442, CVE-2010-3477,    CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865,    CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904,    CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080,    CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158,    CVE-2010-4161, CVE-2010-4238, CVE-2010-4242, CVE-2010-4243,    CVE-2010-4247, CVE-2010-4248, CVE-2010-4249, CVE-2010-4251,    CVE-2010-4255, CVE-2010-4263, CVE-2010-4343, CVE-2010-4346,    CVE-2010-4526, CVE-2010-4655, CVE-2011-0521, CVE-2011-0710,    CVE-2011-1010, CVE-2011-1090 and CVE-2011-1478 to these issues.

b. ESX third-party update for Service Console krb5 RPMs

   This patch updates the krb5-libs and krb5-workstation RPMs of the    console OS to version 1.6.1-55.el5_6.1, which resolves multiple    security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-1323, CVE-2011-0281, and CVE-2011-0282    to these issues.

c. ESXi and ESX update to third-party component glibc

   The glibc third-party library is updated to resolve multiple    security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-0296, CVE-2011-0536, CVE-2011-1071,    CVE-2011-1095, CVE-2011-1658, and CVE-2011-1659 to these issues.

d. ESX update to third-party drivers mptsas, mpt2sas, and mptspi

   The mptsas, mpt2sas, and mptspi drivers are updated which addresses    multiple security issues in the mpt2sas driver.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2011-1494 and CVE-2011-1495 to these issues.

This update of the openSUSE 11.2 kernel fixes lots of security issues.

Following security issues were fixed: CVE-2011-1493: In the rose networking stack, when parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and abort facilities parsing on failure.

CVE-2011-1182: Local attackers could send signals to their programs that looked like coming from the kernel, potentially gaining privileges in the context of setuid programs.

CVE-2011-1082: The epoll subsystem in Linux did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock).

CVE-2011-1163: The code for evaluating OSF partitions (in fs/partitions/osf.c) contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions.

CVE-2011-1012: The code for evaluating LDM partitions (in fs/partitions/ldm.c) contained a bug that could crash the kernel for certain corrupted LDM partitions.

CVE-2011-1010: The code for evaluating Mac partitions (in fs/partitions/mac.c) contained a bug that could crash the kernel for certain corrupted Mac partitions.

CVE-2011-1476: Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. On x86, this just returns an error, but it could have caused memory corruption on other architectures. Other malformed requests could have resulted in the use of uninitialized variables.

CVE-2011-1477: Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation.

CVE-2011-1090: A page allocator issue in NFS v4 ACL handling that could lead to a denial of service (crash) was fixed.

CVE-2010-3880: net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions.

CVE-2011-0521: The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value.

CVE-2010-3875: The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.

CVE-2010-3876: net/packet/af_packet.c in the Linux kernel did not properly initialize certain structure members, which allowed local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.

CVE-2010-3877: The get_name function in net/tipc/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.

CVE-2010-3705: The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel did not properly validate the hmac_ids array of an SCTP peer, which allowed remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array.

CVE-2011-0711: A stack memory information leak in the xfs FSGEOMETRY_V1 ioctl was fixed.

CVE-2011-0712: Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.

CVE-2010-1173: The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel, when SCTP is enabled, allowed remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data.

CVE-2010-4075: The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

CVE-2010-4076: The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

CVE-2010-4077: The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

CVE-2010-4248: Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel allowed local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c.

CVE-2010-4243: fs/exec.c in the Linux kernel did not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an 'OOM dodging issue,' a related issue to CVE-2010-3858.

CVE-2010-4648: Fixed cryptographic weakness potentially leaking information to remote (but physically nearby) users in the orinoco wireless driver.

CVE-2010-4527: The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel incorrectly expected that a certain name field ends with a '\0' character, which allowed local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory, via a SOUND_MIXER_SETLEVELS ioctl call.

CVE-2010-4668: The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel allowed local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4163.

CVE-2010-4650: A kernel buffer overflow in the cuse server module was fixed, which might have allowed local privilege escalation. However only CUSE servers could exploit it and /dev/cuse is normally restricted to root.

CVE-2010-4649: Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member.

CVE-2010-4346: The install_special_mapping function in mm/mmap.c in the Linux kernel did not make an expected security_file_mmap function call, which allowed local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application.

CVE-2010-4529: Integer underflow in the irda_getsockopt function in net/irda/af_irda.c in the Linux kernel on platforms other than x86 allowed local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call.

CVE-2010-4342: The aun_incoming function in net/econet/af_econet.c in the Linux kernel, when Econet is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP.

CVE-2010-3849: The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel, when an econet address is configured, allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a sendmsg call that specifies a NULL value for the remote address field.

CVE-2010-3848: Stack-based buffer overflow in the econet_sendmsg function in net/econet/af_econet.c in the Linux kernel when an econet address is configured, allowed local users to gain privileges by providing a large number of iovec structures.

CVE-2010-3850: The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel did not require the CAP_NET_ADMIN capability, which allowed local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call.

CVE-2010-3699: The backend driver in Xen 3.x allows guest OS users to cause a denial of service via a kernel thread leak, which prevents the device and guest OS from being shut down or create a zombie domain, causes a hang in zenwatch, or prevents unspecified xm commands from working properly, related to (1) netback, (2) blkback, or (3) blktap.

CVE-2010-4073: The ipc subsystem in the Linux kernel did not initialize certain structures, which allowed local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c.

CVE-2010-4072: The copy_shmid_to_user function in ipc/shm.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the 'old shm interface.'

CVE-2010-4083: The copy_semid_to_user function in ipc/sem.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.29 and fixes various bugs and security issues.

  - The ax25_getname function in net/ax25/af_ax25.c in the     Linux kernel did not initialize a certain structure,     which allowed local users to obtain potentially     sensitive information from kernel stack memory by     reading a copy of this structure. (CVE-2010-3875)

  - net/packet/af_packet.c in the Linux kernel did not     properly initialize certain structure members, which     allowed local users to obtain potentially sensitive     information from kernel stack memory by leveraging the     CAP_NET_RAW capability to read copies of the applicable     structures. (CVE-2010-3876)

  - The get_name function in net/tipc/socket.c in the Linux     kernel did not initialize a certain structure, which     allowed local users to obtain potentially sensitive     information from kernel stack memory by reading a copy     of this structure. (CVE-2010-3877)

  - The sctp_auth_asoc_get_hmac function in net/sctp/auth.c     in the Linux kernel did not properly validate the     hmac_ids array of an SCTP peer, which allowed remote     attackers to cause a denial of service (memory     corruption and panic) via a crafted value in the last     element of this array. (CVE-2010-3705)

  - A stack memory information leak in the xfs FSGEOMETRY_V1     ioctl was fixed. (CVE-2011-0711)

  - Multiple buffer overflows in the caiaq Native     Instruments USB audio functionality in the Linux kernel     might have allowed attackers to cause a denial of     service or possibly have unspecified other impact via a     long USB device name, related to (1) the     snd_usb_caiaq_audio_init function in     sound/usb/caiaq/audio.c and (2) the     snd_usb_caiaq_midi_init function in     sound/usb/caiaq/midi.c. (CVE-2011-0712)

  - The task_show_regs function in arch/s390/kernel/traps.c     in the Linux kernel on the s390 platform allowed local     users to obtain the values of the registers of an     arbitrary process by reading a status file under /proc/.
    (CVE-2011-0710)

  - The xfs implementation in the Linux kernel did not look     up inode allocation btrees before reading inode buffers,     which allowed remote authenticated users to read     unlinked files, or read or overwrite disk blocks that     are currently assigned to an active file but were     previously assigned to an unlinked file, by accessing a     stale NFS filehandle. (CVE-2010-2943)

  - The uart_get_count function in     drivers/serial/serial_core.c in the Linux kernel did not     properly initialize a certain structure member, which     allowed local users to obtain potentially sensitive     information from kernel stack memory via a TIOCGICOUNT     ioctl call. (CVE-2010-4075)

  - The rs_ioctl function in drivers/char/amiserial.c in the     Linux kernel did not properly initialize a certain     structure member, which allowed local users to obtain     potentially sensitive information from kernel stack     memory via a TIOCGICOUNT ioctl call. (CVE-2010-4076)

  - The ntty_ioctl_tiocgicount function in     drivers/char/nozomi.c in the Linux kernel did not     properly initialize a certain structure member, which     allowed local users to obtain potentially sensitive     information from kernel stack memory via a TIOCGICOUNT     ioctl call. (CVE-2010-4077)

  - fs/exec.c in the Linux kernel did not enable the OOM     Killer to assess use of stack memory by arrays     representing the (1) arguments and (2) environment,     which allows local users to cause a denial of service     (memory consumption) via a crafted exec system call, aka     an OOM dodging issue, a related issue to CVE-2010-3858.
    (CVE-2010-4243)

  - The blk_rq_map_user_iov function in block/blk-map.c in     the Linux kernel allowed local users to cause a denial     of service (panic) via a zero-length I/O request in a     device ioctl to a SCSI device, related to an unaligned     map. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2010-4163. (CVE-2010-4668)

  - Integer underflow in the irda_getsockopt function in     net/irda/af_irda.c in the Linux kernel on platforms     other than x86 allowed local users to obtain potentially     sensitive information from kernel heap memory via an     IRLMP_ENUMDEVICES getsockopt call. (CVE-2010-4529)

  - The aun_incoming function in net/econet/af_econet.c in     the Linux kernel, when Econet is enabled, allows remote     attackers to cause a denial of service (NULL pointer     dereference and OOPS) by sending an Acorn Universal     Networking (AUN) packet over UDP. (CVE-2010-4342)

  - The backend driver in Xen 3.x allowed guest OS users to     cause a denial of service via a kernel thread leak,     which prevented the device and guest OS from being shut     down or create a zombie domain, causing a hang in     zenwatch, or preventing unspecified xm commands from     working properly, related to (1) netback, (2) blkback,     or (3) blktap. (CVE-2010-3699)

  - The install_special_mapping function in mm/mmap.c in the     Linux kernel did not make an expected security_file_mmap     function call, which allows local users to bypass     intended mmap_min_addr restrictions and possibly conduct     NULL pointer dereference attacks via a crafted     assembly-language application. (CVE-2010-4346)

  - Fixed a verify_ioctl overflow in 'cuse' in the fuse     filesystem. The code should only be called by root users     though. (CVE-2010-4650)

  - Race condition in the sctp_icmp_proto_unreachable     function in net/sctp/input.c in the Linux kernel allowed     remote attackers to cause a denial of service (panic)     via an ICMP unreachable message to a socket that is     already locked by a user, which causes the socket to be     freed and triggers list corruption, related to the     sctp_wait_for_connect function. (CVE-2010-4526)

  - The load_mixer_volumes function in sound/oss/soundcard.c     in the OSS sound subsystem in the Linux kernel     incorrectly expected that a certain name field ends with     a '0' character, which allowed local users to conduct     buffer overflow attacks and gain privileges, or possibly     obtain sensitive information from kernel memory, via a     SOUND_MIXER_SETLEVELS ioctl call. (CVE-2010-4527)

  - Fixed a LSM bug in IMA (Integrity Measuring     Architecture). IMA is not enabled in SUSE kernels, so we     were not affected. (CVE-2011-0006)

Gleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service. (CVE-2010-0435)

Dave Chinner discovered that the XFS filesystem did not correctly order inode lookups when exported by NFS. A remote attacker could exploit this to read or write disk blocks that had changed file assignment or had become unlinked, leading to a loss of privacy.
(CVE-2010-2943)

Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297)

Dan Jacobson discovered that ThinkPad video output was not correctly access controlled. A local attacker could exploit this to hang the system, leading to a denial of service. (CVE-2010-3448)

It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698)

It was discovered that Xen did not correctly clean up threads. A local attacker in a guest system could exploit this to exhaust host system resources, leading to a denial of serivce. (CVE-2010-3699)

Brad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858)

Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)

Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873)

Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3875)

Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)

Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3877)

Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)

Kees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4072)

Dan Rosenberg discovered that the USB subsystem did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4074)

Dan Rosenberg discovered that the SiS video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4078)

Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4079)

Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081)

Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)

James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157)

Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges.
(CVE-2010-4160)

It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2010-0435     Gleb Napatov reported an issue in the KVM subsystem that     allows virtual machines to cause a denial of service of     the host machine by executing mov to/from DR     instructions.

  - CVE-2010-3699     Keir Fraser provided a fix for an issue in the Xen     subsystem. A guest can cause a denial of service on the     host by retaining a leaked reference to a device. This     can result in a zombie domain, xenwatch process hangs,     and xm command failures.

  - CVE-2010-4158     Dan Rosenberg discovered an issue in the socket filters     subsystem, allowing local unprivileged users to obtain     the contents of sensitive kernel memory.

  - CVE-2010-4162     Dan Rosenberg discovered an overflow issue in the block     I/O subsystem that allows local users to map large     numbers of pages, resulting in a denial of service due     to invocation of the out of memory killer.

  - CVE-2010-4163     Dan Rosenberg discovered an issue in the block I/O     subsystem. Due to improper validation of iov segments,     local users can trigger a kernel panic resulting in a     denial of service.

  - CVE-2010-4242     Alan Cox reported an issue in the Bluetooth subsystem.
    Local users with sufficient permission to access HCI     UART devices can cause a denial of service (NULL pointer     dereference) due to a missing check for an existing tty     write operation.

  - CVE-2010-4243     Brad Spengler reported a denial-of-service issue in the     kernel memory accounting system. By passing large     argv/envp values to exec, local users can cause the out     of memory killer to kill processes owned by other users.

  - CVE-2010-4248     Oleg Nesterov reported an issue in the POSIX CPU timers     subsystem. Local users can cause a denial of service     (Oops) due to incorrect assumptions about thread group     leader behavior.

  - CVE-2010-4249     Vegard Nossum reported an issue with the UNIX socket     garbage collector. Local users can consume all of LOWMEM     and decrease system performance by overloading the     system with inflight sockets.

  - CVE-2010-4258     Nelson Elhage reported an issue in Linux oops handling.
    Local users may be able to obtain elevated privileges if     they are able to trigger an oops with a process' fs set     to KERNEL_DS.

  - CVE-2010-4342     Nelson Elhage reported an issue in the Econet protocol.
    Remote attackers can cause a denial of service by     sending an Acorn Universal Networking packet over UDP.

  - CVE-2010-4346     Tavis Ormandy discovered an issue in the     install_special_mapping routine which allows local users     to bypass the mmap_min_addr security restriction.
    Combined with an otherwise low severity local denial of     service vulnerability (NULL pointer dereference), a     local user could obtain elevated privileges.

  - CVE-2010-4526     Eugene Teo reported a race condition in the Linux SCTP     implementation. Remote users can cause a denial of     service (kernel memory corruption) by transmitting an     ICMP unreachable message to a locked socket.

  - CVE-2010-4527     Dan Rosenberg reported two issues in the OSS soundcard     driver. Local users with access to the device (members     of group 'audio' on default Debian installations) may     access to sensitive kernel memory or cause a buffer     overflow, potentially leading to an escalation of     privileges.

  - CVE-2010-4529     Dan Rosenberg reported an issue in the Linux kernel IrDA     socket implementation on non-x86 architectures. Local     users may be able to gain access to sensitive kernel     memory via a specially crafted IRLMP_ENUMDEVICES     getsockopt call.

  - CVE-2010-4565     Dan Rosenberg reported an issue in the Linux CAN     protocol implementation. Local users can obtain the     address of a kernel heap object which might help     facilitate system exploitation.

  - CVE-2010-4649     Dan Carpenter reported an issue in the uverb handling of     the InfiniBand subsystem. A potential buffer overflow     may allow local users to cause a denial of service     (memory corruption) by passing in a large cmd.ne value.

  - CVE-2010-4656     Kees Cook reported an issue in the driver for     I/O-Warrior USB devices. Local users with access to     these devices may be able to overrun kernel buffers,     resulting in a denial of service or privilege     escalation.

  - CVE-2010-4668     Dan Rosenberg reported an issue in the block subsystem.
    A local user can cause a denial of service (kernel     panic) by submitting certain 0-length I/O requests.

  - CVE-2011-0521     Dan Carpenter reported an issue in the DVB driver for     AV7110 cards. Local users can pass a negative info->num     value, corrupting kernel memory and causing a denial of     service.

Updated kernel packages that fix multiple security issues, several bugs, and add an enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in sctp_packet_config() in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could use this flaw to cause a denial of service.
(CVE-2010-3432, Important)

* A missing integer overflow check was found in snd_ctl_new() in the Linux kernel's sound subsystem. A local, unprivileged user on a 32-bit system could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-3442, Important)

* A heap overflow flaw in the Linux kernel's Transparent Inter-Process Communication protocol (TIPC) implementation could allow a local, unprivileged user to escalate their privileges. (CVE-2010-3859, Important)

* An integer overflow flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important)

* A flaw was found in the Xenbus code for the unified block-device I/O interface back end. A privileged guest user could use this flaw to cause a denial of service on the host system running the Xen hypervisor. (CVE-2010-3699, Moderate)

* Missing sanity checks were found in setup_arg_pages() in the Linux kernel. When making the size of the argument and environment area on the stack very large, it could trigger a BUG_ON(), resulting in a local denial of service. (CVE-2010-3858, Moderate)

* A flaw was found in inet_csk_diag_dump() in the Linux kernel's module for monitoring the sockets of INET transport protocols. By sending a netlink message with certain bytecode, a local, unprivileged user could cause a denial of service. (CVE-2010-3880, Moderate)

* Missing sanity checks were found in gdth_ioctl_alloc() in the gdth driver in the Linux kernel. A local user with access to '/dev/gdth' on a 64-bit system could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-4157, Moderate)

* The fix for Red Hat Bugzilla bug 484590 as provided in RHSA-2009:1243 introduced a regression. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4161, Moderate)

* A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4242, Moderate)

* It was found that a malicious guest running on the Xen hypervisor could place invalid data in the memory that the guest shared with the blkback and blktap back-end drivers, resulting in a denial of service on the host system. (CVE-2010-4247, Moderate)

* A flaw was found in the Linux kernel's CPU time clocks implementation for the POSIX clock interface. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4248, Moderate)

* Missing initialization flaws in the Linux kernel could lead to information leaks. (CVE-2010-3876, CVE-2010-4083, Low)

Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-3442, CVE-2010-4161, and CVE-2010-4083; Thomas Pollet for reporting CVE-2010-3865; Brad Spengler for reporting CVE-2010-3858; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; and Vasiliy Kulikov for reporting CVE-2010-3876.

This update also fixes several bugs and adds an enhancement.
Documentation for the bug fixes and the enhancement will be available shortly from the Technical Notes document, linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2011-0004.

ID	Name	Product	Family	Severity
89680	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0012) (remote check)	Nessus	Misc.	high
75554	openSUSE Security Update : kernel (openSUSE-SU-2011:0399-1)	Nessus	SuSE Local Security Checks	high
68176	Oracle Linux 5 : kernel (ELSA-2011-0004)	Nessus	Oracle Linux Local Security Checks	high
60929	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
59154	SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 7304)	Nessus	SuSE Local Security Checks	medium
56508	VMSA-2011-0012 : VMware ESXi and ESX updates to third-party libraries and ESX Service Console	Nessus	VMware ESX Local Security Checks	high
53740	openSUSE Security Update : kernel (openSUSE-SU-2011:0346-1)	Nessus	SuSE Local Security Checks	high
52597	SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4039 / 4042 / 4043)	Nessus	SuSE Local Security Checks	high
52475	Ubuntu 8.04 LTS : linux vulnerabilities (USN-1072-1)	Nessus	Ubuntu Local Security Checks	high
51818	Debian DSA-2153-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	high
51752	SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 7303)	Nessus	SuSE Local Security Checks	medium
51426	CentOS 5 : kernel (CESA-2011:0004)	Nessus	CentOS Local Security Checks	high
51417	RHEL 5 : kernel (RHSA-2011:0004)	Nessus	Red Hat Local Security Checks	high
801502	CentOS RHSA-2011-0004 Security Check	Log Correlation Engine	Generic	high

CVE-2010-3699

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins