https://bugzilla.redhat.com/show_bug.cgi?id=736425

https://oss.oracle.com/git/?p=redpatch.git;a=commit;h=fadca7bdc43b02f518585d9547019966415cadfd

An updated rhev-hypervisor package that fixes several security issues is now available.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

The RHBA-2011:1254 update introduced a regression in the Linux kernel's Ethernet bridge implementation. If a system had an interface in a bridge, and an attacker on the local network could send packets to that interface, they could cause a denial of service on that system. (CVE-2011-2942)

A flaw in the Linux kernel could lead to GRO (Generic Receive Offload) fields being left in an inconsistent state. An attacker on the local network could use this flaw to trigger a denial of service. GRO is enabled by default in all network drivers that support it.
(CVE-2011-2723)

The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188)

Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the be2net driver could allow an attacker on the local network to cause a denial of service.
(CVE-2011-3347)

Red Hat would like to thank Brent Meshier for reporting CVE-2011-2723;
Dan Kaminsky for reporting CVE-2011-3188; and Somnath Kotur for reporting CVE-2011-3347.

This updated package provides updated components that include fixes for numerous security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however.

The security fixes included in this update address the following CVE numbers :

CVE-2011-2695, CVE-2011-2699, CVE-2011-3191, CVE-2011-1833, CVE-2011-2496, CVE-2011-3209, CVE-2011-2484, CVE-2011-3131, CVE-2009-4067, CVE-2011-1160, and CVE-2011-1585 (kernel issues)

CVE-2011-3378 (rpm issues)

Users of Red Hat Enterprise Virtualization Hypervisor should upgrade to this updated package, which resolves these issues.

This kernel update of the openSUSE 12.1 kernel brings various bug and security fixes.

Following issues were fixed :

  - tcp: drop SYN+FIN messages (bnc#765102, CVE-2012-2663).

  - net: sock: validate data_len before allocating skb in     sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136).

  - thp: avoid atomic64_read in pmd_read_atomic for 32bit     PAE (bnc#762991).

  - be2net: non-member vlan pkts not received in promiscous     mode (bnc#732006 CVE-2011-3347).

  - fcaps: clear the same personality flags as suid when     fcaps are used (bnc#758260 CVE-2012-2123).

  - macvtap: zerocopy: validate vectors before building skb     (bnc#758243 CVE-2012-2119).

  - macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb     is built successfully (bnc#758243 CVE-2012-2119).

  - macvtap: zerocopy: put page when fail to get all     requested user pages (bnc#758243 CVE-2012-2119).

  - macvtap: zerocopy: fix offset calculation when building     skb (bnc#758243 CVE-2012-2119).

  - Avoid reading past buffer when calling GETACL     (bnc#762992).

  - Avoid beyond bounds copy while caching ACL (bnc#762992).

  - Fix length of buffer copied in __nfs4_get_acl_uncached     (bnc#762992).

  - hfsplus: Fix potential buffer overflows (bnc#760902     CVE-2009-4020).

  - usb/net: rndis: merge command codes. only net/hyperv     part

  - usb/net: rndis: remove ambiguous status codes. only     net/hyperv part

  - usb/net: rndis: break out <linux/rndis.h> defines. only     net/hyperv part

  - net/hyperv: Add flow control based on hi/low watermark.

  - hv: fix return type of hv_post_message().

  - Drivers: hv: util: Properly handle version negotiations.

  - Drivers: hv: Get rid of an unnecessary check in     vmbus_prep_negotiate_resp().

  - HID: hyperv: Set the hid drvdata correctly.

  - HID: hid-hyperv: Do not use hid_parse_report() directly.

  - [SCSI] storvsc: Properly handle errors from the host     (bnc#747404).

  - Delete patches.suse/suse-hv-storvsc-ignore-ata_16.patch.

  - patches.suse/suse-hv-pata_piix-ignore-disks.patch     replace our version of this patch with upstream variant:
    ata_piix: defer disks to the Hyper-V drivers by default     libata: add a host flag to ignore detected ATA devices.

  - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs     pmd_populate SMP race condition (bnc#762991     CVE-2012-2373).

  - xfrm: take net hdr len into account for esp payload size     calculation (bnc#759545).

  - net/hyperv: Adding cancellation to ensure rndis filter     is closed.

  - xfs: Fix oops on IO error during     xlog_recover_process_iunlinks() (bnc#761681).

  - thp: reduce khugepaged freezing latency (bnc#760860).

  - igb: fix rtnl race in PM resume path (bnc#748859).

  - ixgbe: add missing rtnl_lock in PM resume path     (bnc#748859).

  - cdc_ether: Ignore bogus union descriptor for RNDIS     devices (bnc#735362). Taking the fix from net-next

  - Fix kABI breakage due to including proc_fs.h in     kernel/fork.c modversion changed because of changes in     struct proc_dir_entry (became defined) Refresh     patches.fixes/procfs-namespace-pid_ns-fix-leakage-on-for     k-failure.

  - Disabled MMC_TEST (bnc#760077).

  - Input: ALPS - add semi-MT support for v3 protocol     (bnc#716996).

  - Input: ALPS - add support for protocol versions 3 and 4     (bnc#716996).

  - Input: ALPS - remove assumptions about packet size     (bnc#716996).

  - Input: ALPS - add protocol version field in     alps_model_info (bnc#716996).

  - Input: ALPS - move protocol information to Documentation     (bnc#716996).

  - sysctl/defaults: kernel.hung_task_timeout ->     kernel.hung_task_timeout_secs (bnc#700174)

  - btrfs: partial revert of truncation improvements     (FATE#306586 bnc#748463 bnc#760279).

  - libata: skip old error history when counting probe     trials.

  - procfs, namespace, pid_ns: fix leakage upon fork()     failure (bnc#757783).

  - cdc-wdm: fix race leading leading to memory corruption     (bnc#759554). This patch fixes a race whereby a pointer     to a buffer would be overwritten while the buffer was in     use leading to a double free and a memory leak. This     causes crashes. This bug was introduced in 2.6.34

  - netfront: delay gARP until backend switches to     Connected.

  - xenbus: Reject replies with payload >     XENSTORE_PAYLOAD_MAX.

  - xenbus: check availability of XS_RESET_WATCHES command.

  - xenbus_dev: add missing error checks to watch handling.

  - drivers/xen/: use strlcpy() instead of strncpy().

  - blkfront: properly fail packet requests (bnc#745929).

  - Linux 3.1.10.

  - Update Xen config files.

  - Refresh other Xen patches.

  - tlan: add cast needed for proper 64 bit operation     (bnc#756840).

  - dl2k: Tighten ioctl permissions (bnc#758813).

  - mqueue: fix a vfsmount longterm reference leak     (bnc#757783).

  - cciss: Add IRQF_SHARED back in for the non-MSI(X)     interrupt handler (bnc#757789).

  - procfs: fix a vfsmount longterm reference leak     (bnc#757783).

  - uwb: fix error handling (bnc#731720). This fixes a     kernel error on unplugging an uwb dongle

  - uwb: fix use of del_timer_sync() in interrupt     (bnc#731720). This fixes a kernel warning on plugging in     an uwb dongle

  - acer-wmi: Detect communication hot key number.

  - acer-wmi: replaced the hard coded bitmap by the     communication devices bitmap from SMBIOS.

  - acer-wmi: add ACER_WMID_v2 interface flag to represent     new notebooks.

  - acer-wmi: No wifi rfkill on Sony machines.

  - acer-wmi: No wifi rfkill on Lenovo machines.

  - [media] cx22702: Fix signal strength.

  - fs: cachefiles: Add support for large files in     filesystem caching (bnc#747038).

  - Drivers: scsi: storvsc: Account for in-transit packets     in the RESET path.

  - CPU hotplug, cpusets, suspend: Don't touch cpusets     during suspend/resume (bnc#752460).

  - net: fix a potential rcu_read_lock() imbalance in     rt6_fill_node() (bnc#754186, bnc#736268).

  - This commit fixes suspend to ram breakage reported in     bnc#764864. Remove dud patch. The problem it addressed     is being respun upstream, is in tip, but not yet     mainlined. See bnc#752460 for details regarding the     problem the now removed patch fixed while breaking S2R.
    Delete     patches.fixes/cpusets-Dont-touch-cpusets-during-suspend-     or-resume.patch.

  - Remove dud patch. The problem it addressed is being     respun upstream, is in tip, but not yet mainlined.
    Delete     patches.fixes/cpusets-Dont-touch-cpusets-during-suspend-     or-resume.patch.

  - fix VM_FOREIGN users after c/s 878:eba6fe6d8d53     (bnc#760974).

  - gntdev: fix multi-page slot allocation (bnc#760974).

  - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs     pmd_populateSMP race condition (bnc#762991     CVE-2012-2373).

  - thp: avoid atomic64_read in pmd_read_atomic for 32bit     PAE (bnc#762991).

  - sym53c8xx: Fix NULL pointer dereference in slave_destroy     (bnc#767786).

  - sky2: fix regression on Yukon Optima (bnc#731537).

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-2037 advisory.

  - The proc filesystem implementation in the Linux kernel 2.6.37 and earlier does not restrict access to the     /proc directory tree of a process after this process performs an exec of a setuid program, which allows     local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write     system calls. (CVE-2011-1020)

  - Heap-based buffer overflow in the is_gpt_valid function in fs/partitions/efi.c in the Linux kernel 2.6.38     and earlier allows physically proximate attackers to cause a denial of service (OOPS) or possibly have     unspecified other impact via a crafted size of the EFI GUID partition-table header on removable media.
    (CVE-2011-1577)

  - The cifs_find_smb_ses function in fs/cifs/connect.c in the Linux kernel before 2.6.36 does not properly     determine the associations between users and sessions, which allows local users to bypass CIFS share     authentication by leveraging a mount of a share by a different user. (CVE-2011-1585)

  - fs/proc/base.c in the Linux kernel before 2.6.39.4 does not properly restrict access to /proc/#####/io     files, which allows local users to obtain sensitive I/O statistics by polling a file, as demonstrated by     discovering the length of another user's password. (CVE-2011-2495)

  - The qdisc_notify function in net/sched/sch_api.c in the Linux kernel before 2.6.35 does not prevent     tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allows local     users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other     impact via a crafted call. (CVE-2011-2525)

  - fs/ext4/extents.c in the Linux kernel before 3.0 does not mark a modified extent as dirty in certain cases     of extent splitting, which allows local users to cause a denial of service (system crash) via vectors     involving ext4 umount and mount operations. (CVE-2011-3638)

  - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allows local users to     cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined     key and updating a negative key into a fully instantiated key. (CVE-2011-4110)

  - Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel 2.6 allows     local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with     a crafted len field. (CVE-2011-4330)

  - The ptrace_setxregs function in arch/xtensa/kernel/ptrace.c in the Linux kernel before 3.1 does not     validate user-space pointers, which allows local users to obtain sensitive information from kernel memory     locations via a crafted PTRACE_SETXTREGS request. (CVE-2011-2707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2011:1386 :

Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important)

* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important)

* A malicious CIFS (Common Internet File System) server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* A local attacker could use mount.ecryptfs_private to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update must also be installed. (CVE-2011-1833, Moderate)

* A flaw in the taskstats subsystem could allow a local, unprivileged user to cause excessive CPU time and memory use. (CVE-2011-2484, Moderate)

* Mapping expansion handling could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2496, Moderate)

* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* RHSA-2011:1065 introduced a regression in the Ethernet bridge implementation. If a system had an interface in a bridge, and an attacker on the local network could send packets to that interface, they could cause a denial of service on that system. Xen hypervisor and KVM (Kernel-based Virtual Machine) hosts often deploy bridge interfaces. (CVE-2011-2942, Moderate)

* A flaw in the Xen hypervisor IOMMU error handling implementation could allow a privileged guest user, within a guest operating system that has direct control of a PCI device, to cause performance degradation on the host and possibly cause it to hang. (CVE-2011-3131, Moderate)

* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence number and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A flaw in the kernel's clock implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-3209, Moderate)

* Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the be2net driver could allow an attacker on the local network to cause a denial of service.
(CVE-2011-3347, Moderate)

* A flaw in the auerswald USB driver could allow a local, unprivileged user to cause a denial of service or escalate their privileges by inserting a specially crafted USB device. (CVE-2009-4067, Low)

* A flaw in the Trusted Platform Module (TPM) implementation could allow a local, unprivileged user to leak information to user space.
(CVE-2011-1160, Low)

* A local, unprivileged user could possibly mount a CIFS share that requires authentication without knowing the correct password if the mount was already mounted by another local user. (CVE-2011-1585, Low)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; the Ubuntu Security Team for reporting CVE-2011-1833; Vasiliy Kulikov of Openwall for reporting CVE-2011-2484; Robert Swiecki for reporting CVE-2011-2496; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yasuaki Ishimatsu for reporting CVE-2011-3209; Somnath Kotur for reporting CVE-2011-3347; Rafael Dominguez Vega for reporting CVE-2009-4067; and Peter Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1833.

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 6.1 Extended Update Support.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* The proc file system could allow a local, unprivileged user to obtain sensitive information or possibly cause integrity issues.
(CVE-2011-1020, Moderate)

* Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the be2net driver could allow an attacker on the local network to cause a denial of service.
(CVE-2011-3347, Moderate)

* A missing validation flaw was found in the Linux kernel's m_stop() implementation. A local, unprivileged user could use this flaw to trigger a denial of service. (CVE-2011-3637, Moderate)

* A flaw was found in the Linux kernel in the way splitting two extents in ext4_ext_convert_to_initialized() worked. A local, unprivileged user with the ability to mount and unmount ext4 file systems could use this flaw to cause a denial of service.
(CVE-2011-3638, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's key management facility handled user-defined key types. A local, unprivileged user could use the keyctl utility to cause a denial of service. (CVE-2011-4110, Moderate)

Red Hat would like to thank Kees Cook for reporting CVE-2011-1020;
Somnath Kotur for reporting CVE-2011-3347; and Zheng Liu for reporting CVE-2011-3638.

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - The proc file system could allow a local, unprivileged     user to obtain sensitive information or possibly cause     integrity issues. (CVE-2011-1020, Moderate)

  - Non-member VLAN (virtual LAN) packet handling for     interfaces in promiscuous mode and also using the be2net     driver could allow an attacker on the local network to     cause a denial of service. (CVE-2011-3347, Moderate)

  - A flaw was found in the Linux kernel in the way     splitting two extents in     ext4_ext_convert_to_initialized() worked. A local,     unprivileged user with access to mount and unmount ext4     file systems could use this flaw to cause a denial of     service. (CVE-2011-3638, Moderate)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's key management facility handled     user-defined key types. A local, unprivileged user could     use the keyctl utility to cause a denial of service.
    (CVE-2011-4110, Moderate)

This update also fixes several hundred bugs and adds enhancements.
Refer to the upstream Release Notes for information on the most significant of these changes.

All Scientific Linux 6 users are advised to install these updated packages, which correct these issues, and fix the bugs and add the enhancements noted. The system must be rebooted for this update to take effect.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

  - The maximum file offset handling for ext4 file systems     could allow a local, unprivileged user to cause a denial     of service. (CVE-2011-2695, Important)

  - IPv6 fragment identification value generation could     allow a remote attacker to disrupt a target system's     networking, preventing legitimate users from accessing     its services. (CVE-2011-2699, Important)

  - A malicious CIFS (Common Internet File System) server     could send a specially crafted response to a directory     read request that would result in a denial of service or     privilege escalation on a system that has a CIFS share     mounted. (CVE-2011-3191, Important)

  - A local attacker could use mount.ecryptfs_private to     mount (and then access) a directory they would otherwise     not have access to. Note: To correct this issue, a     ecryptfs-utils update must also be installed.
    (CVE-2011-1833, Moderate)

  - A flaw in the taskstats subsystem could allow a local,     unprivileged user to cause excessive CPU time and memory     use. (CVE-2011-2484, Moderate)

  - Mapping expansion handling could allow a local,     unprivileged user to cause a denial of service.
    (CVE-2011-2496, Moderate)

  - GRO (Generic Receive Offload) fields could be left in an     inconsistent state. An attacker on the local network     could use this flaw to cause a denial of service. GRO is     enabled by default in all network drivers that support     it. (CVE-2011-2723, Moderate)

  - A previous update introduced a regression in the     Ethernet bridge implementation. If a system had an     interface in a bridge, and an attacker on the local     network could send packets to that interface, they could     cause a denial of service on that system. Xen hypervisor     and KVM (Kernel-based Virtual Machine) hosts often     deploy bridge interfaces. (CVE-2011-2942, Moderate)

  - A flaw in the Xen hypervisor IOMMU error handling     implementation could allow a privileged guest user,     within a guest operating system that has direct control     of a PCI device, to cause performance degradation on the     host and possibly cause it to hang. (CVE-2011-3131,     Moderate)

  - IPv4 and IPv6 protocol sequence number and fragment ID     generation could allow a man-in-the-middle attacker to     inject packets and possibly hijack connections. Protocol     sequence number and fragment IDs are now more random.
    (CVE-2011-3188, Moderate)

  - A flaw in the kernel's clock implementation could allow     a local, unprivileged user to cause a denial of service.
    (CVE-2011-3209, Moderate)

  - Non-member VLAN (virtual LAN) packet handling for     interfaces in promiscuous mode and also using the be2net     driver could allow an attacker on the local network to     cause a denial of service. (CVE-2011-3347, Moderate)

  - A flaw in the auerswald USB driver could allow a local,     unprivileged user to cause a denial of service or     escalate their privileges by inserting a specially     crafted USB device. (CVE-2009-4067, Low)

  - A flaw in the Trusted Platform Module (TPM)     implementation could allow a local, unprivileged user to     leak information to user space. (CVE-2011-1160, Low)

  - A local, unprivileged user could possibly mount a CIFS     share that requires authentication without knowing the     correct password if the mount was already mounted by     another local user. (CVE-2011-1585, Low)

Somnath Kotur discovered an error in the Linux kernel's VLAN (virtual lan) and be2net drivers. An attacker on the local network could exploit this flaw to cause a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Somnath Kotur discovered an error in the Linux kernel's VLAN (virtual lan) and be2net drivers. An attacker on the local network could exploit this flaw to cause a denial of service. (CVE-2011-3347).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Paolo Bonzini discovered a flaw in Linux's handling of the SG_IO ioctl command. A local user, or user in a VM could exploit this flaw to bypass restrictions and gain read/write access to all data on the affected block device. (CVE-2011-4127)

A flaw was found in the Linux kernel's ext4 file system when mounting a corrupt filesystem. A user-assisted remote attacker could exploit this flaw to cause a denial of service. (CVE-2012-2100).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Somnath Kotur discovered an error in the Linux kernel's VLAN (virtual lan) and be2net drivers. An attacker on the local network could exploit this flaw to cause a denial of service.

Updated kernel packages that fix multiple security issues, address several hundred bugs and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the second regular update.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* The proc file system could allow a local, unprivileged user to obtain sensitive information or possibly cause integrity issues.
(CVE-2011-1020, Moderate)

* Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the be2net driver could allow an attacker on the local network to cause a denial of service.
(CVE-2011-3347, Moderate)

* A flaw was found in the Linux kernel in the way splitting two extents in ext4_ext_convert_to_initialized() worked. A local, unprivileged user with access to mount and unmount ext4 file systems could use this flaw to cause a denial of service. (CVE-2011-3638, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's key management facility handled user-defined key types. A local, unprivileged user could use the keyctl utility to cause a denial of service. (CVE-2011-4110, Moderate)

Red Hat would like to thank Kees Cook for reporting CVE-2011-1020;
Somnath Kotur for reporting CVE-2011-3347; and Zheng Liu for reporting CVE-2011-3638.

This update also fixes several hundred bugs and adds enhancements.
Refer to the Red Hat Enterprise Linux 6.2 Release Notes for information on the most significant of these changes, and the Technical Notes for further information, both linked to in the References.

All Red Hat Enterprise Linux 6 users are advised to install these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Red Hat Enterprise Linux 6.2 Release Notes and Technical Notes. The system must be rebooted for this update to take effect.

Rebase to upstream 3.1.1 kernel Fix boot regression on 64-bit EFI machines Update to the Linux 3.0.8 (2.6.40.8) stable release. Fix assorted security bugs. Bugfix update Update to the latest 3.0.7 stable kernel release which includes a variety of fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important)

* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important)

* A malicious CIFS (Common Internet File System) server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* A local attacker could use mount.ecryptfs_private to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update must also be installed. (CVE-2011-1833, Moderate)

* A flaw in the taskstats subsystem could allow a local, unprivileged user to cause excessive CPU time and memory use. (CVE-2011-2484, Moderate)

* Mapping expansion handling could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2496, Moderate)

* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* RHSA-2011:1065 introduced a regression in the Ethernet bridge implementation. If a system had an interface in a bridge, and an attacker on the local network could send packets to that interface, they could cause a denial of service on that system. Xen hypervisor and KVM (Kernel-based Virtual Machine) hosts often deploy bridge interfaces. (CVE-2011-2942, Moderate)

* A flaw in the Xen hypervisor IOMMU error handling implementation could allow a privileged guest user, within a guest operating system that has direct control of a PCI device, to cause performance degradation on the host and possibly cause it to hang. (CVE-2011-3131, Moderate)

* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence number and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A flaw in the kernel's clock implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-3209, Moderate)

* Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the be2net driver could allow an attacker on the local network to cause a denial of service.
(CVE-2011-3347, Moderate)

* A flaw in the auerswald USB driver could allow a local, unprivileged user to cause a denial of service or escalate their privileges by inserting a specially crafted USB device. (CVE-2009-4067, Low)

* A flaw in the Trusted Platform Module (TPM) implementation could allow a local, unprivileged user to leak information to user space.
(CVE-2011-1160, Low)

* A local, unprivileged user could possibly mount a CIFS share that requires authentication without knowing the correct password if the mount was already mounted by another local user. (CVE-2011-1585, Low)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; the Ubuntu Security Team for reporting CVE-2011-1833; Vasiliy Kulikov of Openwall for reporting CVE-2011-2484; Robert Swiecki for reporting CVE-2011-2496; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yasuaki Ishimatsu for reporting CVE-2011-3209; Somnath Kotur for reporting CVE-2011-3347; Rafael Dominguez Vega for reporting CVE-2009-4067; and Peter Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1833.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2011-1386.

ID	Name	Product	Family	Severity
79280	RHEL 5 : rhev-hypervisor (RHSA-2011:1408)	Nessus	Red Hat Local Security Checks	medium
74661	openSUSE Security Update : Kernel (openSUSE-SU-2012:0812-1)	Nessus	SuSE Local Security Checks	high
68425	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2037)	Nessus	Oracle Linux Local Security Checks	high
68375	Oracle Linux 5 : kernel (ELSA-2011-1386)	Nessus	Oracle Linux Local Security Checks	critical
64027	RHEL 6 : kernel (RHSA-2012:0116)	Nessus	Red Hat Local Security Checks	medium
61185	Scientific Linux Security Update : Scientific Linux 6 kernel on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
61162	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
58533	Ubuntu 11.10 : linux vulnerability (USN-1412-1)	Nessus	Ubuntu Local Security Checks	medium
58497	Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1409-1)	Nessus	Ubuntu Local Security Checks	medium
58493	Ubuntu 11.10 : linux vulnerabilities (USN-1405-1)	Nessus	Ubuntu Local Security Checks	critical
58492	USN-1404-1 : linux-ti-omap4 vulnerability	Nessus	Ubuntu Local Security Checks	high
57012	RHEL 6 : kernel (RHSA-2011:1530)	Nessus	Red Hat Local Security Checks	medium
56865	Fedora 15 : kernel-2.6.41.1-1.fc15 (2011-15856)	Nessus	Fedora Local Security Checks	medium
56577	RHEL 5 : kernel (RHSA-2011:1386)	Nessus	Red Hat Local Security Checks	critical
56569	CentOS 5 : kernel (CESA-2011:1386)	Nessus	CentOS Local Security Checks	critical
801510	CentOS RHSA-2011-1386 Security Check	Log Correlation Engine	Generic	high

CVE-2011-3347

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

medium

high

high

critical

medium

medium

critical

medium

medium

critical

high

medium

medium

critical

critical

high