http://downloads.avaya.com/css/P8/documents/100156038

http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a9cf73ea7ff78f52662c8658d93c226effbbedde

[oss-security] 20111121 Re: CVE Request -- kernel: wrong headroom check in udp6_ufo_fragment()

50751

https://bugzilla.redhat.com/show_bug.cgi?id=682066

https://bugzilla.redhat.com/show_bug.cgi?id=755584

https://github.com/torvalds/linux/commit/a9cf73ea7ff78f52662c8658d93c226effbbedde

Updated kernel-rt packages that fix several security issues and two bugs are now available for Red Hat Enterprise MRG 2.0.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A malicious CIFS (Common Internet File System) server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* The way fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on were handled could allow a remote attacker to cause a denial of service. (CVE-2011-4326, Important)

* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A flaw in the FUSE (Filesystem in Userspace) implementation could allow a local user in the fuse group who has access to mount a FUSE file system to cause a denial of service. (CVE-2011-3353, Moderate)

* A flaw in the b43 driver. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate)

* A flaw in the way CIFS shares with DFS referrals at their root were handled could allow an attacker on the local network, who is able to deploy a malicious CIFS server, to create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate)

* A flaw in the m_stop() implementation could allow a local, unprivileged user to trigger a denial of service. (CVE-2011-3637, Moderate)

* Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-4081, Moderate)

* A flaw in the key management facility could allow a local, unprivileged user to cause a denial of service via the keyctl utility.
(CVE-2011-4110, Moderate)

* A flaw in the Journaling Block Device (JBD) could allow a local attacker to crash the system by mounting a specially crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate)

* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)

* I/O statistics from the taskstats subsystem could be read without any restrictions, which could allow a local, unprivileged user to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low)

* Flaws in tpacket_rcv() and packet_recvmsg() could allow a local, unprivileged user to leak information to user-space. (CVE-2011-2898, Low)

Red Hat would like to thank Darren Lavender for reporting CVE-2011-3191; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363; Nick Bowler for reporting CVE-2011-4081; Peter Huewe for reporting CVE-2011-1162; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494.

This update also fixes the following bugs :

* Previously, a mismatch in the build-id of the kernel-rt and the one in the related debuginfo package caused failures in SystemTap and perf. (BZ#768413)

* IBM x3650m3 systems were not able to boot the MRG Realtime kernel because they require a pmcraid driver that was not available. The pmcraid driver is included in this update. (BZ#753992)

Users should upgrade to these updated packages, which correct these issues. The system must be rebooted for this update to take effect.

IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699 , Important)

A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191 , Important)

A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. (CVE-2011-4326 , Important)

The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188 , Moderate)

A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service. (CVE-2011-3353 , Moderate)

A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359 , Moderate)

A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363 , Moderate)

A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. (CVE-2011-3593 , Moderate)

A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162 , Low)

A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially crafted partition tables. (CVE-2011-1577 , Low)

The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494 , Low)

It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user.
(CVE-2011-2905 , Low)

Description of changes:

* CVE-2011-1161: Information leak in transmission logic of TPM driver.

A missing buffer size check in tpm_transmit could allow leaking of potentially sensitive kernel memory.

* CVE-2011-1162: Information leak in TPM driver.

A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command.  (CVE-2011-1162, Low)

* CVE-2011-2494: Information leak in task/process statistics.

The I/O statistics from the taskstats subsystem could be read without any restrictions.  A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process.  (CVE-2011-2494, Low)

* CVE-2011-3188: Weak TCP sequence number generation.

The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections.  Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* CVE-2011-1577: Missing boundary checks in GPT partition handling.


A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially crafted partition tables.  (CVE-2011-1577, Low)

* CVE-2011-3191: Memory corruption in CIFS.

A malicious CIFS server could overflow a signed integer value, causing a memcpy() to scribble over a large amount of memory.

* CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.

A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation.  A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service.  (CVE-2011-3353, Moderate)

* CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.

A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on.  A remote attacker could use this flaw to cause a denial of service.  (CVE-2011-4326, Important)

* CVE-2011-3593: Denial of service in VLAN with priority tagged frames.

A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set.  When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service.  (CVE-2011-3593, Moderate)

* CVE-2011-2699: Predictable IPv6 fragment identification numbers.

IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services.  (CVE-2011-2699, Important)

kernel-uek:

[2.6.32-200.23.1.el5uek]
- net: Remove atmclip.h to prevent break kabi check.
- KConfig: add CONFIG_UEK5=n to ol6/config-generic

  [2.6.32-200.22.1.el5uek]
- ipv6: make fragment identifications less predictable (Joe Jin) {CVE-2011-2699}
- vlan: fix panic when handling priority tagged frames (Joe Jin) {CVE-2011-3593}
- ipv6: udp: fix the wrong headroom check (Maxim Uvarov) {CVE-2011-4326}
- b43: allocate receive buffers big enough for max frame len + offset (Maxim Uvarov) {CVE-2011-3359}
- fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message (Maxim Uvarov) {CVE-2011-3353}
- cifs: fix possible memory corruption in CIFSFindNext (Maxim Uvarov) {CVE-2011-3191}
- crypto: md5 - Add export support (Maxim Uvarov) {CVE-2011-2699}
- fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops (Maxim Uvarov) {CVE-2011-1577}
- block: use struct parsed_partitions *state universally in partition check code (Maxim Uvarov)
- net: Compute protocol sequence numbers and fragment IDs using MD5. (Maxim Uvarov) {CVE-2011-3188}
- crypto: Move md5_transform to lib/md5.c (Maxim Uvarov) {CVE-2011-3188}
- perf tools: do not look at ./config for configuration (Maxim Uvarov) {CVE-2011-2905}
- Make TASKSTATS require root access (Maxim Uvarov) {CVE-2011-2494}
- TPM: Zero buffer after copying to userspace (Maxim Uvarov) {CVE-2011-1162}
- TPM: Call tpm_transmit with correct size (Maxim Uvarov){CVE-2011-1161}
- fnic: fix panic while booting in fnic(Xiaowei Hu)
- Revert 'PCI hotplug: acpiphp: set current_state to D0 in register_slot' (Guru Anbalagane)
- xen: drop xen_sched_clock in favour of using plain wallclock time (Jeremy Fitzhardinge)

[2.6.32-200.21.1.el5uek]
- PCI: Set device power state to PCI_D0 for device without native PM support    (Ajaykumar Hotchandani) [orabug 13033435]

From Red Hat Security Advisory 2011:1465 :

Updated kernel packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important)

* A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. (CVE-2011-4326, Important)

* The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service. (CVE-2011-3353, Moderate)

* A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate)

* A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate)

* A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. (CVE-2011-3593, Moderate)

* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)

* A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially crafted partition tables. (CVE-2011-1577, Low)

* The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low)

* It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user.
(CVE-2011-2905, Low)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363;
Gideon Naim for reporting CVE-2011-3593; Peter Huewe for reporting CVE-2011-1162; Timo Warns for reporting CVE-2011-1577; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494.

This update also fixes various bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - IPv6 fragment identification value generation could     allow a remote attacker to disrupt a target system's     networking, preventing legitimate users from accessing     its services. (CVE-2011-2699, Important)

  - A signedness issue was found in the Linux kernel's CIFS     (Common Internet File System) implementation. A     malicious CIFS server could send a specially crafted     response to a directory read request that would result     in a denial of service or privilege escalation on a     system that has a CIFS share mounted. (CVE-2011-3191,     Important)

  - A flaw was found in the way the Linux kernel handled     fragmented IPv6 UDP datagrams over the bridge with UDP     Fragmentation Offload (UFO) functionality on. A remote     attacker could use this flaw to cause a denial of     service. (CVE-2011-4326, Important)

  - The way IPv4 and IPv6 protocol sequence numbers and     fragment IDs were generated could allow a     man-in-the-middle attacker to inject packets and     possibly hijack connections. Protocol sequence numbers     and fragment IDs are now more random. (CVE-2011-3188,     Moderate)

  - A buffer overflow flaw was found in the Linux kernel's     FUSE (Filesystem in Userspace) implementation. A local     user in the fuse group who has access to mount a FUSE     file system could use this flaw to cause a denial of     service. (CVE-2011-3353, Moderate)

  - A flaw was found in the b43 driver in the Linux kernel.
    If a system had an active wireless interface that uses     the b43 driver, an attacker able to send a specially     crafted frame to that interface could cause a denial of     service. (CVE-2011-3359, Moderate)

  - A flaw was found in the way CIFS shares with DFS     referrals at their root were handled. An attacker on the     local network who is able to deploy a malicious CIFS     server could create a CIFS network share that, when     mounted, would cause the client system to crash.
    (CVE-2011-3363, Moderate)

  - A flaw was found in the way the Linux kernel handled     VLAN 0 frames with the priority tag set. When using     certain network drivers, an attacker on the local     network could use this flaw to cause a denial of     service. (CVE-2011-3593, Moderate)

  - A flaw in the way memory containing security-related     data was handled in tpm_read() could allow a local,     unprivileged user to read the results of a previously     run TPM command. (CVE-2011-1162, Low)

  - A heap overflow flaw was found in the Linux kernel's EFI     GUID Partition Table (GPT) implementation. A local     attacker could use this flaw to cause a denial of     service by mounting a disk that contains specially     crafted partition tables. (CVE-2011-1577, Low)

  - The I/O statistics from the taskstats subsystem could be     read without any restrictions. A local, unprivileged     user could use this flaw to gather confidential     information, such as the length of a password used in a     process. (CVE-2011-2494, Low)

  - It was found that the perf tool, a part of the Linux     kernel's Performance Events implementation, could load     its configuration file from the current working     directory. If a local user with access to the perf tool     were tricked into running perf in a directory that     contains a specially crafted configuration file, it     could cause perf to overwrite arbitrary files and     directories accessible to that user. (CVE-2011-2905,     Low)

This update also fixes various bugs.

Peter Huewe discovered an information leak in the handling of reading security-related TPM data. A local, unprivileged user could read the results of a previous TPM command. (CVE-2011-1162)

A bug was discovered in the XFS filesystem's handling of pathnames. A local attacker could exploit this to crash the system, leading to a denial of service, or gain root privileges. (CVE-2011-4077)

Nick Bowler discovered the kernel GHASH message digest algorithm incorrectly handled error conditions. A local attacker could exploit this to cause a kernel oops. (CVE-2011-4081)

A flaw was found in the Journaling Block Device (JBD). A local attacker able to mount ext3 or ext4 file systems could exploit this to crash the system, leading to a denial of service. (CVE-2011-4132)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326)

Clement Lecigne discovered a bug in the HFS file system bounds checking. When a malformed HFS file system is mounted a local user could crash the system or gain root privileges. (CVE-2011-4330).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A bug was discovered in the XFS filesystem's handling of pathnames. A local attacker could exploit this to crash the system, leading to a denial of service, or gain root privileges. (CVE-2011-4077)

Nick Bowler discovered the kernel GHASH message digest algorithm incorrectly handled error conditions. A local attacker could exploit this to cause a kernel oops. (CVE-2011-4081)

Scot Doyle discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2011-4087)

A flaw was found in the Journaling Block Device (JBD). A local attacker able to mount ext3 or ext4 file systems could exploit this to crash the system, leading to a denial of service. (CVE-2011-4132)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326)

Clement Lecigne discovered a bug in the HFS file system bounds checking. When a malformed HFS file system is mounted a local user could crash the system or gain root privileges. (CVE-2011-4330)

Peter Huewe discovered an information leak in the handling of reading security-related TPM data. A local, unprivileged user could read the results of a previous TPM command. (CVE-2011-1162)

A bug was discovered in the XFS filesystem's handling of pathnames. A local attacker could exploit this to crash the system, leading to a denial of service, or gain root privileges. (CVE-2011-4077)

Nick Bowler discovered the kernel GHASH message digest algorithm incorrectly handled error conditions. A local attacker could exploit this to cause a kernel oops. (CVE-2011-4081)

A flaw was found in the Journaling Block Device (JBD). A local attacker able to mount ext3 or ext4 file systems could exploit this to crash the system, leading to a denial of service. (CVE-2011-4132)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326)

Clement Lecigne discovered a bug in the HFS file system bounds checking. When a malformed HFS file system is mounted a local user could crash the system or gain root privileges. (CVE-2011-4330).

A bug was discovered in the XFS filesystem's handling of pathnames. A local attacker could exploit this to crash the system, leading to a denial of service, or gain root privileges. (CVE-2011-4077)

Nick Bowler discovered the kernel GHASH message digest algorithm incorrectly handled error conditions. A local attacker could exploit this to cause a kernel oops. (CVE-2011-4081)

A flaw was found in the Journaling Block Device (JBD). A local attacker able to mount ext3 or ext4 file systems could exploit this to crash the system, leading to a denial of service. (CVE-2011-4132)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326)

Clement Lecigne discovered a bug in the HFS file system bounds checking. When a malformed HFS file system is mounted a local user could crash the system or gain root privileges. (CVE-2011-4330)

The SUSE Linux Enterprise 11 Service Pack 1 kernel has been updated to version 2.6.32.49 and fixes various bugs and security issues.

  - The TCP/IP initial sequence number generation     effectively only used 24 bits of 32 to generate     randomness, making a brute-force man-in-the-middle     attack on TCP/IP connections feasible. The generator was     changed to use full 32bit randomness. (CVE-2011-3188)

  - Fernando Gont discovered that the IPv6 stack used     predictable fragment identification numbers. A remote     attacker could exploit this to exhaust network     resources, leading to a denial of service.
    (CVE-2011-2699)

  - A NULL ptr dereference on mounting corrupt hfs     filesystems was fixed which could be used by local     attackers to crash the kernel. (CVE-2011-2203)

  - Added a kernel option to ensure ecryptfs is mounting     only on paths belonging to the current ui, which would     have allowed local attackers to potentially gain     privileges via symlink attacks. (CVE-2011-1833)

  - The Generic Receive Offload (GRO) implementation in the     Linux kernel allowed remote attackers to cause a denial     of service via crafted VLAN packets that are processed     by the napi_reuse_skb function, leading to (1) a memory     leak or (2) memory corruption, a different vulnerability     than CVE-2011-1478. (CVE-2011-1576)

  - A name overflow in the hfs filesystem was fixed, where     mounting a corrupted hfs filesystem could lead to a     stack overflow and code execution in the kernel. This     requires a local attacker to be able to mount hfs     filesystems. (CVE-2011-4330)

  - A bug was found in the way headroom check was performed     in udp6_ufo_fragment() function. A remote attacker could     use this flaw to crash the system. (CVE-2011-4326)

The following non-security bugs have been fixed :

  - ALSA: hda - Fix S3/S4 problem on machines with VREF-pin     mute-LED. (bnc#732535)

  - patches.xen/xen-pcpu-hotplug: Fix a double kfree().

  - ixgbe: fix bug with vlan strip in promsic mode     (bnc#687049, fate#311821).

  - ixgbe: fix panic when shutting down system with WoL     enabled.

  - fnic: Allow users to modify dev_loss_tmo setting.
    (bnc#719786)

  - x86, intel: Do not mark sched_clock() as stable.
    (bnc#725709)

  - ALSA: hda - Keep vref-LED during power-saving on IDT     codecs. (bnc#731981)

  - cifs: Assume passwords are encoded according to     iocharset. (bnc#731035)

  - scsi_dh: Check queuedata pointer before proceeding.
    (bnc#714744)

  - netback: use correct index for invalidation in     netbk_tx_check_mop().

  - ACPI video: introduce module parameter     video.use_bios_initial_backlight. (bnc#731229)

  - SUNRPC: prevent task_cleanup running on freed xprt.
    (bnc#709671)

  - add device entry for Broadcom Valentine combo card.
    (bnc#722429)

  - quota: Fix WARN_ON in lookup_one_len. (bnc#728626)

  - Update Xen patches to 2.6.32.48.

  - pv-on-hvm/kexec: add xs_reset_watches to shutdown     watches from old kernel. (bnc#694863)

  - x86: undo_limit_pages() must reset page count.

  - mm/vmstat.c: cache align vm_stat. (bnc#729721)

  - s390/ccwgroup: fix uevent vs dev attrs race     (bnc#659101,LTC#69028).

  - Warn on pagecache limit usage (FATE309111).

  - SCSI: st: fix race in st_scsi_execute_end. (bnc#720536)

  - ACPI: introduce 'acpi_rsdp=' parameter for kdump.
    (bnc#717263)

  - elousb: Limit the workaround warning to one per error,     control workaround activity. (bnc#719916)

  - SCSI: libiscsi: reset cmd timer if cmds are making     progress. (bnc#691440)

  - SCSI: fix crash in scsi_dispatch_cmd(). (bnc#724989)

  - NFS/sunrpc: do not use a credential with extra groups.
    (bnc#725878)

  - s390/qdio: EQBS retry after CCQ 96     (bnc#725453,LTC#76117).

  - fcoe: Reduce max_sectors to 1024. (bnc#695898)

  - apparmor: return -ENOENT when there is no profile for a     hat. (bnc#725502)

  - sched, cgroups: disallow attaching kthreadd.
    (bnc#721840)

  - nfs: Check validity of cl_rpcclient in     nfs_server_list_show. (bnc#717884)

  - x86, vt-d: enable x2apic opt out (disabling x2apic     through BIOS flag) (bnc#701183, fate#311989).

  - block: Free queue resources at blk_release_queue().
    (bnc#723815)

  - ALSA: hda - Add post_suspend patch ops. (bnc#724800)

  - ALSA: hda - Allow codec-specific set_power_state ops.
    (bnc#724800)

  - ALSA: hda - Add support for vref-out based mute LED     control on IDT codecs. (bnc#724800)

  - scsi_dh_rdac : Add definitions for different RDAC     operating modes. (bnc#724365)

  - scsi_dh_rdac : Detect the different RDAC operating     modes. (bnc#724365)

  - scsi_dh_rdac : decide whether to send mode select based     on operating mode. (bnc#724365)

  - scsi_dh_rdac: Use WWID from C8 page instead of Subsystem     id from C4 page to identify storage. (bnc#724365)

  - vlan: Match underlying dev carrier on vlan add.
    (bnc#722504)

  - scsi_lib: pause between error retries. (bnc#675127)

  - xfs: use KM_NOFS for allocations during attribute list     operations. (bnc#721830)

  - bootsplash: Do not crash when no fb is set. (bnc#723542)

  - cifs: do not allow cifs_iget to match inodes of the     wrong type. (bnc#711501)

  - cifs: fix noserverino handling when 1 extensions are     enabled. (bnc#711501)

  - cifs: reduce false positives with inode aliasing     serverino autodisable. (bnc#711501)

  - parport_pc: release IO region properly if unsupported     ITE887x card is found. (bnc#721464)

  - writeback: avoid unnecessary calculation of bdi dirty     thresholds. (bnc#721299)

  - 1: Fix bogus it_blocksize in VIO iommu code.
    (bnc#717690)

  - ext4: Fix max file size and logical block counting of     extent format file. (bnc#706374)

  - novfs: Unable to change password in the Novell Client     for Linux. (bnc#713229)

  - xfs: add more ilock tracing.

  - sched: move wakeup tracepoint above out_running.
    (bnc#712002)

  - config.conf: Build KMPs for the -trace flavor as well     (fate#312759, bnc#712404, bnc#712405, bnc#721337).

  - memsw: remove noswapaccount kernel parameter.
    (bnc#719450)

Peter Huewe discovered an information leak in the handling of reading security-related TPM data. A local, unprivileged user could read the results of a previous TPM command. (CVE-2011-1162)

Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494)

Qianfeng Zhang discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2011-2942)

Yasuaki Ishimatsu discovered a flaw in the kernel's clock implementation. A local unprivileged attacker could exploit this causing a denial of service. (CVE-2011-3209)

Zheng Liu discovered a flaw in how the ext4 filesystem splits extents.
A local unprivileged attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-3638)

Scot Doyle discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-4087)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A bug was discovered in the XFS filesystem's handling of pathnames. A local attacker could exploit this to crash the system, leading to a denial of service, or gain root privileges. (CVE-2011-4077)

Nick Bowler discovered the kernel GHASH message digest algorithm incorrectly handled error conditions. A local attacker could exploit this to cause a kernel oops. (CVE-2011-4081)

A flaw was found in the Journaling Block Device (JBD). A local attacker able to mount ext3 or ext4 file systems could exploit this to crash the system, leading to a denial of service. (CVE-2011-4132)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326)

Clement Lecigne discovered a bug in the HFS file system bounds checking. When a malformed HFS file system is mounted a local user could crash the system or gain root privileges. (CVE-2011-4330).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Vasily Averin discovered that the NFS Lock Manager (NLM) incorrectly handled unlock requests. A local attacker could exploit this to cause a denial of service. (CVE-2011-2491)

Robert Swiecki discovered that mapping extensions were incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2496)

It was discovered that the wireless stack incorrectly verified SSID lengths. A local attacker could exploit this to cause a denial of service or gain root privileges. (CVE-2011-2517)

Ben Pfaff discovered that Classless Queuing Disciplines (qdiscs) were being incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2525).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

and CVE-2011-4110 Fix CVE-2011-4326 and CVE-2011-4132

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important)

* A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. (CVE-2011-4326, Important)

* The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service. (CVE-2011-3353, Moderate)

* A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate)

* A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate)

* A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. (CVE-2011-3593, Moderate)

* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)

* A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially crafted partition tables. (CVE-2011-1577, Low)

* The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low)

* It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user.
(CVE-2011-2905, Low)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363;
Gideon Naim for reporting CVE-2011-3593; Peter Huewe for reporting CVE-2011-1162; Timo Warns for reporting CVE-2011-1577; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494.

This update also fixes various bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)

Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)

Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)

Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)

Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)

Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)

It was discovered that the security fix for CVE-2010-4250 introduced a regression. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1479)

Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493)

It was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573)

Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service.
(CVE-2011-1576)

Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)

Phil Oester discovered that the network bonding system did not correctly handle large queues. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1581)

It was discovered that CIFS incorrectly handled authentication. When a user had a CIFS share mounted that required authentication, a local user could mount the same share without knowing the correct password.
(CVE-2011-1585)

It was discovered that the GRE protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ip_gre module was loading, and crash the system, leading to a denial of service. (CVE-2011-1767)

It was discovered that the IP/IP protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ipip module was loading, and crash the system, leading to a denial of service. (CVE-2011-1768)

Ben Greear discovered that CIFS did not correctly handle direct I/O. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-1771)

Timo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776)

Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)

Ben Hutchings reported a flaw in the kernel's handling of corrupt LDM partitions. A local user could exploit this to cause a denial of service or escalate privileges. (CVE-2011-2182)

Dan Rosenberg discovered that the IPv4 diagnostic routines did not correctly validate certain requests. A local attacker could exploit this to consume CPU resources, leading to a denial of service.
(CVE-2011-2213)

It was discovered that an mmap() call with the MAP_PRIVATE flag on '/dev/zero' was incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2011-2479)

Vasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could exploit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484)

It was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy.
(CVE-2011-2492)

Sami Liedes discovered that ext4 did not correctly handle missing root inodes. A local attacker could trigger the mount of a specially crafted filesystem to cause the system to crash, leading to a denial of service. (CVE-2011-2493)

Robert Swiecki discovered that mapping extensions were incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2496)

Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497)

Ben Pfaff discovered that Classless Queuing Disciplines (qdiscs) were being incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2525)

It was discovered that GFS2 did not correctly check block sizes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2689)

It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695)

Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.
(CVE-2011-2699)

Mauro Carvalho Chehab discovered that the si4713 radio driver did not correctly check the length of memory copies. If this hardware was available, a local attacker could exploit this to crash the system or gain root privileges. (CVE-2011-2700)

Herbert Xu discovered that certain fields were incorrectly handled when Generic Receive Offload (CVE-2011-2723)

The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918)

Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service.
(CVE-2011-2928)

Qianfeng Zhang discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2011-2942)

Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188)

Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191)

Yasuaki Ishimatsu discovered a flaw in the kernel's clock implementation. A local unprivileged attacker could exploit this causing a denial of service. (CVE-2011-3209)

Yogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-3363)

A flaw was discovered in the Linux kernel's AppArmor security interface when invalid information was written to it. An unprivileged local user could use this to cause a denial of service on the system.
(CVE-2011-3619)

A flaw was found in the Linux kernel's /proc/*/*map* interface. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-3637)

Scot Doyle discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-4087)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326)

Ben Hutchings discovered several flaws in the Linux Rose (X.25 PLP) layer. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root. (CVE-2011-4914).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)

Phil Oester discovered that the network bonding system did not correctly handle large queues. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1581)

Ben Hutchings reported a flaw in the kernel's handling of corrupt LDM partitions. A local user could exploit this to cause a denial of service or escalate privileges. (CVE-2011-2182)

Vasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could exploit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484)

Sami Liedes discovered that ext4 did not correctly handle missing root inodes. A local attacker could trigger the mount of a specially crafted filesystem to cause the system to crash, leading to a denial of service. (CVE-2011-2493)

A flaw was discovered in the Linux kernel's AppArmor security interface when invalid information was written to it. An unprivileged local user could use this to cause a denial of service on the system.
(CVE-2011-3619)

Scot Doyle discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-4087)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
76635	RHEL 6 : MRG (RHSA-2012:0010)	Nessus	Red Hat Local Security Checks	critical
69585	Amazon Linux AMI : kernel (ALAS-2011-26)	Nessus	Amazon Linux Local Security Checks	high
68424	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2033)	Nessus	Oracle Linux Local Security Checks	critical
68393	Oracle Linux 6 : kernel (ELSA-2011-1465)	Nessus	Oracle Linux Local Security Checks	critical
61179	Scientific Linux Security Update : kernel on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
57342	Ubuntu 10.04 LTS : linux vulnerabilities (USN-1311-1)	Nessus	Ubuntu Local Security Checks	high
57305	USN-1304-1 : linux-ti-omap4 vulnerabilities	Nessus	Ubuntu Local Security Checks	high
57304	Ubuntu 10.10 : linux-mvl-dove vulnerabilities (USN-1303-1)	Nessus	Ubuntu Local Security Checks	high
57303	USN-1302-1 : linux-ti-omap4 vulnerabilities	Nessus	Ubuntu Local Security Checks	high
57300	Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1299-1)	Nessus	Ubuntu Local Security Checks	high
57297	SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 5493 / 5510 / 5511)	Nessus	SuSE Local Security Checks	high
57058	Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1294-1)	Nessus	Ubuntu Local Security Checks	high
57057	Ubuntu 10.10 : linux vulnerabilities (USN-1293-1)	Nessus	Ubuntu Local Security Checks	high
57056	Ubuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1292-1)	Nessus	Ubuntu Local Security Checks	high
57005	Ubuntu 10.04 LTS : linux vulnerabilities (USN-1286-1)	Nessus	Ubuntu Local Security Checks	high
56967	Fedora 14 : kernel-2.6.35.14-106.fc14 (2011-16346)	Nessus	Fedora Local Security Checks	high
56927	RHEL 6 : kernel (RHSA-2011:1465)	Nessus	Red Hat Local Security Checks	critical
56768	Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1256-1)	Nessus	Ubuntu Local Security Checks	critical
55923	Ubuntu 11.04 : linux vulnerabilities (USN-1193-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2011-4326

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins