Mandrake Linux Security Advisory : kernel (MDKSA-2003:074)
Critical Nessus Plugin ID 14057
SynopsisThe remote Mandrake Linux host is missing one or more security updates.
DescriptionMultiple vulnerabilities were discovered and fixed in the Linux kernel.
- CVE-2003-0001: Multiple ethernet network card drivers do not pad frames with null bytes which allows remote attackers to obtain information from previous packets or kernel memory by using special malformed packets.
- CVE-2003-0244: The route cache implementation in the 2.4 kernel and the Netfilter IP conntrack module allows remote attackers to cause a Denial of Service (DoS) via CPU consumption due to packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.
- CVE-2003-0246: The ioperm implementation in 2.4.20 and earlier kernels does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.
- CVE-2003-0247: A vulnerability in the TTY layer of the 2.4 kernel allows attackers to cause a kernel oops resulting in a DoS.
- CVE-2003-0248: The mxcsr code in the 2.4 kernel allows attackers to modify CPU state registers via a malformed address.
- CVE-2003-0462: A file read race existed in the execve() system call.
Kernels for 9.1/x86 are also available (see MDKSA-2003:066).
MandrakeSoft encourages all users to upgrade to these new kernels.
For full instructions on how to properly upgrade your kernel, please review http://www.mandrakesecure.net/en/docs/magic.php.
SolutionUpdate the affected packages.