Mandrake Linux Security Advisory : kernel (MDKSA-2007:171)
High Nessus Plugin ID 25968
SynopsisThe remote Mandrake Linux host is missing one or more security updates.
DescriptionSome vulnerabilities were discovered and corrected in the Linux 2.6 kernel :
The Linux kernel did not properly save or restore EFLAGS during a context switch, or reset the flags when creating new threads, which allowed local users to cause a denial of service (process crash) (CVE-2006-5755).
The compat_sys_mount function in fs/compat.c allowed local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode (CVE-2006-7203).
The nfnetlink_log function in netfilter allowed an attacker to cause a denial of service (crash) via unspecified vectors which would trigger a NULL pointer dereference (CVE-2007-1496).
The nf_conntrack function in netfilter did not set nfctinfo during reassembly of fragmented packets, which left the default value as IP_CT_ESTABLISHED and could allow remote attackers to bypass certain rulesets using IPv6 fragments (CVE-2007-1497).
The netlink functionality did not properly handle NETLINK_FIB_LOOKUP replies, which allowed a remote attacker to cause a denial of service (resource consumption) via unspecified vectors, probably related to infinite recursion (CVE-2007-1861).
A typo in the Linux kernel caused RTA_MAX to be used as an array size instead of RTN_MAX, which lead to an out of bounds access by certain functions (CVE-2007-2172).
The IPv6 protocol allowed remote attackers to cause a denial of service via crafted IPv6 type 0 route headers that create network amplification between two routers (CVE-2007-2242).
The random number feature did not properly seed pools when there was no entropy, or used an incorrect cast when extracting entropy, which could cause the random number generator to provide the same values after reboots on systems without an entropy source (CVE-2007-2453).
A memory leak in the PPPoE socket implementation allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized (CVE-2007-2525).
An integer underflow in the cpuset_tasks_read function, when the cpuset filesystem is mounted, allowed local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file (CVE-2007-2875).
The sctp_new function in netfilter allowed remote attackers to cause a denial of service by causing certain invalid states that triggered a NULL pointer dereference (CVE-2007-2876).
In addition to these security fixes, other fixes have been included such as :
- Fix crash on netfilter when nfnetlink_log is used on certain hooks on packets forwarded to or from a bridge
- Fixed busy sleep on IPVS which caused high load averages
- Fixed possible race condition on ext_link
- Fixed missing braces in condition block that led to wrong behaviour in NFS
- Fixed XFS lock deallocation that resulted in oops when unmounting
To update your kernel, please follow the directions located at :
SolutionUpdate the affected packages.