RHSA-2005:514 - Security Advisory

Topic

Updated kernel packages are now available as part of ongoing support
and maintenance of Red Hat Enterprise Linux version 4. This is the
second regular update.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

Description

The Linux kernel handles the basic functions of the operating system.

This is the second regular kernel update to Red Hat Enterprise Linux 4.

New features introduced in this update include:

• Audit support
• systemtap - kprobes, relayfs
• Keyring support
• iSCSI Initiator - iscsi_sfnet 4:0.1.11-1
• Device mapper multipath support
• Intel dual core support
• esb2 chipset support
• Increased exec-shield coverage
• Dirty page tracking for HA systems
• Diskdump -- allow partial diskdumps and directing to swap

There were several bug fixes in various parts of the kernel. The ongoing
effort to resolve these problems has resulted in a marked improvement
in the reliability and scalability of Red Hat Enterprise Linux 4.

The following security bugs were fixed in this update, detailed below with
corresponding CAN names available from the Common Vulnerabilities and
Exposures project (cve.mitre.org):

• flaws in ptrace() syscall handling on 64-bit systems that allowed a local

user to cause a denial of service (crash) (CAN-2005-0756, CAN-2005-1761,
CAN-2005-1762, CAN-2005-1763)

• flaws in IPSEC network handling that allowed a local user to cause a

denial of service or potentially gain privileges (CAN-2005-2456, CAN-2005-2555)

• a flaw in sendmsg() syscall handling on 64-bit systems that allowed a

local user to cause a denial of service or potentially gain privileges
(CAN-2005-2490)

• a flaw in sendmsg() syscall handling that allowed a local user to cause a

denial of service by altering hardware state (CAN-2005-2492)

• a flaw that prevented the topdown allocator from allocating mmap areas

all the way down to address zero (CAN-2005-1265)

• flaws dealing with keyrings that could cause a local denial of service

(CAN-2005-2098, CAN-2005-2099)

• a flaw in the 4GB split patch that could allow a local denial of service

(CAN-2005-2100)

• a xattr sharing bug in the ext2 and ext3 file systems that could cause

default ACLs to disappear (CAN-2005-2801)

• a flaw in the ipt_recent module on 64-bit architectures which could allow

a remote denial of service (CAN-2005-2872)

The following device drivers have been upgraded to new versions:

qla2100 --------- 8.00.00b21-k to 8.01.00b5-rh2
qla2200 --------- 8.00.00b21-k to 8.01.00b5-rh2
qla2300 --------- 8.00.00b21-k to 8.01.00b5-rh2
qla2322 --------- 8.00.00b21-k to 8.01.00b5-rh2
qla2xxx --------- 8.00.00b21-k to 8.01.00b5-rh2
qla6312 --------- 8.00.00b21-k to 8.01.00b5-rh2
megaraid_mbox --- 2.20.4.5 to 2.20.4.6
megaraid_mm ----- 2.20.2.5 to 2.20.2.6
lpfc ------------ 0:8.0.16.6_x2 to 0:8.0.16.17
cciss ----------- 2.6.4 to 2.6.6
ipw2100 --------- 1.0.3 to 1.1.0
tg3 ------------- 3.22-rh to 3.27-rh
e100 ------------ 3.3.6-k2-NAPI to 3.4.8-k2-NAPI
e1000 ----------- 5.6.10.1-k2-NAPI to 6.0.54-k2-NAPI
3c59x ----------- LK1.1.19
mptbase --------- 3.01.16 to 3.02.18
ixgb ------------ 1.0.66 to 1.0.95-k2-NAPI
libata ---------- 1.10 to 1.11
sata_via -------- 1.0 to 1.1
sata_ahci ------- 1.00 to 1.01
sata_qstor ------ 0.04
sata_sil -------- 0.8 to 0.9
sata_svw -------- 1.05 to 1.06
s390: crypto ---- 1.31 to 1.57
s390: zfcp ------
s390: CTC-MPC ---
s390: dasd -------
s390: cio -------
s390: qeth ------

All Red Hat Enterprise Linux 4 users are advised to upgrade their
kernels to the packages associated with their machine architectures
and configurations as listed in this erratum.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 114578 - RHEL4 U1: File Delegation, at least read-only.
• BZ - 130914 - RHEL4: keyring support (OpenAFS enabler)
• BZ - 134790 - Inspiron 8500 practically hangs when configuring b44 NIC with 1.5G memory
• BZ - 135669 - tcsendbreak fails in compat mode
• BZ - 137343 - RH40-beta1, embedded IDE/PCI drivers not honoring Sub ID's/Class code
• BZ - 140002 - [PATCH] i2o_block timeout Adaptec 2400A raid card
• BZ - 141783 - domain validation fails on DVD-305 when CD in drive
• BZ - 142989 - Terminated threads' resource usage is hidden from procps
• BZ - 144668 - System doesn't reboot even if kernel.panic is > 0 on RHEL-4 Beta-2.
• BZ - 145575 - [RHEL4-U2][Diskdump] Partial dump
• BZ - 145648 - Socket option IP_FREEBIND has no effect on SCTP socket.
• BZ - 145659 - Socket option SO_BINDTODEVICE problems with SCTP listening socket.
• BZ - 145976 - Sub-second mtime changes without modifying file
• BZ - 146187 - [RHEL4RC1] chicony usb keyboard fails, with side effects
• BZ - 147233 - NFSv3 over Kerberos: gss_get_mic FAILED during xdm login attempt
• BZ - 147496 - Sense data errors are seen when trying to access a travan tape device
• BZ - 149478 - Bug / data corruption on error handling in Ext3 under I/O failure condition
• BZ - 149919 - highmem.c: fix bio error propagation
• BZ - 149979 - kernel panic when tar'ing data to IDE Tape device
• BZ - 150152 - nfsv4 callback authentication patch
• BZ - 151222 - smp_apic_timer_interrupt() executes on kernel thread stack
• BZ - 151315 - kernel BUG() at pageattr:107 with rmmod e1000
• BZ - 151323 - Kernel BUG at pageattr:107
• BZ - 151429 - Fusion MPT doesn't handle multiple PCI domains correctly
• BZ - 152162 - LVM snapshots over md raid1 cause corruption
• BZ - 152440 - ppc64 arches can crash when single setpping a debugger through syscall return code
• BZ - 152619 - openipmi drivers missing compat_ioctl's on x86_64 kernel
• BZ - 152982 - fail to mount nfs4 servers
• BZ - 154055 - RHEL4 U1 Oracle 10G 10.0.3 aio hang running tpc-c
• BZ - 154100 - assertion failrue in semaphore.h caused by perfmon
• BZ - 154347 - spin_lock already locked by xfrm4_output
• BZ - 154435 - kernel dm-emc: Fix spinlock reset
• BZ - 154442 - kernel dm-multipath: multiple pg_inits can be issued in parallel
• BZ - 154451 - CAN-2005-1762 x86_64 sysret exception leads to DoS
• BZ - 154733 - oops when catting /proc/net/ip_conntrack_expect
• BZ - 155278 - Debugger killed by kernel when looking at the lowest addressed vmalloc page
• BZ - 155354 - 20050313 SCSI tape security
• BZ - 155706 - CAN-2005-2801 xattr sharing bug
• BZ - 155932 - [RHEL4-U2][Diskdump] hangs when SCSI drive is busy
• BZ - 156010 - [RHEL4-U2] Diskdump - swap partition support
• BZ - 156705 - Serial console corrupt on boot
• BZ - 157239 - Systemtap patches to be ported to RHEL4 U2 kernel
• BZ - 157725 - sysctl -A returns an error
• BZ - 157900 - [not quite PATCH] tg3 driver crashes kernel with BCM5752 chip, newer driver is OK
• BZ - 158107 - Serial console turns into garbage after initialising 16550A
• BZ - 158293 - nfs server intermitently claims ENOENT on existing files or directories
• BZ - 158878 - CAN-2005-1265 Prevent NULL mmap in topdown model
• BZ - 158883 - Annoying i2o_config kernel module messages during raidutil run
• BZ - 158930 - 32-bit GETBLKSIZE ioctl overflows incorrectly on 64-bit hosts.
• BZ - 158974 - [Patch] modprobling a module signed with a key not known to the kernel can result in a panic.
• BZ - 159640 - proc and sysctl interface for lockd grace period do not work
• BZ - 159671 - CAN-2005-1761 local user can use ptrace to crash system
• BZ - 159739 - [Stratus RHEL4U2] csb5 functions are tagged with __init. This causes a crash in a hot-plug environment
• BZ - 159765 - RHEL4 Data corruption in spite of using O_SYNC
• BZ - 159918 - CAN-2005-0756 x86_64 crash (ptrace-check-segment)
• BZ - 159921 - CAN-2005-1763 x86_64 crash (x86_64-ptrace-overflow)
• BZ - 160028 - Kernel BUG at pageattr:107
• BZ - 160518 - audit: file system and user space filtering by auid
• BZ - 160522 - audit: teach OOM killer about auditd
• BZ - 160524 - audit: file system attribute change tracking
• BZ - 160526 - audit:PATH record mode flags are wrong sometimes
• BZ - 160528 - audit: file system watch on block device
• BZ - 160547 - when removing scsi hosts commands are not leaked
• BZ - 160548 - when removing scsi hosts commands are not leaked
• BZ - 160654 - audit: kernel audits auditd
• BZ - 160663 - cable link state ignored on ethernet card (b44).
• BZ - 160812 - fixes exec-shield to not randomize to between end-of-binary and start-of-brk
• BZ - 160882 - i2o RAID monitoring memory leak
• BZ - 161143 - Need export of generic_drop_inode for OCFS2 support
• BZ - 161156 - 'mt tell' fails - backported kernel bug likely
• BZ - 161314 - Bluetooth paring did not work anymore since update to 2.6.9-11.EL
• BZ - 161789 - GET_INDEX macro in aspm pci fixup code can overwrite end of the array
• BZ - 161995 - kernel panic when rm -rf directory structure on tmpfs filesystem
• BZ - 162108 - only the main thread is shown by top(1)
• BZ - 162257 - irq stacks not being used for hardirqs
• BZ - 162548 - interrupt handlers run on thread's kernel stack
• BZ - 162728 - JBD race during shutdown of a journal
• BZ - 163528 - /dev/tty won't open during blocking /dev/ttyS1 open
• BZ - 164094 - Placeholder for 2.6.x SATA update 20050724-1
• BZ - 164228 - Export sys_recvmesg for cluster snapshot
• BZ - 164338 - fix aio hang when reading beyond EOF
• BZ - 164449 - RHEL4 [NETFILTER]: Fix deadlock in ip6_queue.
• BZ - 164450 - [NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
• BZ - 164628 - pci_scan_device can cause master abort
• BZ - 164630 - panic while running fsstress to a filesystem on a mirror
• BZ - 164979 - CAN-2005-2098 Error during attempt to join key management session can leave semaphore pinned
• BZ - 164991 - CAN-2005-2099 Destruction of failed keyring oopses
• BZ - 165127 - acpi_processor_get_performance_states fails on empty table entries (_PSS)
• BZ - 165163 - audit - syscall performance
• BZ - 165242 - mirrors possibly reporting invalid blocks to the filesystem
• BZ - 165384 - cpufreq driver hangs when using SMP Powernow
• BZ - 165547 - CAN-2005-2100 4G/4G split bounds checking
• BZ - 165560 - CAN-2005-2456 IPSEC overflow
• BZ - 165717 - ext on top of mirror attempts to access beyond end of device: dm-5: rw=0, want=16304032720, limit=20971520
• BZ - 166131 - CAN-2005-2555 IPSEC lacks restrictions
• BZ - 166248 - CAN-2005-2490 sendmsg compat stack overflow
• BZ - 166830 - CAN-2005-2492 sendmsg DoS
• BZ - 167126 - bad elf check in module-verify.c
• BZ - 167412 - [RFC] [RHEL4 U2 patch] dual-core detection gap for i386 build
• BZ - 167668 - LTC17960-Kernel panic at key_put+0x4/0x19 [REGRESSION]
• BZ - 167703 - CAN-2005-2872 ipt_recent crash
• BZ - 167711 - LTC18014-powernow-k8 debug messages are enabled

CVEs

• CVE-2005-0756
• CVE-2005-1761
• CVE-2005-1762
• CVE-2005-2456
• CVE-2005-2490
• CVE-2005-2555
• CVE-2005-3274
• CVE-2005-1265
• CVE-2005-1763
• CVE-2005-2098
• CVE-2005-2099
• CVE-2005-2100
• CVE-2005-2492
• CVE-2005-2801
• CVE-2005-2872
• CVE-2005-3105
• CVE-2005-3275
• CVE-2006-5871
• CVE-2005-4886

References

(none)