- Issued:
- 2005-09-28
- Updated:
- 2005-09-28
RHSA-2005:663 - Security Advisory
Synopsis
Updated kernel packages available for Red Hat Enterprise Linux 3 Update 6
Type/Severity
Security Advisory: Important
Topic
Updated kernel packages are now available as part of ongoing support and
maintenance of Red Hat Enterprise Linux version 3. This is the sixth
regular update.
This security advisory has been rated as having important security impact
by the Red Hat Security Response Team.
Description
The Linux kernel handles the basic functions of the operating system.
This is the sixth regular kernel update to Red Hat Enterprise Linux 3.
New features introduced by this update include:
- diskdump support on HP Smart Array devices
- netconsole/netdump support over bonded interfaces
- new chipset and device support via PCI table updates
- support for new "oom-kill" and "kscand_work_percent" sysctls
- support for dual core processors and ACPI Power Management timers on
AMD64 and Intel EM64T systems
There were many bug fixes in various parts of the kernel. The ongoing
effort to resolve these problems has resulted in a marked improvement in
the reliability and scalability of Red Hat Enterprise Linux 3.
There were numerous driver updates and security fixes (elaborated below).
Other key areas affected by fixes in this update include kswapd, inode
handling, the SATA subsystem, diskdump handling, ptrace() syscall support,
and signal handling.
The following device drivers have been upgraded to new versions:
3w-9xxx ---- 2.24.03.008RH
cciss ------ 2.4.58.RH1
e100 ------- 3.4.8-k2
e1000 ------ 6.0.54-k2
emulex ----- 7.3.2
fusion ----- 2.06.16i.01
iscsi ------ 3.6.2.1
ipmi ------- 35.4
lpfcdfc ---- 1.2.1
qlogic ----- 7.05.00-RH1
tg3 -------- 3.27RH
The following security bugs were fixed in this update:
- a flaw in syscall argument checking on Itanium systems that allowed
a local user to cause a denial of service (crash) (CAN-2005-0136)
- a flaw in stack expansion that allowed a local user of mlockall()
to cause a denial of service (memory exhaustion) (CAN-2005-0179)
- a small memory leak in network packet defragmenting that allowed a
remote user to cause a denial of service (memory exhaustion) on
systems using netfilter (CAN-2005-0210)
- flaws in ptrace() syscall handling on AMD64 and Intel EM64T systems
that allowed a local user to cause a denial of service (crash)
(CAN-2005-0756, CAN-2005-1762, CAN-2005-2553)
- flaws in ISO-9660 file system handling that allowed the mounting of
an invalid image on a CD-ROM to cause a denial of service (crash)
or potentially execute arbitrary code (CAN-2005-0815)
- a flaw in ptrace() syscall handling on Itanium systems that allowed
a local user to cause a denial of service (crash) (CAN-2005-1761)
- a flaw in the alternate stack switching on AMD64 and Intel EM64T
systems that allowed a local user to cause a denial of service
(crash) (CAN-2005-1767)
- race conditions in the ia32-compat support for exec() syscalls on
AMD64, Intel EM64T, and Itanium systems that could allow a local
user to cause a denial of service (crash) (CAN-2005-1768)
- flaws in IPSEC network handling that allowed a local user to cause
a denial of service or potentially gain privileges (CAN-2005-2456,
CAN-2005-2555)
- a flaw in sendmsg() syscall handling on 64-bit systems that allowed
a local user to cause a denial of service or potentially gain
privileges (CAN-2005-2490)
- flaws in unsupported modules that allowed denial-of-service attacks
(crashes) or local privilege escalations on systems using the drm,
coda, or moxa modules (CAN-2004-1056, CAN-2005-0124, CAN-2005-0504)
- potential leaks of kernel data from jfs and ext2 file system handling
(CAN-2004-0181, CAN-2005-0400)
Note: The kernel-unsupported package contains various drivers and modules
that are unsupported and therefore might contain security problems that
have not been addressed.
All Red Hat Enterprise Linux 3 users are advised to upgrade their
kernels to the packages associated with their machine architectures
and configurations as listed in this erratum.
Solution
Before applying this update, make sure that all previously released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
Affected Products
- Red Hat Enterprise Linux Server 3 x86_64
- Red Hat Enterprise Linux Server 3 ia64
- Red Hat Enterprise Linux Server 3 i386
- Red Hat Enterprise Linux Workstation 3 x86_64
- Red Hat Enterprise Linux Workstation 3 ia64
- Red Hat Enterprise Linux Workstation 3 i386
- Red Hat Enterprise Linux Desktop 3 x86_64
- Red Hat Enterprise Linux Desktop 3 i386
- Red Hat Enterprise Linux for IBM z Systems 3 s390x
- Red Hat Enterprise Linux for IBM z Systems 3 s390
- Red Hat Enterprise Linux for Power, big endian 3 ppc
Fixes
- BZ - 79086 - Request for enhancement for callback function
- BZ - 98542 - iostat -x shows infeasible avgqu-sz results and max util
- BZ - 99502 - LTC3549 - ps wchan broken
- BZ - 116037 - Existence of race condition in Linux SD driver that leads to a deadlock
- BZ - 116317 - symbolic links have invalid permissions
- BZ - 116900 - RHEL3_U4 Data corruption in spite of using O_SYNC
- BZ - 119451 - System can hang while running multiple instances of fdisk
- BZ - 121041 - CAN-2004-0181 jfs infoleak
- BZ - 122982 - microcode_ctl errors with modprobe: Can't locate module char-major-10-184
- BZ - 123331 - LUN i not getting registered
- BZ - 128428 - Opteron gettimeofday granularity problem
- BZ - 128788 - RHEL3 U6: Diskdump support for Compaq Smart Array Controllers (cciss)
- BZ - 128907 - iostat -x 1 5 give bogus statistics...
- BZ - 129853 - RHEL3 U4: need netdump to work with the bonding driver
- BZ - 131029 - gart errors when using 2.4.21-15.0.3.EL.smp or -9.0.1 on AMD64 quad system
- BZ - 131136 - [Patch] Simultaneous calls to open() on a usb device hangs the kernel
- BZ - 131886 - __put_task_struct unresolved when loading externally compiled module
- BZ - 132754 - char-major-10-184 microcode error with kernel 2.4.21-15.ELhugemem
- BZ - 134579 - bogus data in /proc/partitions for IDE whole-disk device
- BZ - 137788 - Extraneous data in option name for scsi_mod
- BZ - 138192 - gart errors when using 2.4.21-20.EL on HP DL585
- BZ - 138534 - CAN-2004-1056 insufficient locking checks in DRM code
- BZ - 139033 - RHEL3 U5: netdump does not work over bonded interfaces
- BZ - 139113 - System hangs for 15-45 seconds on RHEL3 / kernel 2.4.21-20.EL
- BZ - 140849 - "fdisk -l" broken when over 26 EMC Powerpath disks
- BZ - 142263 - Only 16 EMC powerpath LUNs usable with LVM1
- BZ - 142532 - error unmounting /var filesystem while shutdown
- BZ - 142586 - Potential kernel DOS
- BZ - 142856 - 'ghosted' autofs shares disappear
- BZ - 142960 - Unable to umount /var during shutdown process when connected with ssh
- BZ - 143823 - [PATCH] Stale POSIX flock
- BZ - 144524 - CAN-2005-0179 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS
- BZ - 144781 - Kernel panic in shutdown path when iSCSI LUNs are mounted
- BZ - 145476 - netdump client/server problems
- BZ - 145551 - Use of bonding driver in mode 5 can cause multicast packet loss
- BZ - 145950 - high loads / high iowait / up 100% cpu time for kscand on oracle box
- BZ - 146080 - CAN-2005-0124 Coverity: coda fs flaw
- BZ - 146105 - CAN-2005-0504 moxa CAP_SYS_RAWIO missing (-unsupported)
- BZ - 146460 - Need openIPMI driver to work with IBM's x336 BMC [PATCH]
- BZ - 147823 - FEAT: RHEL3 U6: Enable dual-core processors from Intel
- BZ - 148862 - CAN-2005-0136 ptrace corner cases on ia64
- BZ - 149011 - Oracle 8 import of Oracle 9 database can lock system.
- BZ - 149405 - LTC13257-LTPstress sigaction01 Testcase Ends up Segmentation Fault [PATCH]
- BZ - 149636 - Kernel panic (EIP is at find_inode)
- BZ - 149691 - No data avaliable for eth card
- BZ - 149965 - panic at ia64_leave_kernel [kernel] 0x1 (2.4.21-27.EL)
- BZ - 150019 - Don't oom kill TASK_UNINTERRUPTIBLE processes
- BZ - 150130 - e1000 has memory leak when run continuously getting new dhcp leases.
- BZ - 150209 - Over time, autofs leaks kernel memory in the size-256 slab
- BZ - 151054 - kernel panic when bringing up and down multiple interfaces simultaneously
- BZ - 151488 - sk98lin driver drops udp packets
- BZ - 151920 - 8GB SMP servers appear to hang in VM subsystem under stress
- BZ - 152400 - CAN-2005-0400 ext2 mkdir() directory entry random kernel memory leak
- BZ - 152406 - CAN-2005-0815 isofs range checking flaws
- BZ - 153775 - [RHEL3-U6][Diskdump] Backtrace of OS_INIT doesn't work
- BZ - 154245 - RHEL3 U4 - kswapd/rpciod deadlock
- BZ - 154678 - [Texas Instruments] nfs bindresvport: Address already in use
- BZ - 154797 - [RHEL3 U6] diskdump fails with block_order=8
- BZ - 154925 - [RHEL3 U6] Diskdump fails if module parameter 'block_order' has too big value
- BZ - 155244 - Kernel Panics on kernel 2.4.21-27
- BZ - 155259 - [LSI Logic] Feature RHEL: Add mpt fusion SAS support, and new PCI IDs
- BZ - 155289 - [RHEL 3 U6]inode_lock deadlock/race?
- BZ - 155365 - 20041216 ROSE ndigis verification
- BZ - 155473 - ext3 data corruption under Samba share
- BZ - 155978 - CAN-2005-1762 x86_64 sysret exception leads to DoS
- BZ - 156142 - kernel may oops if more than 4k worth of string data returned in /proc/devices
- BZ - 156364 - [RHEL3] IPv6 Neighbor Cache : RHEL 3.0 does not update the IsRouter flag in the cache entry and improperly remove router from the Default Router List.
- BZ - 156608 - [RHEL3 U4] The system clock gains much time when netconle is activated.
- BZ - 156644 - CRM 479318 Unexpected IO-APIC on Opteron system
- BZ - 156831 - sd _mod doesn't handle removable drives (USB floppy) well
- BZ - 156923 - PPC64 not setting backchain in signal frames
- BZ - 156985 - FEAT: RHEL3 U6: cciss driver updates (STOPSHIP)
- BZ - 156989 - FEAT: RH EL 3 U6: diskdump driver
- BZ - 156991 - RHEL3 U6: Add 'ht' flag in EM64T /proc/cpuinfo [PATCH]
- BZ - 156993 - FEAT: RHEL3 U6: Add ICH4L support to kernel (MEDIUM)
- BZ - 156994 - 529692 - /proc/stat documentation is out of date.
- BZ - 156998 - RHEL 3 U6: Use of Performance Monitoring Counters based on Model number (x86-64)
- BZ - 157075 - When an AX100i SP reboot occurs, the Cisco iSCSI driver doesnt log back into array.
- BZ - 157434 - FEAT RHEL3 U6: Need e1000 driver Update to v.6.0.54 or higher (MUSTFIX)
- BZ - 157439 - LTC14642-NetDump is too slow to dump...[PATCH]
- BZ - 157446 - [RFE] [RHEL3 U6]Update 3w-9xxx driver
- BZ - 157571 - [CRM 511714] bonding and arp ping failure detection
- BZ - 157669 - attempt to access beyond end of device: ext2 symlink/EA problem
- BZ - 157846 - Potential kernel panic with stale POSIX locks
- BZ - 157849 - IPVS panic at ip_vs_conn_flush() when unloading ip_vs module
- BZ - 158358 - Updated Qlogic driver is requested in RHEL 3 U6
- BZ - 158456 - Update Emulex driver in RHEL 3 U6
- BZ - 158457 - Long tape commands (e.g. erase) timeout on dpt_i2o.
- BZ - 158459 - RHEL 3 configures non-existent SCSI target devices
- BZ - 158581 - FEAT RHEL3U6: new devices supported by tg3 (STOPSHIP)
- BZ - 158724 - CAN-2005-0210 dst leak
- BZ - 158814 - FEAT: [RHEL3 U6] add PCI_VENDOR_ID_NEC to megaraid subsysvid
- BZ - 158817 - Adding 3pardata to the scsi device whitelist
- BZ - 158877 - [RHEL3 U4] setsockopt SO_RCVTIMEO call fails from a 32 bit binary running on a x86_64 system
- BZ - 158880 - [Patch] RHEL3 U6: lower severity of blk: queue xxxx printks (~MF)
- BZ - 159045 - CAN-2005-1767 x86_64 crashes from context switches on stk-seg-fault stack
- BZ - 159300 - FEAT: RHEL3 U6: Update e100 driver to later than v.3.4.1
- BZ - 159330 - x86_64 kernel stops allocating memory too early when overcommit_memory set to strict
- BZ - 159420 - RHEL3 U6: ESB2 support (PATA, SATA, USB, SMBUS, LPC, Audio and AHCI)
- BZ - 159790 - ptrace changes to registers during ia32 syscall tracing stop are lost
- BZ - 159814 - x86-64 PTRACE_SETOPTIONS does not support most option flags
- BZ - 159823 - CAN-2005-1761 local user can use ptrace to crash system
- BZ - 159915 - CAN-2005-1762 x86_64 crash (ptrace-canonical)
- BZ - 159917 - CAN-2005-0756 x86_64 crash (ptrace-check-segment)
- BZ - 159938 - Diskdump disk controllers support
- BZ - 159979 - Fix dangling pointer in acpi_pci_root_add()
- BZ - 159989 - [RHEL3][PATCH] suppress medum-not-present messages from idefloppy
- BZ - 159991 - [taroon patch] fix for indefinite postponement under __alloc_pages()
- BZ - 159992 - Add docs detailing which drivers support netconsole
- BZ - 159993 - CAN-2005-2553 x86_64 fix for 32-bit ptrace find_target() oops
- BZ - 160093 - [RHEL3][PATCH] suppress medum-not-present messages from idefloppy
- BZ - 160199 - CAN-2005-1768 64bit execve() race leads to buffer overflow
- BZ - 160392 - Memory Leak in autofs
- BZ - 160400 - The AHCI driver was incorrectly resetting the hardware on error
- BZ - 160495 - RHEL 3 U5 code base contains duplicate USB ESSENTIAL_REALITY
- BZ - 160664 - cable link state ignored on ethernet card (b44).
- BZ - 160752 - accounting of SETITIMER_PROF inaccurate
- BZ - 160799 - Kernel panic: pci_map_single: high address but no IOMMU.
- BZ - 160820 - nVidia driver requires upstream page_attr patch
- BZ - 161097 - CRM 565876: samba-3.0.8pre1-smbmnt.patch to fix smbmount UID wraparound bug for RHEL3 Samba packages
- BZ - 161238 - superbh function causing a server to crash when Veritas Volume Manager Modules for VxVM 4.0 are loaded.
- BZ - 161657 - iscsi_sfnet driver does not calculate ConnFailTimeout correctly when greater than 15 secs
- BZ - 161957 - CRM: 507606 / short freezes on Informix server
- BZ - 161986 - RHEL3 U5 panic in kmem_cache_grow
- BZ - 162103 - add SGI scsi devices to list in scsi_scan.c
- BZ - 162603 - dpt_i2o driver oopses on insmod in U5
- BZ - 163152 - Initiator does not retry login on target error when PortalFailover is disabled
- BZ - 164074 - Placeholder for 2.4.x SATA update 20050723-1
- BZ - 164185 - rpm install of -33.EL on ia64 gets unresolved pm_power_off symbol
- BZ - 164226 - User-mode program run on IA64 AS 3.0 causes system to crash due to invalid stack pointer
- BZ - 164819 - [RHEL3U6] diskdump - scsi dump fails with module CRC error
- BZ - 165467 - [RHEL3 U6] Fix to update openipmi drivers for Dell 8G server line (MUSTFIX)
- BZ - 165565 - CAN-2005-2456 IPSEC overflow
- BZ - 165739 - LTC14996-IPMI driver is broken on multiple platforms
- BZ - 165841 - [RHEL3U6] diskdump fails with machine check error on x86_64
- BZ - 165850 - Disable FAN processing in Emulex lpfc driver
- BZ - 165866 - Add Invista to RHEL 3 SCSI Whitelist
- BZ - 165993 - NFS deadlock when multiple processes creating/deleting a file
- BZ - 166066 - IBM TapeLibrary 3583
- BZ - 166132 - CAN-2005-2555 IPSEC lacks restrictions
- BZ - 166172 - Kernel crash on 2.4.21-34 base due to kiobuf_init() setting the initialized state when expand_kiobuf() was not called.
- BZ - 166329 - CAN-2005-2490 sendmsg compat stack overflow
- BZ - 167047 - cciss, add pci id for P400
- BZ - 167222 - [BETA RHEL3 U6] kernel panic while booting numa=off on x86_64
- BZ - 167265 - drivers/addon/lpfc/lpfcdfc/Makefile change causing intermittent build failures
- BZ - 167369 - [RHEL3] cosmetic change to IPMI drivers to update version revision number
CVEs
References
(none)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.