- Issued: 2006-03-15
- Updated: 2006-03-15
RHSA-2006:0144 - Security Advisory
Synopsis
Updated kernel packages available for Red Hat Enterprise Linux 3 Update 7
Type/Severity
Security Advisory: Moderate
Topic
Updated kernel packages are now available as part of ongoing support and
maintenance of Red Hat Enterprise Linux version 3. This is the seventh
regular update.
This security advisory has been rated as having moderate security impact
by the Red Hat Security Response Team.
Description
The Linux kernel handles the basic functions of the operating system.
This is the seventh regular kernel update to Red Hat Enterprise Linux 3.
New features introduced by this update include:
- addition of the bnx2, dell_rbu, and megaraid_sas device drivers
- support for multi-core, multi-threaded Intel Itanium processors
- upgrade of the SATA subsystem to include ATAPI and SMART support
- optional tuning via the new numa_memory_allocator, arp_announce,
and printk_ratelimit sysctls
There were many bug fixes in various parts of the kernel. The ongoing
effort to resolve these problems has resulted in a marked improvement in
the reliability and scalability of Red Hat Enterprise Linux 3.
There were numerous driver updates and security fixes (elaborated below).
Other key areas affected by fixes in this update include the networking
subsystem, the VM subsystem, NPTL handling, autofs4, the USB subsystem,
CPU enumeration, and 32-bit-exec-mode handling on 64-bit architectures.
The following device drivers have been upgraded to new versions:
aacraid -------- 1.1.5-2412
bnx2 ----------- 1.4.30 (new)
dell_rbu ------- 2.1 (new)
e1000 ---------- 6.1.16-k3
emulex --------- 7.3.3
fusion --------- 2.06.16.02
ipmi ----------- 35.11
megaraid2 ------ v2.10.10.1
megaraid_sas --- 00.00.02.00 (new)
tg3 ------------ 3.43RH
The following security bugs were fixed in this update:
- a flaw in gzip/zlib handling internal to the kernel that allowed
a local user to cause a denial of service (crash)
(CVE-2005-2458, low)
- a flaw in ext3 EA/ACL handling of attribute sharing that allowed
a local user to gain privileges (CVE-2005-2801, moderate)
- a minor info leak with the get_thread_area() syscall that allowed
a local user to view uninitialized kernel stack data
(CVE-2005-3276, low)
Note: The kernel-unsupported package contains various drivers and modules
that are unsupported and therefore might contain security problems that
have not been addressed.
All Red Hat Enterprise Linux 3 users are advised to upgrade their
kernels to the packages associated with their machine architectures
and configurations as listed in this erratum.
Solution
Before applying this update, make sure that all previously released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
Affected Products
- Red Hat Enterprise Linux Server 3 x86_64
- Red Hat Enterprise Linux Server 3 ia64
- Red Hat Enterprise Linux Server 3 i386
- Red Hat Enterprise Linux Workstation 3 x86_64
- Red Hat Enterprise Linux Workstation 3 ia64
- Red Hat Enterprise Linux Workstation 3 i386
- Red Hat Enterprise Linux Desktop 3 x86_64
- Red Hat Enterprise Linux Desktop 3 i386
- Red Hat Enterprise Linux for IBM z Systems 3 s390x
- Red Hat Enterprise Linux for IBM z Systems 3 s390
- Red Hat Enterprise Linux for Power, big endian 3 ppc
Fixes
- BZ - 112004 - pppd receives error "Couldn't get channel number: bad address"
- BZ - 112066 - RHEL3 U5: Support for SATA features of ICH6R (for U3, AHCI only)
- BZ - 117067 - RHEL3 U3: ICH6 SATA support in ACHI mode
- BZ - 122256 - RHEL3 U6: SATA ATAPI support (HW)
- BZ - 125642 - kernel's Makefile not suited for long directory paths
- BZ - 128015 - RHEL3 U4: SATA AHCI (ICH6)
- BZ - 129265 - kernel panic when repeatedly accessing /proc/bus/usb/devices and hot-swapping usb device
- BZ - 130387 - Processes with Large memory requirment causes swap usage with free memory is present.
- BZ - 130489 - kernel kills db2 processes because of OOM error on RHEL Update2 and Update3
- BZ - 130712 - RHEL3 U7: Add SMART capabilities to libata.
- BZ - 131295 - Hugepages configured on kernel boot line causes x86_64 kernel boot to fail with OOM.
- BZ - 132547 - oops when "scsi add-single-device" sent to /proc/scsi/scsi using aic79xx
- BZ - 134506 - [RHEL3 U3] kernel BUG at exit.c:620!
- BZ - 136583 - LTC18371- [RHEL3 U4]cpu_sibling_map[] is incorrect on x445/x440
- BZ - 137101 - 'noht' does not work for ia32e
- BZ - 137344 - Cannot disable hyperthreading on x86_64 platform
- BZ - 137998 - autofs removes leading path components of /net mounts on timeout
- BZ - 138730 - LTC12369-In RHEL 3 U4 -- top command gave segmentation fault
- BZ - 142579 - Viper: install kernel panics on DP system with 4GB all on cpu#2
- BZ - 144033 - [RHEL3] poll() seems to ignore large timeout
- BZ - 145596 - SMART support in SATA driver
- BZ - 146663 - pl2303 kernel module doesn't work with 'Aten UC-232A'
- BZ - 147870 - O_DIRECT to sparse areas of files give incomplete writes
- BZ - 150559 - Can't install RHEL3 on system with Adaptec AAR 1210SA SATA controller (sata_sil - siimage problem)
- BZ - 152103 - RHEL3 U5: rhgb-client shows illegal instruction and fails.
- BZ - 152650 - aacraid driver in RHEL 3 U4 em64t causes kernel panic
- BZ - 154028 - megaraid2 driver causes panic if loaded for a second time
- BZ - 154385 - Crash on relocated automounts with --bind
- BZ - 156396 - System crash when dump or tar 64k blocksize to tape from raid
- BZ - 156397 - LTC13414-32-bit ping6 on 64-bit kernel not working
- BZ - 156645 - [RHEL3 U5] fails to boot installer on multiple platforms
- BZ - 156987 - FEAT: RHEL3 U5: need hint@pause in ia64 spinloops
- BZ - 156988 - FEAT RHEL3 U7 IPF - performance improvement for the system which CPEI occur continuously.
- BZ - 156999 - RHEL 3 U6: Support for cache identification through 'Deterministic Cache Parameters' [cpuid(4)]
- BZ - 157006 - [ CRM 488904 ] driver update for Adaptec 2410SA needed (1.1.5-2361 > 1.1.5-2371 or higher)
- BZ - 158819 - RHEL3 does not support USBDEVFS 32-bit ioctls on x86_64
- BZ - 158821 - Advanced server 3 ARP timeout messages
- BZ - 159326 - RSS limited to 1.8GB if process pinned to one CPU
- BZ - 159523 - [RHEL3] Does not boot on system with ACPI table crossing page boundary
- BZ - 159874 - [RHEL 3 U5] adding hotplug drive causes kernel panic
- BZ - 159977 - [RHEL3] vi --- files getting deleted
- BZ - 160009 - agpgart will not load for kernel 2.4.21-32 on tyan S2885 motherboard with AMD-8151 agp tunnel
- BZ - 160337 - Keyboard "jammed" during smp runlevel 5 boot on IBM HS20-8843 BladeServer
- BZ - 160539 - [RHEL3] hidden bomb of kmap_atomic/kunmap_atomic bug?
- BZ - 161056 - CVE-2005-2801 Lost ACLs on ext3
- BZ - 161160 - Reproducable panic in mdadm multipathing
- BZ - 161188 - Sometimes data/bss can be executable
- BZ - 161336 - xserver issue on blade center
- BZ - 161866 - Race condition accessing PCI config space
- BZ - 161875 - autofs doesn't remount if nfs server is unreachable at expire time
- BZ - 162065 - aacraid driver hangs if Adaptec 2230SLP array not optimal
- BZ - 162212 - st causes system hang and kernel panic when writing to tape on x86_64
- BZ - 162271 - Problem with b44: SIOCSIFFLAGS: Cannot allocate memory
- BZ - 162417 - (VM) Excessive swapping when free memory is ample
- BZ - 162683 - [RHEL3 and RHEL2.1] ps command core dump
- BZ - 162735 - LTC8356-LSB runtime testcase T.c_oflag_X failed [PATCH]
- BZ - 163176 - Endless loop printing traceback during kernel OOPs
- BZ - 163184 - Explain why the SCSI inquiry is not being returned from the sd for nearly 5 minutes
- BZ - 163239 - [RHEL3] change_page_attr may set _PAGE_NX for kernel code pages
- BZ - 163307 - LTC13178-panic on i5 - sys_ppc32.c 32 bit sys_recvmsg corrupting kernel data structures
- BZ - 163381 - RHEL3U5 x86-64 : xw9300 & numa=on swaps behaviour is unexpected
- BZ - 163901 - FEAT: RHEL3 U6: ia64 multi-core and multi-threading detection
- BZ - 163929 - [RHEL3] [x86_64/ia64] sys_time and sys_gettimeofday disagree
- BZ - 164206 - U5 beta encounters NMI watchdog on Celestica Quartet with 4 Opteron 875 dualcores
- BZ - 164304 - [RHEL3 U5] __wtd_down_from_wakeup not in EL3 ia64 tree
- BZ - 164438 - LTC12403-CMVC482920:I/O errors caused by eeh error injection-drive unavailable
- BZ - 164580 - NFS lockd deadlock
- BZ - 164795 - /usr/src/linux-2.4.21-32.EL/Documentation/networking/e100.txt contians bad info
- BZ - 164828 - RHEL 3 - request to add bnx2 driver
- BZ - 165006 - acct does not have Large File Support
- BZ - 165119 - FEAT RHEL3U7: Need Intel e1000 driver update for the Dell Ophir/Rimon based PCI-E NICs
- BZ - 165364 - SMP kernel does not honor boot parameter "noht"
- BZ - 165412 - [RHEL3] The system hangs when SysRq + c is pressed
- BZ - 165453 - Panic after ENXIO with usb-uhci
- BZ - 165475 - Problem removing a USB device
- BZ - 165680 - CVE-2005-2458 gzip/zlib flaws
- BZ - 165825 - Inquiry (sg) command hang after a write to tape with mptscsi driver
- BZ - 165989 - The msync(MS_SYNC) call should fail after cable pulled from scsi disk
- BZ - 166345 - HA NFS Cluster Problem
- BZ - 166363 - cciss disk dump hangs if module is ever unloaded/reloaded
- BZ - 166364 - Erratic behaviour when system fd limit reached
- BZ - 166578 - aacraid driver needs to be updated to support IBM ServeRAID 8i
- BZ - 166583 - aacraid driver needs to be updated to support IBM ServeRAID 8i
- BZ - 166600 - CRM619504: setrlimit RLIMIT_FSIZE limited to 32-bit values, even on 64-bit kernels
- BZ - 166669 - [RHEL3 U5] waitpid() returns unexpected ECHILD
- BZ - 167674 - RHEL3: need updated forcedeth.o driver?
- BZ - 167800 - CRM648268: kernel reporting init process cutime as very large negative value
- BZ - 167942 - FEAT RHEL3 U7: Need 'bnx2' driver inclusion to support Broadcom 5708C B0 NIC and 5708S BO LOM
- BZ - 168226 - FEAT RHEL3 U7: LSI megaraid_sas driver
- BZ - 168293 - Potential netconsole regression in transmit path
- BZ - 168315 - LTC17567-Fields 'system_potential_processor' and 'partition_max_entiteled_capacity' fields are missing from lparcfg file
- BZ - 168358 - FEAT RHEL3 U7: ipmi driver speedup patch
- BZ - 168359 - FEAT RHEL3 U7: ipmi_poweroff driver update for Dell <8G servers
- BZ - 168390 - Large O_DIRECT write will hang system (MPT fusion)
- BZ - 168392 - kill -6 of multi-threaded application takes 30 minutes to finish
- BZ - 168474 - FEAT RHEL3-U7: Support for HT1000 IDE chipset needed
- BZ - 168541 - RHEL3 U7: x86_64: Remove unique APIC/IO-APIC ID check
- BZ - 168581 - RH EL 3 U7: add support for Broadcom 5714 and 5715C NICs
- BZ - 168597 - FEAT RHEL3 U7: add dell_rbu driver for Dell BIOS updates
- BZ - 168603 - FEAT RHEL3 U7: Need TG3 update to support Broadcom 5721 C1 stepping
- BZ - 168681 - kernel BUG at page_alloc.c:391!
- BZ - 168780 - CVE-2005-3276 sys_get_thread_area minor info leak
- BZ - 168795 - RHEL3U7: ipmi driver fix for PE2650
- BZ - 168896 - LSI MegaRAID RHEL3 Feature - Updated SCSI driver submission
- BZ - 169230 - nfs client: handle long symlinks properly
- BZ - 169294 - [RHEL3 U6] __copy_user/memcpy causes random kernel panic on IA-64 systems
- BZ - 169393 - CRM# 685278 scsi scan not seeing all luns when one lun removed
- BZ - 169511 - [RHEL3] 'getpriority/setpriority' broken with PRIO_USER, who=0
- BZ - 169662 - [RHEL3 U5] Performance problem while extracting tarballs on Fujitsu Siemens Computing D1409, Adaptec S30 array, connected to an aacraid controller.
- BZ - 169992 - LTC18779-Lost dirty bit in kernel memory managment [PATCH]
- BZ - 170429 - RHEL-3: 'physical id' field in /proc/cpuinfo incorrect on AMD-64 hosts
- BZ - 170440 - [RHEL3 U5] Kernel crashing, multiple panics in aacraid driver
- BZ - 170446 - [RHEL3 U7] netdump hangs in processing of CPU stop after diskdump failed.
- BZ - 170529 - LTC17955-82222: Support for Serverworks chipset HT2000 Ethernet Driver (BCM5700 & TG3)
- BZ - 170561 - Broadcom 5706/5708 support
- BZ - 170633 - System Stops responding with "queue 6 full" messages
- BZ - 171129 - RedHat / XW9300 / system panic when logout from GNOME with USB mouse
- BZ - 171377 - LTC18818-pfault interupt race
- BZ - 172233 - rename(2) onto an empty directory fails on NFS file systems
- BZ - 172334 - Invalid message 'Aieee!!! Remote IRR still set after unlock'
- BZ - 172664 - Updated header file with modified author permissions
- BZ - 173280 - New icache prune export
- BZ - 174005 - Update Emulex lpfc driver for RHEL 3
- BZ - 175017 - Assertion failed! idx >= ARRAY_SIZE(xfer_mode_str),libata-core.c,ata_dev_set_mode,line=1673
- BZ - 175154 - [RHEL3 U6] IOs hang in __wait_on_buffer when segments > 170
- BZ - 175211 - Multicast domain membership doesn't follow bonding failover
- BZ - 175365 - LTC19816-Cannot see a concho adapter on U7 kernel
- BZ - 175624 - [RHEL3 U7 PATCH] LSI PCI Express chips to operate properly
- BZ - 175625 - [RHEL3 U7] x86-64: Can't boot with 16 logical processors
- BZ - 175767 - Installer appears to hang when loading mptbase module
- BZ - 176264 - x366 NMI error logged in infinite loop - [crm#769552] Possible regression U7 beta
- BZ - 177023 - CRM 724200: when an active USB serial port device is removed, the system panics and locks up.
- BZ - 177573 - autofs doesn't attempt to remount failed mount points
- BZ - 177691 - negative dentry caching causes long delay when dentry becomes valid
- BZ - 179168 - RHEL3U7Beta-32: Booting/Installing with SATA ATAPI Optical panics
References
(none)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.