RHSA-2006:0575 - Security Advisory

Topic

Updated kernel packages are now available as part of ongoing support
and maintenance of Red Hat Enterprise Linux version 4.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

This is the fourth regular update to Red Hat Enterprise Linux 4.

Description

New features introduced in this update include:

• Device Mapper mirroring support
• IDE diskdump support
• x86, AMD64 and Intel EM64T: Multi-core scheduler support enhancements
• Itanium: perfmon support for Montecito
• much improved support for IBM x460
• AMD PowerNow! patches to support Opteron Rev G
• Vmalloc support > 64MB

The following device drivers have been upgraded to new versions:

ipmi: 33.11 to 33.13
ib_mthca: 0.06 to 0.08
bnx2: 1.4.30 to 1.4.38
bonding: 2.6.1 to 2.6.3
e100: 3.4.8-k2-NAPI to 3.5.10-k2-NAPI
e1000: 6.1.16-k3-NAPI to 7.0.33-k2-NAPI
sky2: 0.13 to 1.1
tg3: 3.43-rh to 3.52-rh
ipw2100: 1.1.0 to git-1.1.4
ipw2200: 1.0.0 to git-1.0.10
3w-9xxx: 2.26.02.001 to 2.26.04.010
ips: 7.10.18 to 7.12.02
iscsi_sfnet: 4:0.1.11-2 to 4:0.1.11-3
lpfc: 0:8.0.16.18 to 0:8.0.16.27
megaraid_sas: 00.00.02.00 to 00.00.02.03-RH1
qla2xxx: 8.01.02-d4 to 8.01.04-d7
qla6312: 8.01.02-d4 to 8.01.04-d7
sata_promise: 1.03 to 1.04
sata_vsc: 1.1 to 1.2
ibmvscsic: 1.5.5 to 1.5.6
ipr: 2.0.11.1 to 2.0.11.2

Added drivers:

dcdbas: 5.6.0-2
sata_mv: 0.6
sata_qstor: 0.05
sata_uli: 0.5
skge: 1.1
stex: 2.9.0.13
pdc_adma: 0.03

This update includes fixes for the security issues:

• a flaw in the USB devio handling of device removal that allowed a

local user to cause a denial of service (crash) (CVE-2005-3055,
moderate)

• a flaw in the ACL handling of nfsd that allowed a remote user to

bypass ACLs for readonly mounted NFS file systems (CVE-2005-3623,
moderate)

• a flaw in the netfilter handling that allowed a local user with

CAP_NET_ADMIN rights to cause a buffer overflow (CVE-2006-0038, low)

• a flaw in the IBM S/390 and IBM zSeries strnlen_user() function that

allowed a local user to cause a denial of service (crash) or to retrieve
random kernel data (CVE-2006-0456, important)

• a flaw in the keyctl functions that allowed a local user to cause a

denial of service (crash) or to read sensitive kernel memory
(CVE-2006-0457, important)

• a flaw in unaligned accesses handling on Itanium processors that

allowed a local user to cause a denial of service (crash)
(CVE-2006-0742, important)

• a flaw in SELinux ptrace logic that allowed a local user with ptrace

permissions to change the tracer SID to a SID of another process
(CVE-2006-1052, moderate)

• an info leak on AMD-based x86 and x86_64 systems that allowed a local

user to retrieve the floating point exception state of a process run by a
different user (CVE-2006-1056, important)

• a flaw in IPv4 packet output handling that allowed a remote user to

bypass the zero IP ID countermeasure on systems with a disabled firewall
(CVE-2006-1242, low)

• a minor info leak in socket option handling in the network code

(CVE-2006-1343, low)

• a flaw in the HB-ACK chunk handling of SCTP that allowed a remote user to

cause a denial of service (crash) (CVE-2006-1857, moderate)

• a flaw in the SCTP implementation that allowed a remote user to cause a

denial of service (deadlock) (CVE-2006-2275, moderate)

• a flaw in the socket buffer handling that allowed a remote user to cause

a denial of service (panic) (CVE-2006-2446, important)

• a flaw in the signal handling access checking on PowerPC that allowed a

local user to cause a denial of service (crash) or read arbitrary kernel
memory on 64-bit systems (CVE-2006-2448, important)

• a flaw in the netfilter SCTP module when receiving a chunkless packet

that allowed a remote user to cause a denial of service (crash)
(CVE-2006-2934, important)

There were several bug fixes in various parts of the kernel. The ongoing
effort to resolve these problems has resulted in a marked improvement
in the reliability and scalability of Red Hat Enterprise Linux 4.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 141342 - install hangs on Dell PowerVault 745 with SATA drives (sata_vsc module)
• BZ - 149933 - fix missing wakeup in ipc/sem
• BZ - 151981 - udevd fails to create /dev files after misc_register
• BZ - 154984 - Sound Blaster Audigy 2 Value audio does not work
• BZ - 155926 - [RHEL4-U2][Diskdump] OS_INIT dump function is broken
• BZ - 156145 - kernel may oops if more than 4k worth of string data returned in /proc/devices
• BZ - 156663 - Can't install from SATA CD/DVD drive
• BZ - 157404 - Loss of SATA ICH device hangs RAID1
• BZ - 157902 - [PATCH] ata_piix fails on some ICH7 hardware
• BZ - 158989 - snd-nm256 module hangs Dell Latitude CSx
• BZ - 165113 - kernel build broken when 4KSTACKS disabled
• BZ - 165245 - EHCI Host driver violates USB2.0 Specification leading to device failures
• BZ - 166541 - mdadm --grow infinite resync
• BZ - 168285 - No (useful) logging of parameters to execve
• BZ - 169260 - CVE-2005-3055 async usb devio oops
• BZ - 169456 - COMM_LOST problem with SCTP stream socket
• BZ - 169600 - SMP kernel crash when use as LVS router
• BZ - 170143 - rm command hangs when removing a symlink on ext2 loop filesystem
• BZ - 170434 - Deadlock in fc_target_unblock while shutting down the system
• BZ - 171304 - sata_promise: missing PCI ID for SATA300 TX4
• BZ - 171645 - Oops kernel NULL pointer
• BZ - 171740 - ipw2100 modules crashes and restarts whenever in use
• BZ - 172199 - Spurious keyboard repeats and clock is fast
• BZ - 172696 - kernel panic after a few hours/days of operation with pulse
• BZ - 173193 - vmalloc limited to 64Mb
• BZ - 173489 - kernel panics when rebooting
• BZ - 173843 - Kernel panic with this comment: <4>VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
• BZ - 173895 - Kernel panic on install on 64BG EM64T
• BZ - 174019 - TG3 driver crashes with BCM4704C chipset with heavy traffic
• BZ - 174155 - Documentation mismatch
• BZ - 174470 - RFE: tg3 support for Broadcom 5751 PCIe
• BZ - 174639 - System hangs with kernel panic when using current 3ware drivers
• BZ - 174671 - [PATCH] bonding: don't drop non-VLAN traffic
• BZ - 175616 - [RHEL 4 U2] kernel panic on EM64T with long cmdline args
• BZ - 175763 - misleading overcommit_memory reference in Documentation/filesystems/proc.txt
• BZ - 175778 - Accessing automounted directories can cause a process to hang forever
• BZ - 175854 - [RHEL4-U3] Checking dump partition fails when a swap partition whose size is less than memory size is configured for diskdump.
• BZ - 176107 - sata-nv crashes on multiple SATA disks
• BZ - 176173 - The hash.h hash_long function, when used on a 64 bit machine, ignores many of the middle-order bits.
• BZ - 176361 - io_setup() fails for 32bit tasks in x86-64
• BZ - 176601 - Oprofile unsupported recent Pentium4
• BZ - 176612 - xw6400 System panic while installing RHEL4-U3
• BZ - 177439 - SELinux MLS compatibility
• BZ - 177509 - No i915 DRM module
• BZ - 178084 - Last AIO read of a file opened with O_DIRECT returns wrong length
• BZ - 178720 - O_DIRECT bug when reading last block of sparse file
• BZ - 178845 - RHEL4u4 FEAT: Provide support for Opteron Rev G and Power Now! clean-up
• BZ - 179206 - Please backport the sata_mv Marvell MV88SX5081 driver?
• BZ - 179334 - kernel boot can Oops in work queue code when console blanks
• BZ - 179752 - Request to update lpfc driver in RHEL 4 U4
• BZ - 180028 - deadlocks on ext2,sync mounted fs
• BZ - 180138 - kmir_mon worker thread doesn't exit
• BZ - 180195 - aic7xxx and aic79xx Drivers Don't Support 16-byte CDBs
• BZ - 180568 - typo in spinlock.h? line 407
• BZ - 180621 - ipv6 ready logo-P1 ND Test24 fails- RA Lifetime=5 not understood
• BZ - 180958 - [RHEL4] MCE arg parsing broken on x86-64
• BZ - 181457 - Console redirection on DRAC 3 results in repeated key strokes (P1)
• BZ - 181475 - lpfc driver: add managment ioctl module to kernel tree
• BZ - 181780 - Gettimeofday() timer related slowdown and scaling issue
• BZ - 181793 - add MCP51/ NVidia 430 IDE support
• BZ - 181869 - Error given when duplicate non-updateable key (eg: keyring) added
• BZ - 181870 - Key quota handling incorrect in allocation
• BZ - 181879 - CVE-2006-0457 Key syscalls use get length of strings before copying, and assume terminating NUL copied from userspace
• BZ - 181881 - CVE-2006-0456 s390/s390x strnlen_user() is broken
• BZ - 182137 - NFS lockd recovery is broken in U3 due to missing code.
• BZ - 182684 - [EMC/Oracle RHEL 4.4] ISCSI MODULE SHOWS MULTIPLE DEVICES FOR A SINGLE LUN IN RHEL 4.0 U2
• BZ - 182726 - Possible hang when ptracing and using hugepages
• BZ - 183392 - [RHEL4] [RFE] Add diskdump capability to IDE
• BZ - 183416 - DoS attack possible via nfsservctl
• BZ - 183463 - CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic
• BZ - 183661 - ramfs: update dir mtime and ctime
• BZ - 183664 - dm: make sure don't give out the same minor number twice
• BZ - 184208 - Large LUNS can't be seen with Hitachi Open- SAN
• BZ - 184254 - PCI interrupts on ioapic pins 0-15 always get "legacy" IRQs.
• BZ - 184535 - [BETA RHEL4 U3] brokenness in cfq_dispatch_requests
• BZ - 184583 - Kernel should export number and state of local APICs
• BZ - 185043 - CVE-2005-3623 ACL setting on read-only fs
• BZ - 185289 - CVE-2006-1052 SELinux flaw
• BZ - 185431 - kernel dm: bad argument count check in dm-log.c
• BZ - 185444 - kernel dm: missing bdput
• BZ - 185445 - kernel dm: fix free_dev del_gendisk
• BZ - 185447 - kernel dm: flush queued bios if suspend is interrupted
• BZ - 185450 - kernel dm: log bitset fix BE find_next_zero_bit
• BZ - 185454 - kernel device-mapper mirroring: table output incorrect
• BZ - 185455 - kernel dm snapshots: replace siblings list
• BZ - 185456 - kernel dm mirroring: suspend operation is not well behaved
• BZ - 185459 - kernel dm snapshots: fix invalidation
• BZ - 185468 - kernel dm: striped access beyond end of device
• BZ - 185754 - [RHEL4 U3] kernel dm mirror: unrelated mirror devices stall if any log device fails
• BZ - 185782 - [RHEL4 U3] device-mapper mirror: Data corruption if the default mirror fails during recovery.
• BZ - 185785 - [RHEL4 U3] device-mapper mirror: Data corruption by temporal errors during recovery.
• BZ - 185991 - kernel dm: bio split bvec fix
• BZ - 186004 - [RHEL4 U3] device-mapper mirror: Write failure region becomes in-sync when suspension.
• BZ - 186057 - CVE-2006-1242 Linux zero IP ID vulnerability?
• BZ - 186066 - Connectathon tests fail against newer Irix server
• BZ - 186071 - NFSD fails SETCLIENTID_CONFIRM
• BZ - 186104 - kernel dm mirror: lvs Copy% overs 100% by lvreduce/lvresize.
• BZ - 186242 - CVE-2006-1343 Small information leak in SO_ORIGINAL_DST
• BZ - 186295 - CVE-2006-0038 netfilters do_replace() overflow
• BZ - 186316 - nvidia cache aliasing problem: change_page_attr drops GLOBAL bit from executable kernel pages
• BZ - 186564 - ACPI 2.0 systems with no XSDT fail to boot
• BZ - 186751 - kernel problem to deal with 3ware 9500SX-12 RAID cards
• BZ - 187249 - [RHEL4 U3] dm-mirror: read stalls if all mirrors failed
• BZ - 187494 - CVE-2006-2275 SCTP traffic probably never resumes
• BZ - 187498 - diskdump_sysfs_store() needs to check sscanf retval
• BZ - 187500 - diskdump_sysfs_store() should check partition number
• BZ - 187501 - device_to_gendisk() is lacking mntput(nd.mnt) on exit
• BZ - 187502 - diskdump - device_to_gendisk() is both racy
• BZ - 187910 - CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs
• BZ - 187951 - Replication failover fails if the NFS permissions are incorrect on one of the servers...
• BZ - 188080 - kernel dm snapshots: Incorrect processing of incorrect chunk size
• BZ - 188141 - Kernel appears too conservative in memory use
• BZ - 188296 - tlb_clear_slave races with tlb_choose_channel
• BZ - 188912 - Update Qlogic qla2xxx driver in RHEL 4 U4
• BZ - 189127 - Trouble with recent module - one packet is seen more than one time
• BZ - 189198 - VLAN not working on initial startup
• BZ - 189279 - [Stratus RHEL4 U4 bug] unchecked error path in usb_alloc_dev can lead to an Oops.
• BZ - 189390 - RHEL4-U3: openipmi: startup race condition
• BZ - 189392 - Submit Promise RHEL4 driver in-box to RHEL4 CD
• BZ - 189393 - Submit Promise RHEL4 driver in-box to RHEL4 CD
• BZ - 189397 - Submit Promise RHEL4 driver in-box to RHEL4 CD
• BZ - 189797 - dm: Fix mapped device references
• BZ - 190576 - REGRESSION: kabi breakage on ia64_mv
• BZ - 191138 - CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic
• BZ - 191139 - installer does not see SATA HDs attached to JMB360 chipset which in legacy mode
• BZ - 191141 - MCE arg parsing broken on x86-64
• BZ - 191723 - device-mapper mirror: Need proper notification of sync status chage on write failure
• BZ - 191847 - REGRESSION: kernel-2.6.9.36 does not boot on ALTIX systems
• BZ - 192098 - Fix problems with MSI-X on 64-bit platforms
• BZ - 192635 - CVE-2006-1857 SCTP HB-ACK chunk overflow
• BZ - 192779 - CVE-2006-2446 LTC20512-kernel BUG in __kfree_skb while running TCP+Kernel stress
• BZ - 193230 - RFE: add pci ids for atiixp
• BZ - 193696 - Not using all available system memory - swapping too aggressive - high load average (iowait)
• BZ - 193728 - A write to a cluster mirror volume not in sync will hang and also cause the sync to hang as well
• BZ - 193838 - gettimeofday goes backwards on IBM x460 merged servers
• BZ - 194215 - CVE-2006-2448 missing access_ok checks in powerpc signal*.c
• BZ - 194533 - veritas storage foundation 32bit apps crash in glibc during post-process installation
• BZ - 195002 - RHEL4 U4 i386 partner beta will not install on ES7000/one
• BZ - 195254 - HP xw9400 network card not getting seen
• BZ - 195502 - Regression: cluster mirror creation cmd hangs even though mirror gets created
• BZ - 196512 - VLANs, tg3 driver, and 2.6.9-34.EL kernel update
• BZ - 196712 - O=/objdir builds fail for out-of-tree builds with 2.6.9-39.4
• BZ - 197387 - CVE-2006-2934 SCTP netfilter DoS with chunkless packets
• BZ - 198321 - kernel freeze at "kernel BUG at kernel/timer.c:420!"
• BZ - 198892 - kernel deadlock on reading /proc/meminfo on 4 CPU's at the same time

CVEs

• CVE-2006-1056
• CVE-2006-1343
• CVE-2005-3055
• CVE-2006-0742
• CVE-2006-1242
• CVE-2006-2446
• CVE-2006-1052
• CVE-2006-0038
• CVE-2006-1857
• CVE-2006-2448
• CVE-2005-3623
• CVE-2006-2934
• CVE-2006-0456
• CVE-2006-0457
• CVE-2006-2275

References

• http://www.redhat.com/security/updates/classification/#important