RHSA-2008:0665 - Security Advisory

Topic

Updated kernel packages are now available as part of ongoing support and
maintenance of Red Hat Enterprise Linux 4. This is the seventh regular
update.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

Description

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Kernel Feature Support:

• iostat displays I/O performance for partitions
• I/O task accounting added to getrusage(), allowing comprehensive core

statistics

• page cache pages count added to show_mem() output
• tux O_ATOMICLOOKUP flag removed from the open() system call: replaced

with O_CLOEXEC

• the kernel now exports process limit information to /proc/[PID]/limits
• implement udp_poll() to reduce likelihood of false positives returned

from select()

• the TCP_RTO_MIN parameter can now be configured to a maximum of 3000

milliseconds. This is configured using "ip route"

• update CIFS to version 1.50

Added Features:

• nfs.enable_ino64 boot command line parameter: enable and disable 32-bit

inode numbers when using NFS

• tick "divider" kernel boot parameter: reduce CPU overhead, and increase

efficiency at the cost of lowering timing accuracy

• /proc/sys/vm/nfs-writeback-lowmem-only tunable parameter: resolve NFS

read performance

• /proc/sys/vm/write-mapped tunable option, allowing the option of faster

NFS reads

• support for Large Receive Offload as a networking module
• core dump masking, allowing a core dump process to skip the shared memory

segments of a process

Virtualization:

• para-virtualized network and block device drivers, to increase

fully-virtualized guest performance

• support for more than three VNIF numbers per guest domain

Platform Support:

• AMD ATI SB800 SATA controller, AMD ATI SB600 and SB700 40-pin IDE cable
• 64-bit DMA support on AMD ATI SB700
• PCI device IDs to support Intel ICH10
• /dev/msr[0-n] device files
• powernow-k8 as a module
• SLB shadow buffer support for IBM POWER6 systems
• support for CPU frequencies greater than 32-bit on IBM POWER5, IBM POWER6
• floating point load and store handler for IBM POWER6

Added Drivers and Updates:

• ixgbe 1.1.18, for the Intel 82598 10GB ethernet controller
• bnx2x 1.40.22, for network adapters on the Broadcom 5710 chipset
• dm-hp-sw 1.0.0, for HP Active/Standby
• zfcp version and bug fixes
• qdio to fix FCP/SCSI write I/O expiring on LPARs
• cio bug fixes
• eHEA latest upstream, and netdump and netconsole support
• ipr driver support for dual SAS RAID controllers
• correct CPU cache info and SATA support for Intel Tolapai
• i5000_edac support for Intel 5000 chipsets
• i3000_edac support for Intel 3000 and 3010 chipsets
• add i2c_piix4 module on 64-bit systems to support AMD ATI SB600, 700

and 800

• i2c-i801 support for Intel Tolapai
• qla4xxx: 5.01.01-d2 to 5.01.02-d4-rhel4.7-00
• qla2xxx: 8.01.07-d4 to 8.01.07-d4-rhel4.7-02
• cciss: 2.6.16 to 2.6.20
• mptfusion: 3.02.99.00rh to 3.12.19.00rh
• lpfc:0: 8.0.16.34 to 8.0.16.40
• megaraid_sas: 00.00.03.13 to 00.00.03.18-rh1
• stex: 3.0.0.1 to 3.6.0101.2
• arcmsr: 1.20.00.13 to 1.20.00.15.rh4u7
• aacraid: 1.1-5[2441] to 1.1.5[2455]

Miscellaneous Updates:

• OFED 1.3 support
• wacom driver to add support for Cintiq 20WSX, Wacom Intuos3 12x19, 12x12

and 4x6 tablets

• sata_svw driver to support Broadcom HT-1100 chipsets
• libata to un-blacklist Hitachi drives to enable NCQ
• ide driver allows command line option to disable ide drivers
• psmouse support for cortps protocol

These updated packages fix the following security issues:

• NULL pointer access due to missing checks for terminal validity.

(CVE-2008-2812, Moderate)

• a security flaw was found in the Linux kernel Universal Disk Format file

system. (CVE-2006-4145, Low)

For further details, refer to the latest Red Hat Enterprise Linux 4.7
release notes: redhat.com/docs/manuals/enterprise

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 151085 - mount are not interruptible
• BZ - 166038 - ext2online can't resize: No space left on device
• BZ - 171712 - A NFS export mounted using version 4 and TCP shows up as UDP in /proc/mounts
• BZ - 179201 - pvmove causes kernel panic
• BZ - 183119 - Assertion failure in journal_next_log_block
• BZ - 185202 - Kernel build requires "High Memory Support"
• BZ - 186606 - Incorrect suggestion on when to install largesmp kernel
• BZ - 194585 - mdadm --grow -n 2 (old: 3) fails on particular raid1 devices
• BZ - 195685 - RFE: Add dm-hp-sw to kernel to allow use of active/passive sans with dm multipathing
• BZ - 204309 - kernel retries portmap query indefinitely when statd is down
• BZ - 205966 - Firewall - Premature ip_conntrack timer expiry on 3+ ack or window size advertisements - (hanging tomcat threads problem)
• BZ - 206113 - [PATCH][RHEL4U4] Fix estimate-mistake (e820-memory-hole and numnodes) of available_memory in x86_64
• BZ - 212321 - [PATCH][RHEL4U4] Backported udp_poll() function (Fix the problem that select() returns in RHEL4 though select() must not return essentially when kernel receives broken UDP packet(s))
• BZ - 212922 - /sbin/service iptables stop hangs on modprobe -r ipt_state
• BZ - 219639 - Crash dump fails on IA64 with block_order set to 10
• BZ - 227610 - READDIR on a NFSv4 directory containing a referral returns -EIO for entire directory
• BZ - 233234 - Missing definition for mutex_destroy in linux/kernel.h
• BZ - 247446 - RHEL4-U5: "cdrom open failed" message in /var/log/messages on every reboot
• BZ - 247879 - dm-mirror: spinlock in write_callback has the potential for deadlock
• BZ - 248488 - Backport divider= option from RHEL5 U1 to RHEL4
• BZ - 248787 - [RHEL4 U4] NFS server, rpciod was stuck in a infinite loop,
• BZ - 248954 - Oracle ASM DBWR process goes into 100% CPU spin when using hugepages on ia64
• BZ - 249727 - xenbus has use-after-free in drivers/xen/xenbus/xenbus_xs.c
• BZ - 250381 - xenbus suspend_mutex remains locked after transaction failure
• BZ - 250842 - oopses when multicasting with connection oriented socket
• BZ - 251560 - [Promise 4.7 feat] Update stex driver to version 3.6.0101.2
• BZ - 252222 - ipv6 device reference counting error in net/ipv6/anycast.c
• BZ - 252287 - AMD/ATI SB600/700/800 use same SMBus controller devID
• BZ - 252400 - RHEL4 U5: ia64 machine hang when DB starts using rac/nfs/hugepages
• BZ - 252939 - Long Delay before OOMKill launches
• BZ - 253592 - [RHEL 4.5] forcedeth: pull latest upstream updates
• BZ - 270661 - need a way to disable ide drivers
• BZ - 278961 - epoll_wait(..., -100) results in printk
• BZ - 280431 - ip_tables reference count will underflow occasionally
• BZ - 287741 - PCI: hotplug: acpiphp: avoid acpiphp "cannot get bridge info" PCI hotplug failure
• BZ - 299901 - We need SB800 SATA Controller supported in RHEL4.7
• BZ - 300861 - sb600 system generates ATA errors during initscripts
• BZ - 306911 - CVE-2006-4145 UDF truncating issue
• BZ - 309081 - i386 compressed diskdump header contains incorrect panic cpu
• BZ - 311431 - kernel BUG at mm/rmap.c:479 during suspend/resume testing
• BZ - 311881 - ptrace: i386 debugger + x86_64 kernel + threaded (i386) inferior = error
• BZ - 335361 - RHEL 4.7: SB700 contains two IDE channels
• BZ - 337671 - [RHEL4] Patch pata_jmicron to support new controller
• BZ - 351911 - RHEL4.6: AD1984 HDAudio does not work on AMD Trevally Board(RS690 + SB700)
• BZ - 354371 - readdir on nfs4 passing non-posix errors to userspace
• BZ - 355141 - pull upstream patches for smbfs
• BZ - 359651 - [PATCH] nfsv4 fails to update content of files when open for write
• BZ - 359671 - RHEL4: Hald causes system deadlock on ia64
• BZ - 360311 - kernel dm: panic on shrinking device size
• BZ - 361931 - [Stratus 4.7 bug] iounmap may sleep while holding vmlist_lock, causing a deadlock.
• BZ - 364361 - NFS: Fix directory caching problem - with test case and patch.
• BZ - 377351 - kernel dm: bd_mount_sem counter corruption
• BZ - 377371 - kernel dm crypt: oops on device removal
• BZ - 377611 - Marvell NIC using skge driver loses promiscuous mode on rewiring
• BZ - 381221 - Assertion failure in journal_start() at fs/jbd/transaction.c:274: 'handle->h_transaction->t_journal == journal'
• BZ - 393501 - execve returning EFBIG when running 4 GB executable
• BZ - 396081 - Since "Patch2037: linux-2.6.9-vm-balance.patch" my NFS performance is poorly
• BZ - 402581 - Deadlock while performing nfs operations.
• BZ - 414131 - Checksum offloading and IP connection tracking don't play well together
• BZ - 424541 - Please build SMBus driver i2c-piix4 as a module in RHEL4.7
• BZ - 424871 - Implement netif_release_rx_bufs for copying receiver
• BZ - 425721 - [QLogic 4.7 bug][3/5] qla4xxx - Targets not seen on first port (5.01.02-d2 --> 5.01.02-d3)
• BZ - 426031 - rapid block device plug / unplug leads to kernel crash and/or soft lockup
• BZ - 426301 - FEAT: RHEL 4.7 Intel Tolapai cpucache patch
• BZ - 426411 - [QLogic 4.7 Bug][5/5] qla2xxx - avoid delay for loop ready when loop dead
• BZ - 426647 - ptrace: PTRACE_SINGLESTEP,signal steps on the 2nd instr.
• BZ - 427204 - RHEL4, make tcp_input_metrics() get minimum RTO via tcp_rto_min()
• BZ - 427544 - Update CIFS to 1.50cRH for 4.7
• BZ - 427799 - [RHEL-4] RFE: Add EDAC driver for Intel 3000/3010 chipsets
• BZ - 428801 - [Areca 4.7 feat] Update the arcmsr driver to 1.20.00.15.RH
• BZ - 428934 - Can not send redirect packet when jiffiess wraparound
• BZ - 428964 - RHEL4.7: HDMI Audio support for AMD ATI chipsets
• BZ - 429103 - Allocations on resume path can cause deadlock due to attempting to swap
• BZ - 429930 - Fake ARP dropped after migration leading to loss of network connectivity
• BZ - 430313 - [QLogic 4.7 bug][4/5] qla4xxx - Race condition fixes w/ constant qla3xxx ifup/ifdown (5.01.02-d3 --> 5.01.02-d4)
• BZ - 430494 - [NetApp-S 4.7 bug] LUN removal status is not updated on the host without a driver reload
• BZ - 430946 - nfs server sending short packets on nfsv2 UDP readdir replies
• BZ - 431081 - [RHEL4.6]: Under load, an i386 PV guest on i386 HV will hang during save/restore
• BZ - 433249 - [EMC 4.7 bug] nfs_access_cache_shrinker() race with umount
• BZ - 433524 - oProfile Driver Module Patch for Family10h
• BZ - 435000 - ptrace: ERESTARTSYS from calling a function from a debugger
• BZ - 435351 - [RHEL4.7]: PV kernel can OOPs during live migrate
• BZ - 435787 - RHEL4.7: USB stress test failure on AMD SBX00
• BZ - 437423 - Add Xen disk and network paravirtualized drivers to bare-metal kernel
• BZ - 437865 - [RHEL 4.6] bonding 802.3ad does not work
• BZ - 438027 - RHEL4.6 Diskdump performance regression (mptfusion)
• BZ - 438115 - Add invocation of weak-modules on kernel install/remove
• BZ - 438688 - 68.25 Kernel rpm installation/uninstallation errors out
• BZ - 438723 - 32bit NFS server returns -EIO for readdirplus request when backing file system has 32bit inodes
• BZ - 438834 - cluster mirrors should not be attempted when cmirror modules are not loaded
• BZ - 438975 - gettimeofday is not monotonically increasing
• BZ - 439109 - [Broadcom 4.7 bug] HT1000 chip based systems getting blacklisted for msi
• BZ - 439539 - RHEL4 kernel ignores extended cpu model field
• BZ - 439540 - oprofile fix to support Penryn-based processors
• BZ - 439926 - do not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY
• BZ - 441445 - [QLogic 4.7 feat] Update qla2xxx - qla84xx variant support.
• BZ - 442124 - bonding: incorrect backport creates possible incorrect interface flags
• BZ - 442298 - Memory corruption due to VNIF increase
• BZ - 442538 - kernel panic in gnttab_map when booting RHEL4 x86_64 FV xen guest
• BZ - 442789 - oops in cifs module while trying to stop a thread (kthread_stop) during filesystem mount
• BZ - 443052 - kernel failed to boot and dropped to xmon
• BZ - 443053 - cciss driver crash
• BZ - 443825 - ls shows two /proc/[pid]/limits files for every process
• BZ - 444473 - Fake ARP dropped after migration leading to loss of network connectivity
• BZ - 446409 - RHEL4 U6 hang in epoll_wait
• BZ - 447315 - parted error: Can't open /dev/xvda while probing disks during installation
• BZ - 448641 - [QLogic 4.7 bug] qla2xxx - Update firmware for 4, 8 Gb/S adapters
• BZ - 448934 - Patch for bug 435280 introduces possibility of dead lock
• BZ - 449381 - System hangs when using /proc/sys/vm/drop_caches under heavy load on large system.
• BZ - 450094 - Patch for bug 360281 "Odd behaviour in mmap" introduces regression
• BZ - 450645 - [QLogic 4.7 bug] qla2xxx- several fixes: ioctl module and slab corruption (8.02.09-d0-rhel4.7-04)
• BZ - 450918 - vmware - Console graphic problem when mouse is moved
• BZ - 453419 - CVE-2008-2812 kernel: NULL ptr dereference in multiple network drivers due to missing checks in tty code

CVEs

• CVE-2008-2812
• CVE-2006-4145

References

• http://www.redhat.com/security/updates/classification/#moderate