Issued:
2011-02-16
Updated:
2011-02-16

RHSA-2011:0263 - Security Advisory

Synopsis

Important: Red Hat Enterprise Linux 4.9 kernel security and bug fix update

Type/Severity

Security Advisory: Important

Topic

Updated kernel packages that fix three security issues, hundreds of bugs,
and add numerous enhancements are now available as part of the ongoing
support and maintenance of Red Hat Enterprise Linux version 4. This is the
ninth regular update.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues:

  • A buffer overflow flaw was found in the load_mixer_volumes() function in
    the Linux kernel's Open Sound System (OSS) sound driver. On 64-bit PowerPC
    systems, a local, unprivileged user could use this flaw to cause a denial
    of service or escalate their privileges. (CVE-2010-4527, Important)
  • A missing boundary check was found in the dvb_ca_ioctl() function in the
    Linux kernel's av7110 module. On systems that use old DVB cards that
    require the av7110 module, a local, unprivileged user could use this flaw
    to cause a denial of service or escalate their privileges. (CVE-2011-0521,
    Important)
  • A missing initialization flaw was found in the ethtool_get_regs()
    function in the Linux kernel's ethtool IOCTL handler. A local user who has
    the CAP_NET_ADMIN capability could use this flaw to cause an information
    leak. (CVE-2010-4655, Low)

Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-4527, and
Kees Cook for reporting CVE-2010-4655.

These updated kernel packages also fix hundreds of bugs and add numerous
enhancements. For details on individual bug fixes and enhancements included
in this update, refer to the Red Hat Enterprise Linux 4.9 Release Notes,
linked to in the References section.

Users should upgrade to these updated packages, which contain backported
patches to correct these issues and add these enhancements. The system must
be rebooted for this update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

Affected Products

  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

  • BZ - 176848 - NLM: Fix Oops in nlmclnt_mark_reclaim()
  • BZ - 189918 - kernel: serious ugliness in iget() uses by nfsd [rhel-4.9]
  • BZ - 217829 - Powernow driver does not work properly with different voltage CPUs
  • BZ - 247116 - RFE: Add debug to bonding driver as module option
  • BZ - 396631 - Increase timeout for device connection on boot
  • BZ - 427998 - RHEL4: Can enter no tick idle mode with RCU pending leading to hang
  • BZ - 445957 - Change "decode_getfattr: xdr error %d!" to dprintk
  • BZ - 456047 - Kernel Panic at end_bio_bh_io_sync+44
  • BZ - 456649 - xenbus suspend_mutex remains locked after transaction failure
  • BZ - 457519 - groups_search() cannot handle large gid correctly
  • BZ - 459466 - kernel: binfmt_misc.c: avoid potential kernel stack overflow [rhel-4.8]
  • BZ - 459499 - proc_loginuid_write() uses simple_strtoul() on non-terminated array
  • BZ - 461038 - el4u5 pv guest user coredump crashing system
  • BZ - 462717 - IPVS wrr scheduler bug
  • BZ - 472752 - BUG() in end_buffer_async_write()
  • BZ - 476700 - Loss of USB HID devices when switching with a KVM
  • BZ - 479090 - Panic in do_cciss_intr removeQ
  • BZ - 479264 - [RHEL4] lost siginfo when a signal queue is full
  • BZ - 480404 - kernel BUG at fs/mpage.c:417!
  • BZ - 480937 - RHEL-4: Deadlock in Xen netfront driver.
  • BZ - 481292 - [RHEL4.7] Original ether's status is keeping PROMISC MULTICAST mode
  • BZ - 481371 - PG_error bit is never cleared, even when a fresh I/O to the page succeeds
  • BZ - 483783 - kernel hid-input.c divide error crash
  • BZ - 484415 - CCISS device-mapper-multipath support: missing sysfs attributes
  • BZ - 485904 - [RHEL4] Netfilter modules unloading hangs
  • BZ - 488931 - ACLs on NFS mounted directories disappear
  • BZ - 490148 - Xen domU, RAID1, LVM, iscsi target export with blockio bug
  • BZ - 491284 - [x86_64]: copy_user_c can zero more data than needed
  • BZ - 492868 - Xen guest kernel advertises absolute mouse pointer feature which it is incapable of setting up correctly
  • BZ - 493780 - EL4U7 kernel bug fix update (Oracle bug 7916406 - JVM process hang)
  • BZ - 494404 - [RHEL4.5] Even if a process have received data but schedule() in select() cannot return
  • BZ - 494688 - e1000e: sporadic hang in netdump
  • BZ - 495858 - show_partition() oops when race with rescan_partitions().
  • BZ - 496201 - [RHEL4] Nscd consumes many cpu resources ( nearly 100% ) continuously.
  • BZ - 496205 - PVFB frontend can send bogus screen updates
  • BZ - 496206 - xenkbd can crash when probe fails
  • BZ - 496209 - PVFB frontend mouse wheel support
  • BZ - 498012 - Bonding driver updelay parameter actual behavior doesn't match documented behavior
  • BZ - 499355 - e1000_clean_tx_irq: Detected Tx Unit Hang
  • BZ - 499548 - kernel: proc: avoid information leaks to non-privileged processes [rhel-4.9]
  • BZ - 499848 - [RHEL4-U8] Kernel - testing NMI watchdog ... CPU#0: NMI appears to be stuck (0)!
  • BZ - 500637 - A bond's preferred primary setting is lost after bringing down and up of the primary slave.
  • BZ - 500889 - Various IPv4/v6 SNMP counter fixes
  • BZ - 500904 - renaming file on a share w/o write permissions causes oops
  • BZ - 501064 - [Stratus 4.9 bug] panic reading /proc/bus/input/devices during input device removal
  • BZ - 501335 - oops in nfs4_put_open_state
  • BZ - 501500 - oops in nfsd_svc after forced unmount of stale nfs4 filesystem and reboot
  • BZ - 501844 - kernel: random: ICE at get_random_int() [rhel-4.3]
  • BZ - 502473 - Failure logging execve with lots of arguments
  • BZ - 502884 - NFSv4 Issue/slowdown when testing against the NetApp server
  • BZ - 503489 - [NetApp 4.8 bug] Issues with "qioctlmod" module on RHEL4.8 hosts with QLogic FC inbox drivers
  • BZ - 503762 - Adding bonding in balance-alb mode to bridge cause network connectivity to be lost [rhel-4.9]
  • BZ - 504080 - MegaRAID SAS 1078 tape I/O errors when using mt erase
  • BZ - 504156 - rtl8139 doesn't work with bonding in alb mode [rhel-4.9]
  • BZ - 504279 - [RHEL 4] Lookups due to infinite loops in posix_locks_deadlock
  • BZ - 504593 - LRO patch to 4.7 breaks SANGOMA WANPIPE drivers build
  • BZ - 504778 - FEAT RHEL4.9: Support new PCI IDS to support VX800 in via82cxxx
  • BZ - 504988 - [RHEL4 Xen]: i386 Guest crash when host has >= 64G RAM
  • BZ - 505081 - [RHEL4.8 Xen]: Xenbus warnings in a FV guest on shutdown
  • BZ - 505122 - Make Aborted Command (internal target failure) retryable at SCSI layer (sense B 44 00)
  • BZ - 505506 - RHEL4.8: crash in do_cciss_request()
  • BZ - 505591 - Bug in lockd prevents a locks being freed.
  • BZ - 506875 - kernel: ptrace: don't use REMOVE_LINKS/SET_LINKS for reparenting [rhel-4.9]
  • BZ - 507527 - NFSD returns NFS4_OK when the owner opens a file with permission set to 000
  • BZ - 507847 - Balloon driver gives up too easily when ballooning up under memory pressure
  • BZ - 507951 - [4.8]Kernel can not increase the counter of Icmp6OutDestUnreachs when forwarding packet with address unreachable.
  • BZ - 509220 - i386 rhel4.8 kvm guests crashes in virtio during installation
  • BZ - 509627 - kernel: fd leak if pipe() is called with an invalid address [rhel-4.9]
  • BZ - 509816 - cciss: spinlock deadlock causes NMI on HP systems
  • BZ - 510184 - NFSD returns NFS4_OK(0) when OPEN with access==read/write on a read-denied/write-denied file
  • BZ - 510395 - num_mtt settings of 2097152 fails in RHEL with infiniband HCA
  • BZ - 510454 - [IPv6] No fragment header in ICMPv6 reply after packet_too_big message
  • BZ - 511183 - kernel: build with -fno-delete-null-pointer-checks [rhel-4.9]
  • BZ - 512641 - kernel: security: implement mmap_min_addr infrastructure [rhel-4.9]
  • BZ - 514684 - NFS: mounted NFSv4/krb5 export inaccessible following an NFS server reboot
  • BZ - 515274 - /proc/net/dev sometimes contains bogus values (BCM5706)
  • BZ - 516076 - netconsole on e1000 cause "Badness in local_bh_enable at kernel/softirq.c:141"
  • BZ - 516742 - CIFS - crash in small_smb_init
  • BZ - 517162 - cthon test5 failing on nfsv4 with rhel6 client vs. rhel4 server
  • BZ - 517329 - [RHEL4.8] igb driver doesn't allocate enough buffer for ethtool_get_strings()
  • BZ - 517523 - get_partstats() returns NULL and causes panic
  • BZ - 520018 - statfs on NFS partition always returns 0
  • BZ - 520299 - kernel: ipv4: make ip_append_data() handle NULL routing table [rhel-4.9]
  • BZ - 522000 - [RFE ] Connlimit kernel module support [rhel-4.9]
  • BZ - 523983 - kernel: ipt_recent: sanity check hit count [rhel-4.9]
  • BZ - 524884 - reading from /proc/net/ip_conntrack returns ENOSPC
  • BZ - 525398 - RHEL4: Unable to write to file as non-root user with setuid and setgid bit set
  • BZ - 525941 - OOM on i686 kernel-smp
  • BZ - 527656 - bnx2x fails when iptables is on
  • BZ - 528066 - [Cisco/LSI 4.9 bug] mptctl module dereferences a userspace address, triggering a crash
  • BZ - 529063 - qla2xxx flash programming changes in 4.8 broke diskdump
  • BZ - 531914 - [4.6] TCP conntrack doesn't handle half-open state connection correctly
  • BZ - 532045 - SCTP Messages out of order
  • BZ - 532593 - Upgrade from RHEL4U7 to U8 fails to bring up networking with forcedeth driver. [simple patch]
  • BZ - 532858 - IBM HS22: SOL drops on bnx2 driver load
  • BZ - 533299 - scsi device add/remove panic at sysfs_hash_and_remove
  • BZ - 537475 - Write barrier operations not working for libata and general SCSI disks
  • BZ - 539506 - [4.7] wait4 blocks on non-existing pid
  • BZ - 541538 - [RHEL4 Xen]: PV guest crash on poweroff
  • BZ - 543823 - [RHEL4]: A new xenfb thread is created on every save/restore
  • BZ - 546251 - [RHEL4.5] select() cannot return in UDP/UNIX domain socket
  • BZ - 546324 - TCP receive window clamping problem
  • BZ - 547213 - ext2online resize hangs
  • BZ - 548496 - [Emulex 4.9 bug] lpfc driver doesn't acquire lock when searching hba for target
  • BZ - 552953 - "forcedeth" driver issue: eth0 fails to get ip address on boot with RHEL4 kernel
  • BZ - 557122 - No output of xmit_hash_policy on IEEE 802.3ad Bonding
  • BZ - 557380 - Kernel panic due to recursive lock in 3c59x driver.
  • BZ - 558607 - e1000e: wol is broken in kernel 2.6.9-89.19
  • BZ - 561108 - platform:ahern:rmmod hangs at 100% cpu removing usbnet module
  • BZ - 562949 - problems with aliased dentries and case-insensitivity in CIFS readdir code
  • BZ - 563920 - Please implement upstream fix for potential filesystem corruption bug
  • BZ - 568271 - [QLogic 4.9 bug] qla2xxx: Fix srb cache destroy issue on driver unload and FDMI registration issue (8.02.10.01.04.09-d)
  • BZ - 569668 - [RHEL4] boot hangs if scsi read capacity fails on faulty non system drive
  • BZ - 577178 - megaraid_sas: fix physical disk handling
  • BZ - 577378 - NFSv3 file attributes are not updated by READDIRPLUS reply
  • BZ - 585430 - Add log message for unhandled sense error REPORTED_LUNS_DATA_CHANGED
  • BZ - 589897 - Lost the network in a KVM VM on top of 4.9
  • BZ - 591938 - cifs: busy file renames across directories should fail with error
  • BZ - 594633 - kernel: security: testing the wrong variable in create_by_name() [rhel-4.9]
  • BZ - 604786 - second cifs mount to samba server fails when samba using security=ADS
  • BZ - 605455 - EXT3-fs error: do_get_write_access: OOM for frozen_buffer
  • BZ - 607261 - Read from /proc/xen/xenbus does not honor O_NONBLOCK
  • BZ - 607533 - Vhost:Fail to transfer file between two guests in same vlan
  • BZ - 610236 - [4u8] Bonding in ALB mode sends ARP in loop
  • BZ - 614559 - sky2 issue with 4.8 kernel
  • BZ - 620485 - system crashes due to corrupt net_device_wrapper structure
  • BZ - 621209 - [4u9] bonding: fix a race condition in calls to slave MII ioctls
  • BZ - 623265 - bnx2: panic in bnx2_poll_work()
  • BZ - 624117 - recording fails when usb audio device is connected to EHCI controller (ehci_hcd)
  • BZ - 624713 - [RHEL4] Problems with aacraid - File system going into read-only.
  • BZ - 629143 - Assertion failure in ext3_put_super() at fs/ext3/super.c:426: "list_empty(&sbi->s_orphan)"
  • BZ - 630564 - kernel: additional stack guard patches [rhel-4.9]
  • BZ - 634632 - nfs4_reclaim_open_state: unhandled error -5. Zeroing state
  • BZ - 637556 - Bonded interface doesn't issue IGMP report (join) on slave interface during failover
  • BZ - 637658 - [RHEL 4.8] 32-bit pvhvm guest on 64-bit host crash w/xm mem-set
  • BZ - 640803 - [RHEL4.8.z] soft lockup on vlan with bonding in balance-alb mode
  • BZ - 641112 - bonding does not switch to slave
  • BZ - 643992 - Kernel maintainer's bz for spec file changes
  • BZ - 645220 - [RFE] kernel: modules: sysctl to block module loading [rhel-4.9]
  • BZ - 645633 - temporary loss of path to SAN results in persistent EIO with msync
  • BZ - 647187 - [netfront] ethtool -i should return proper information for netfront device
  • BZ - 647196 - RFE: Virtio nic should support "ethtool -i virtio nic"
  • BZ - 651334 - RHEL4.9: EHCI: AMD periodic frame list table quirk
  • BZ - 653252 - kernel: restrict unprivileged access to kernel syslog [rhel-4.9]
  • BZ - 653505 - [4.9 Regression] network is lost after balloon-up fails
  • BZ - 658824 - The USB storage cannot use >2TB.
  • BZ - 662839 - [REG][4.9] Filesystem corruption happens on ext2 filesystem
  • BZ - 667615 - CVE-2010-4527 kernel: buffer overflow in OSS load_mixer_volumes
  • BZ - 672398 - CVE-2011-0521 kernel: av7110 negative array offset
  • BZ - 672428 - CVE-2010-4655 kernel: heap contents leak for CAP_NET_ADMIN via ethtool ioctl

CVEs

References

Red Hat Enterprise Linux Server 4

SRPM
x86_64
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591
ia64
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591
i386
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591

Red Hat Enterprise Linux Workstation 4

SRPM
x86_64
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591
ia64
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591
i386
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591

Red Hat Enterprise Linux Desktop 4

SRPM
x86_64
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591
i386
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
s390x
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591
s390
kernel-2.6.9-100.EL.s390.rpm SHA-256: 73586356c8b37dd1e8afda47ef08a235a17b141cd17f7c7340ad6a0447d32fa3
kernel-devel-2.6.9-100.EL.s390.rpm SHA-256: a98e37f5ba4e4d028b4ba70aef0ba944033885585fdc37f4cb9a02c3336ef827
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591

Red Hat Enterprise Linux for Power, big endian 4

SRPM
ppc
kernel-doc-2.6.9-100.EL.noarch.rpm SHA-256: b48dac9f6177acf53497345e309e91d6945de95889faed7b28a3367fef2fc591

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.