[Ksplice][Fedora-14-Updates] New updates available via Ksplice (FEDORA-2011-1138)
Keegan McAllister
keegan at ksplice.com
Fri Feb 11 13:43:40 PST 2011
Synopsis: FEDORA-2011-1138 can now be patched using Ksplice
CVEs: CVE-2010-3875 CVE-2010-3876 CVE-2010-4165 CVE-2010-4249
CVE-2010-4346 CVE-2010-4648 CVE-2010-4649 CVE-2010-4650 CVE-2010-4668
CVE-2011-0006 CVE-2011-0521
Systems running Fedora 14 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-1138.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Fedora 14 users install these
updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
DESCRIPTION
* CVE-2010-4650: Integer overflow in FUSE_IOCTL_RETRY.
The iovec arguments to the FUSE_IOCTL_RETRY ioctl could have a combined
length larger than the maximum FUSE request size.
* Use-after-free bug in sunrpc xprt.
A race condition in the sunrpc protocol implementation can cause the kernel to
process garbage data.
* CVE-2010-4649: Buffer overflow in InfiniBand uverb handling.
Dan Carpenter reported an issue in the uverb handling of the InfiniBand
subsystem. A potential buffer overflow may allow local users to cause a
denial of service (memory corruption) by passing in a large cmd.ne value.
* CVE-2010-4165: Denial of service in TCP from user MSS.
A user program could cause a division by 0 in tcp_select_initial_window by
passing in an invalid TCP_MAXSEG, leading to a kernel oops.
* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.
A flaw was found in the Linux kernel's garbage collector for AF_UNIX
sockets. A local, unprivileged user could use this flaw to trigger a
denial of service (out-of-memory condition).
* CVE-2010-3875: Information leak in AX.25 protocol.
The ax25_getname function sometimes leaks kernel stack memory to
userspace in uninitialized structure members and padding bytes.
* CVE-2010-3876: Kernel information leak in packet subsystem.
The packet_getname_spkt function doesn't initialize all members of a
sockaddr struct before copying it to userland, which allows unprivileged
users to read uninitialized stack memory.
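CVE-2010-3875 and CVE-2010-3876 are the same bug class: a stack-allocated sockaddr is filled field by field, and the untouched members, tail bytes and compiler padding carry whatever the kernel stack held before into userspace. The following is an added userspace simulation (not code from this advisory or from the kernel) that contrasts that pattern with the fix of zeroing the whole object first; the struct layout, the STALE marker standing in for leftover stack contents, and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a kernel sockaddr-style struct. A 2-byte family
 * followed by an 8-byte member leaves compiler padding on LP64 targets, and
 * the device[] buffer is only partially written by the buggy path. */
struct sa_demo {
    uint16_t family;
    uint64_t ifindex;
    char     device[14];
};

#define STALE 0xAA  /* marker simulating prior kernel stack contents */

/* Buggy pattern: writes only the fields it cares about. Padding and the
 * unused tail of device[] keep whatever the stack slot held (STALE). */
void getname_buggy(struct sa_demo *sa, const char *name, uint64_t idx) {
    sa->family = 17;           /* AF_PACKET */
    sa->ifindex = idx;
    size_t n = strlen(name);
    if (n > sizeof sa->device) n = sizeof sa->device;
    memcpy(sa->device, name, n);   /* tail of device[] left untouched */
}

/* Fixed pattern: zero the whole object before filling it, so no byte that is
 * later copied to userspace can carry old stack data. */
void getname_fixed(struct sa_demo *sa, const char *name, uint64_t idx) {
    memset(sa, 0, sizeof *sa);
    sa->family = 17;
    sa->ifindex = idx;
    strncpy(sa->device, name, sizeof sa->device - 1);
}

/* Count bytes of the struct that still hold the STALE marker, i.e. bytes that
 * would be disclosed by a copy_to_user of the whole object. */
size_t count_stale_bytes(const struct sa_demo *sa) {
    const unsigned char *p = (const unsigned char *)sa;
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof *sa; i++)
        if (p[i] == STALE) leaked++;
    return leaked;
}

/* Run one variant on a "stack slot" pre-filled with STALE and report how many
 * bytes of simulated stale stack it would leak. */
size_t leaked_bytes(void (*fn)(struct sa_demo *, const char *, uint64_t)) {
    struct sa_demo slot;
    memset(&slot, STALE, sizeof slot);  /* constructed stale stack contents */
    fn(&slot, "eth0", 2);
    return count_stale_bytes(&slot);
}
```

With the 4-character name, the buggy variant leaves at least the 10 unused bytes of device[] (plus any padding) stale, while the fixed variant leaks none.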
* Reference count leak in inotify failure path.
The inotify subsystem can leak a reference count when it fails to create a new
special file. An unprivileged process can force this failure by setting the
RLIMIT_NOFILE resource limit. This could lead to denial of service
(out-of-memory condition) or a refcount overflow and subsequent use-after-free.
* CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.
The driver for Orinoco wireless cards fails to respond effectively to certain
attacks on WPA encryption.
* Data corruption on RAID recovery to hot-added device.
Linux software RAID arrays (md subsystem) with v1.x metadata can forget the
state of partial recovery onto a hot-added storage device, erroneously treating
the device as fully recovered. This could lead to data corruption.
* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
Tavis Ormandy discovered an issue in the install_special_mapping
routine which allows local users to bypass the mmap_min_addr security
restriction. Combined with an otherwise low severity local denial of
service vulnerability (NULL pointer dereference), a local user could
obtain elevated privileges.
* CVE-2011-0006: Unhandled error condition when adding security rules.
When a security rule is added on a system with a disabled Linux Security
Module, the kernel fails to detect an error condition, causing default security
rules to be disabled.
* Remote denial of service in 802.11 mesh networking drivers.
Under low-memory conditions, forwarding an 802.11 mesh networking packet can
cause a NULL pointer dereference.
* Denial of service in 802.11 transmit buffer handling.
The transmit buffer code in the mac80211 subsystem fails to handle shared
buffers correctly, resulting in a BUG or other kernel misbehavior.
* File size corruption in btrfs.
A logic error in the btrfs filesystem implementation can cause a file to be
written with the wrong size, introducing trailing garbage data or possibly
other corruption.
* CVE-2010-4668: Kernel panic in block subsystem.
By submitting certain I/O requests with 0 length, a local user could cause
a denial of service (kernel panic).
* CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.
Dan Carpenter reported an issue in the DVB driver for AV7110 cards. Local
users can pass a negative info->num value, corrupting kernel memory and
causing a denial of service.
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.