[Ksplice][Virtuozzo 3 Updates] New updates available via Ksplice (CU-2.6.9-023stab053.2)

Nelson Elhage nelhage at ksplice.com
Fri Nov 5 13:59:46 PDT 2010


Synopsis: CU-2.6.9-023stab053.2 can now be patched using Ksplice

CVEs: CVE-2009-3726 CVE-2010-1083 CVE-2010-1085 CVE-2010-1086 CVE-2010-1188
      CVE-2010-1437 CVE-2010-2240 CVE-2010-2248 CVE-2010-2521 CVE-2010-2942
      CVE-2010-3067 CVE-2010-3081 CVE-2010-3477
Red Hat Security Advisory Severity: Important

Systems running Virtuozzo 3 can now use Ksplice to patch against the
latest Parallels Virtuozzo Containers kernel security update,
CU-2.6.9-023stab053.2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 3 install
these updates.  You can install these updates by running:

# uptrack-upgrade -y

DESCRIPTION

* CVE-2010-1085: Divide-by-zero in Intel HDA driver.

A divide-by-zero flaw was found in azx_position_ok() in the Intel High
Definition Audio driver, snd-hda-intel. A local, unprivileged user
could trigger this flaw to cause a denial of service. (CVE-2010-1085,
Moderate)


* CVE-2010-1086: Infinite loop in ULE implementation.

A flaw was found in the kernel's Unidirectional Lightweight
Encapsulation (ULE) implementation. A remote attacker could send a
specially-crafted ISO MPEG-2 Transport Stream (TS) frame to a target
system, resulting in a denial of service. (CVE-2010-1086, Important)

* CVE-2010-1083: Information leak in USB implementation.

An information leak flaw was found in the kernel's USB implementation.
Certain USB errors could result in an uninitialized kernel buffer
being sent to user-space. An attacker with physical access to a target
system could use this flaw to cause an information
leak. (CVE-2010-1083, Low)


* CVE-2010-1188: Denial of service in tcp_rcv_state_process.

A use-after-free flaw was found in tcp_rcv_state_process() in the
kernel's TCP/IP protocol suite implementation. If a system using IPv6
had the IPV6_RECVPKTINFO option set on a listening socket, a remote
attacker could send an IPv6 packet to that system, causing a kernel
panic.  (CVE-2010-1188, Important)


* Kernel panic in NFS client communicating with a rebooted NFS server.

In some circumstances, when a Red Hat Enterprise Linux client
connected to a rebooted Windows-based NFS server, server-side
filehandle-to-inode mapping changes caused a kernel panic.


* CVE-2010-1437: Privilege escalation in kernel key management.

A race condition between finding a keyring by name and destroying a
freed keyring was found in the Linux kernel key management facility.  A
local, unprivileged user could use this flaw to cause a kernel panic
(denial of service) or escalate their privileges.


* CVE-2009-3726: NULL pointer dereference in NFSv4.

A NULL pointer dereference flaw was found in the Linux kernel NFSv4
implementation.  Several of the NFSv4 file locking functions failed to
check whether a file had been opened on the server before performing
locking operations on it.  A local, unprivileged user on a system with
an NFSv4 share mounted could possibly use this flaw to cause a kernel
panic (denial of service) or escalate their privileges.


* CVE-2010-2248: Remote denial of service in CIFS client.

A flaw was found in the CIFSSMBWrite() function in the Linux kernel
Common Internet File System (CIFS) implementation.  A remote attacker
could send a specially-crafted SMB response packet to a target CIFS
client, resulting in a kernel panic. (CVE-2010-2248, Important).


* Kernel panic caused by incorrect reference counting in NFS server.

The rpc_call_async() function in the SUN Remote Procedure Call (RPC)
subsystem in the Linux kernel had a reference counting bug. In certain
situations, some Network Lock Manager (NLM) messages may have
triggered this bug on NFSv2 and NFSv3 servers, leading to a kernel
panic (with "kernel BUG at fs/lockd/host.c:[xxx]!" logged to
"/var/log/messages").


* CVE-2010-2521: Remote buffer overflow in NFSv4 server.

Buffer overflow flaws were found in the Linux kernel's implementation
of the server-side External Data Representation (XDR) for the Network
File System (NFS) version 4.  An attacker on the local network could
send a specially-crafted large compound request to the NFSv4 server,
which could possibly result in a kernel panic (denial of service) or,
potentially, code execution. (CVE-2010-2521, Important).


* CVE-2010-2240: Privilege escalation vulnerability in memory management.

When an application has a stack overflow, the stack could silently overwrite
another memory mapped area instead of a segmentation fault occurring, which
could cause an application to execute arbitrary code, possibly leading to
privilege escalation. It is known that the X Window System server can be used to
trigger this flaw. (CVE-2010-2240, Important)


* CVE-2010-3081: Privilege escalation through stack underflow in compat.

A flaw was found in the 32-bit compatibility layer for 64-bit systems.
When translating system call arguments to their 64-bit form, the
"compat_alloc_user_space" helper carved a scratch buffer out of the
user stack by subtracting the requested length from the user stack
pointer without validating the result.  With an attacker-controlled
length, as in the compat getsockopt path, the subtraction underflowed
and the returned pointer could lie outside user space.  A local,
unprivileged user could use this flaw to escalate their privileges.
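The following is an added illustration, not code from this update, from Ksplice, or from the kernel itself: a user-space model in C of the compat_alloc_user_space() arithmetic before and after the fix. The saved user stack pointer, the x86-64 user/kernel boundary, the access_ok() stand-in and the getsockopt-style caller are all assumptions made for the model. It shows that subtracting an untrusted length from the stack pointer without a range check yields a kernel-space address when the length exceeds the stack pointer, and that an access_ok()-style check on the result rejects exactly that case.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the x86-64 user/kernel split. Addresses at or above this
 * value are never valid user-space pointers in the model. */
#define TASK_SIZE_MAX 0x00007ffffffff000ULL

typedef uint64_t uaddr_t;   /* a user-space address in the model */

/* Model of access_ok(): [addr, addr+len) must not wrap around and must lie
 * entirely below the user/kernel boundary. */
int access_ok_model(uaddr_t addr, uint64_t len)
{
    uaddr_t end = addr + len;
    return end >= addr && end <= TASK_SIZE_MAX;
}

/* Pre-fix shape: carve a scratch area out of the user stack by subtracting
 * len from the saved user stack pointer and return it unchecked. When len is
 * larger than user_sp the subtraction underflows and the result is a
 * kernel-space address. */
uaddr_t compat_alloc_user_space_vuln(uaddr_t user_sp, uint64_t len)
{
    return user_sp - len;
}

/* Post-fix shape: same arithmetic, but the result is validated with the
 * access_ok() model; 0 (NULL in the kernel) is returned on failure. */
uaddr_t compat_alloc_user_space_fixed(uaddr_t user_sp, uint64_t len)
{
    uaddr_t ptr = user_sp - len;
    if (!access_ok_model(ptr, len))
        return 0;
    return ptr;
}

int is_kernel_address(uaddr_t a)
{
    return a >= TASK_SIZE_MAX;
}

/* Model of a compat syscall such as getsockopt: optlen arrives straight from
 * the 32-bit caller. Returns -EFAULT when no scratch area can be obtained,
 * which is how the fixed callers behave. */
int compat_getsockopt_model(uaddr_t user_sp, uint64_t optlen, uaddr_t *scratch)
{
    uaddr_t p = compat_alloc_user_space_fixed(user_sp, optlen);
    if (p == 0)
        return -EFAULT;
    *scratch = p;
    return 0;
}

int main(void)
{
    uaddr_t sp = 0x00007ffffffde000ULL;   /* constructed user stack pointer */
    uint64_t huge = sp + 0x1000;          /* attacker-chosen optlen */
    uaddr_t v = compat_alloc_user_space_vuln(sp, huge);

    printf("vuln:  %#llx (kernel address: %d)\n",
           (unsigned long long)v, is_kernel_address(v));
    printf("fixed: %#llx\n",
           (unsigned long long)compat_alloc_user_space_fixed(sp, huge));
    return 0;
}
```

The wrap test in access_ok_model() is the part that matters: a plain "ptr below TASK_SIZE_MAX" test would still accept a pointer whose range runs off the end of the address space, so both ends of the range are checked.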


* CVE-2010-3477: Kernel information leak in act_police.

Incorrectly initialized structures in the traffic control dump code
may allow the disclosure of kernel memory to userspace applications.
This is a similar issue to CVE-2010-2942.


* CVE-2010-2942: Information leaks in traffic control dump structures.

Incorrectly initialized structures in the traffic control dump code
may allow the disclosure of 32 bits of kernel memory to userspace
applications.
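Both CVE-2010-3477 and CVE-2010-2942 are instances of the same pattern: a record is built on the kernel stack member by member and then copied out to userspace, so padding bytes and any member that was never assigned carry whatever the stack held before. The following is an added illustration in C, not code from this update, from Ksplice, or from the kernel's traffic-control code. The record layout, field names and the "stale stack slot" (a heap buffer pre-filled with a marker byte) are constructed for the model; it counts how many marker bytes survive each fill style, which is exactly what a netlink dump would hand to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a dump record such as struct tc_police: mixed
 * field widths so the compiler inserts padding. Names are illustrative. */
struct tc_dump_rec {
    uint32_t index;
    uint8_t  flags;     /* padding usually follows */
    uint32_t rate;
    uint16_t refcnt;    /* padding usually follows */
    uint32_t bindcnt;
};

#define FIELD_BYTES (4 + 1 + 4 + 2 + 4)
#define STALE_BYTE  0xA5

/* Model of the stack slot the record is built in: it still holds leftovers
 * from earlier kernel work, which is what an information leak exposes. */
static struct tc_dump_rec *stale_record(void)
{
    struct tc_dump_rec *opt = malloc(sizeof(*opt));
    if (opt)
        memset(opt, STALE_BYTE, sizeof(*opt));
    return opt;
}

/* Pre-fix pattern: assign members one at a time. Padding bytes keep their
 * stale contents. (volatile keeps the compiler from widening the stores.) */
void fill_dump_vuln(volatile struct tc_dump_rec *opt)
{
    opt->index = 7;
    opt->flags = 1;
    opt->rate = 1000;
    opt->refcnt = 1;
    opt->bindcnt = 1;
}

/* Same pattern with one member forgotten: that member leaks too. */
void fill_dump_vuln_missing_field(volatile struct tc_dump_rec *opt)
{
    opt->index = 7;
    opt->flags = 1;
    opt->rate = 1000;
    opt->refcnt = 1;
}

/* Post-fix pattern: clear the whole object before filling it in. */
void fill_dump_fixed(volatile struct tc_dump_rec *opt)
{
    memset((void *)opt, 0, sizeof(*opt));
    opt->index = 7;
    opt->flags = 1;
    opt->rate = 1000;
    opt->refcnt = 1;
    opt->bindcnt = 1;
}

/* Count bytes of the finished record that still carry the stale marker:
 * those are the bytes a copy to userspace would disclose. */
size_t leaked_bytes(void (*fill)(volatile struct tc_dump_rec *))
{
    struct tc_dump_rec *opt = stale_record();
    const unsigned char *b;
    size_t n = 0, i;

    if (!opt)
        return (size_t)-1;
    fill(opt);
    b = (const unsigned char *)opt;
    for (i = 0; i < sizeof(*opt); i++)
        if (b[i] == STALE_BYTE)
            n++;
    free(opt);
    return n;
}

size_t padding_bytes(void)
{
    return sizeof(struct tc_dump_rec) - FIELD_BYTES;
}

int main(void)
{
    printf("padding bytes in record: %zu\n", padding_bytes());
    printf("leaked, member-by-member fill: %zu\n", leaked_bytes(fill_dump_vuln));
    printf("leaked, one member forgotten:  %zu\n", leaked_bytes(fill_dump_vuln_missing_field));
    printf("leaked, memset first:          %zu\n", leaked_bytes(fill_dump_fixed));
    return 0;
}
```

The assigned values (7, 1, 1000) were chosen so none of their bytes equals the marker; in a real audit you would look for the opposite, a struct copied out whose size differs from the sum of its members, or a member that is never written on some path.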


* CVE-2010-3067: Information leak in do_io_submit()

An integer overflow in do_io_submit(), when computing the size of the
array of iocb pointers passed to io_submit(), could be used by local,
unprivileged userspace processes to read kernel memory.
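The following is an added illustration in C, not code from this update, from Ksplice, or from the kernel's fs/aio.c: a model of the do_io_submit() entry check before and after the fix. The 1 MiB "user mapping" and the access_ok() stand-in are assumptions made for the model. It shows how a request count chosen so that nr * sizeof(struct iocb *) wraps to a tiny value slips past a size check that multiplies first, and how bounding nr by LONG_MAX / sizeof(struct iocb *) before multiplying closes that gap on both 32-bit and 64-bit longs.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

struct iocb;   /* opaque here: only the size of a pointer to it matters */

/* Assumption for the model: the user mapping that iocbpp points into is
 * 1 MiB long, so any larger byte count must fail the access check. */
#define USER_RANGE_BYTES ((size_t)1 << 20)

static int access_ok_model(size_t bytes)
{
    return bytes <= USER_RANGE_BYTES;
}

/* Byte count the kernel must validate: nr pointers to struct iocb. The
 * product silently wraps when nr is large enough. */
size_t iocb_array_bytes(long nr)
{
    return (size_t)nr * sizeof(struct iocb *);
}

/* Pre-fix shape of the entry check: only the sign of nr is tested, then the
 * (possibly wrapped) product goes to the range check, which passes. The
 * loop that follows in the real function would still iterate nr times. */
long io_submit_check_vuln(long nr)
{
    if (nr < 0)
        return -EINVAL;
    if (!access_ok_model(iocb_array_bytes(nr)))
        return -EFAULT;
    return 0;
}

/* Post-fix shape: refuse any nr whose product cannot be represented before
 * doing the multiplication at all. */
long io_submit_check_fixed(long nr)
{
    if (nr < 0 || (unsigned long)nr > LONG_MAX / sizeof(struct iocb *))
        return -EINVAL;
    if (!access_ok_model(iocb_array_bytes(nr)))
        return -EFAULT;
    return 0;
}

/* Smallest positive nr for which nr * sizeof(struct iocb *) wraps around to
 * exactly one pointer's worth of bytes on this machine. */
long io_submit_wrapping_nr(void)
{
    return (long)(ULONG_MAX / sizeof(struct iocb *) + 2);
}

int main(void)
{
    long nr = io_submit_wrapping_nr();

    printf("nr=%ld bytes=%zu vuln=%ld fixed=%ld\n", nr, iocb_array_bytes(nr),
           io_submit_check_vuln(nr), io_submit_check_fixed(nr));
    return 0;
}
```

The order of the two tests is the whole point: the division-based bound is evaluated on nr alone, so it cannot overflow, and only then is the multiplication performed. The same check shape applies to any count-times-element-size computation fed by user input.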

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.



More information about the VZ3-Updates mailing list