[Ksplice][Virtuozzo 4 Updates] New updates available via Ksplice (CU-2.6.18-028stab068.9)
Greg Price
price at ksplice.com
Thu Apr 1 22:13:57 PDT 2010
Synopsis: CU-2.6.18-028stab068.9 can now be patched using Ksplice
CVEs: CVE-2009-4308 CVE-2010-0007 CVE-2010-0415 CVE-2010-0437
Red Hat Security Advisory Severity: Important
Systems running Virtuozzo 4 or the OpenVZ RHEL 5 kernel can now use
Ksplice to patch against the latest Parallels Virtuozzo Containers kernel
security update, CU-2.6.18-028stab068.9.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Virtuozzo 4 or
OpenVZ on RHEL 5 install these updates. You can install these updates
by running:
# uptrack-upgrade -y
DESCRIPTION
* Kernel crash forwarding network traffic.
A programming error in the Generic Receive Offload implementation in
the Linux kernel could generate invalid packet structures with certain
network cards, resulting in a kernel crash (BUG) if those packets are
then forwarded to another network interface.
* Filesystem corruption on ext3 over NFS.
A flaw in the core filesystem code of the Linux kernel could lead to
filesystem corruption when a new inode is created, particularly in an
ext3 filesystem mounted over NFS.
* CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
A NULL pointer dereference flaw was found in the ip6_dst_lookup_tail()
function in the Linux kernel. An attacker on the local network could
trigger this flaw by sending IPv6 traffic to a target system, leading
to a system crash (kernel OOPS) if dst->neighbour is NULL on the
target system when receiving an IPv6 packet. (CVE-2010-0437,
Important)
* CVE-2010-0007: Missing capabilities check in ebtables module.
The ebtables module in the netfilter framework in the Linux kernel did
not require the CAP_NET_ADMIN capability for setting or modifying
rules, which allows local users to bypass intended access restrictions
and configure arbitrary network-traffic filtering via a modified
ebtables application. (CVE-2010-0007, Low)
* CVE-2010-0415: Information leak in sys_move_pages
A missing boundary check was found in the do_move_pages() function in
the memory migration functionality in the Linux kernel. A local user
could use this flaw to cause a local denial of service or an
information leak. (CVE-2010-0415, Important)
* CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
The ext4_decode_error function in fs/ext4/super.c in the ext4
filesystem in the Linux kernel before 2.6.32 allows user-assisted
remote attackers to cause a denial of service (NULL pointer
dereference), and possibly have unspecified other impact, via a
crafted read-only filesystem that lacks a journal. (CVE-2009-4308,
Moderate)
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.
More information about the Ksplice-VZ4-Updates
mailing list