[Ksplice][Virtuozzo 4 Updates] New updates available via Ksplice (CU-2.6.18-028stab067.4)

Nelson Elhage nelhage at ksplice.com
Fri Jan 29 11:38:25 PST 2010


Synopsis: CU-2.6.18-028stab067.4 can now be patched using Ksplice
CVEs: CVE-2007-4567 CVE-2009-3228 CVE-2009-3286 CVE-2009-3612
      CVE-2009-3613 CVE-2009-3620 CVE-2009-3726 CVE-2009-4272
      CVE-2009-4536 CVE-2009-4537 CVE-2009-4538
Red Hat Security Advisory Severity: Important

Systems running Virtuozzo 4 or the OpenVZ RHEL 5 kernel can now use
Ksplice to patch against the latest Parallels Virtuozzo Containers kernel
security update, CU-2.6.18-028stab066.7.

INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack RHEL 5 and CentOS 5 users
install these updates.  You can install these updates by running:

# uptrack-upgrade -y

DESCRIPTION

* CVE-2009-4537: Buffer underflow in r8169 driver.

The r8169 driver did not correctly handle certain large packets, which
could potentially be exploited to lead to remote arbitrary code
execution.


* CVE-2009-4536: Denial of service in e1000 driver.

The e1000 driver did not properly handle packets which span multiple
receive buffers, which could potentially be exploited by a remote
attacker to lead to memory corruption and denial of service.


* CVE-2009-4538: Denial of service in e1000e driver.

The e1000e driver did not properly handle packets which span multiple
receive buffers, which could potentially be exploited by a remote
attacker to lead to memory corruption and denial of service.


* CVE-2007-4567: Remote denial of service in IPv6

The Linux kernel did not properly validate the hop-by-hop IPv6
extended header, which allowed remote attackers to cause a denial of
service (kernel panic) via a crafted IPv6 packet.


* CVE-2009-3612: Information leak in the netlink subsystem.

The tcf_fill_node function in net/sched/cls_api.c in the netlink
subsystem does not initialize a certain tcm__pad2 structure member,
which might allow local users to obtain sensitive information from
kernel memory.  NOTE: this issue exists because of a typo in the fix
for CVE-2005-4881.


* CVE-2009-3726: NFSv4: Denial of Service in NFS client.

A programming error in the Linux NFSv4 client could allow a buggy or
malicious NFS server to cause a denial of service (kernel panic) in
the client.


* CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.

The ATI Rage 128 (aka r128) driver in the Linux kernel does not
properly verify Concurrent Command Engine (CCE) state initialization,
which allows local users to cause a denial of service or privilege
escalation.


* CVE-2009-3613: Remote denial of service in r8169 driver.

A programming error in the r8169 driver could result in the Linux
kernel leaking PCI device resources, leading to a denial of service
attack.


* ipv4: make ip_append_data() handle NULL routing table.

A check has been added to the IPv4 code to make sure that the routing
table data structure, rt, is not NULL, to help prevent future bugs in
functions that call ip_append_data() from being exploitable.


* CVE-2009-3286: Incorrect permissions check in NFSv4.

Linux's NFSv4 server implementation sometimes performs an unnecessary
permission check after creating a file. This check can fail, leaving
the file with the permission bits set to random values. This could
potentially be exploited by clients to gain inappropriate
access. (CVE-2009-3286, Important)


* CVE-2009-3228: Information leak in the networking subsystem.

Padding data in a core network structure was not initialized properly
before being sent to user-space.  These flaws could lead to
information leaks.


* CVE-2009-4272: Remote DoS vulnerabilities in routing hash table.

The Parallels Virtuozzo Containers team reported that the
RHSA-2009:1243 update introduced two flaws in the routing
implementation.  If an attacker was able to cause a large enough
number of collisions in the routing hash table (via specially-crafted
packets) for the emergency route flush to trigger, a deadlock could
occur.  Secondly, if the kernel routing cache was disabled, an
uninitialized pointer would be left behind after a route lookup,
leading to a kernel panic. (CVE-2009-4272, Important).

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.