[Ksplice][Virtuozzo 4 Updates] New updates available via Ksplice (OpenVZ 2.6.18-238.5.1.el5.028stab085.2)

Tim Abbott tabbott at ksplice.com
Fri Mar 18 10:45:04 PDT 2011


Synopsis: OpenVZ 2.6.18-238.5.1.el5.028stab085.2 can now be patched using Ksplice
CVEs: CVE-2010-3296 CVE-2010-3432 CVE-2010-3442 CVE-2010-3699 CVE-2010-3858 CVE-2010-3859 CVE-2010-3865 CVE-2010-3876 CVE-2010-3877 CVE-2010-3880 CVE-2010-4072 CVE-2010-4073 CVE-2010-4077 CVE-2010-4080 CVE-2010-4081 CVE-2010-4083 CVE-2010-4157 CVE-2010-4158 CVE-2010-4161 CVE-2010-4238 CVE-2010-4242 CVE-2010-4243 CVE-2010-4249 CVE-2010-4258 CVE-2010-4526 CVE-2010-4655
Red Hat Security Advisory Severity: Important

Systems running the OpenVZ RHEL 5 kernel can now use Ksplice to patch 
against the latest Parallels Virtuozzo Containers 4.6 kernel update, 
CU-2.6.18-028stab085.2.

This update is not yet available for systems running Parallels Virtuozzo 
Containers 4.0, since Parallels has not yet released a version of this 
kernel for that product.


INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 4.6 install 
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to take 
any additional action.


DESCRIPTION

* CVE-2010-3432: Remote denial of service vulnerability in SCTP.

The sctp_outq_flush() function can call sctp_packet_reset() on a packet 
structure that has already been filled with chunks.  This resets the 
packet length but does not remove the chunks from the list; the SCTP code 
then re-initializes the packet, which because of the incorrect length 
could overflow the skb, resulting in a kernel panic.
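The length/contents mismatch described above, modelled in user-space C as an added example (this is not kernel code and not Ksplice's code): a packet keeps a queue of chunks plus a cached total length, the flawed reset clears only the length, and the next fill trusts that length when deciding whether another chunk fits. The struct and function names (packet, packet_reset_len_only, flush_after_reset) and the 256-byte buffer size are assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKB_CAPACITY 256u   /* constructed: bytes available in the outgoing buffer */
#define MAX_CHUNKS   8

/* Hypothetical model of an outgoing packet: a list of queued chunks plus a
 * cached total length that the transmit path uses to decide whether another
 * chunk still fits. Names are not the kernel's. */
struct chunk { uint32_t len; };

struct packet {
    struct chunk chunks[MAX_CHUNKS];
    unsigned nchunks;
    uint32_t size;      /* cached: sum of queued chunk lengths */
};

/* Models the flawed reset: the length is zeroed but the chunk list survives. */
static void packet_reset_len_only(struct packet *p) { p->size = 0; }

/* Corrected reset: drop the queued chunks together with the cached length. */
static void packet_reset_full(struct packet *p) { p->nchunks = 0; p->size = 0; }

/* Append a chunk if the cached size says it still fits in the buffer. */
static int packet_append(struct packet *p, uint32_t len)
{
    if (p->nchunks >= MAX_CHUNKS || p->size + len > SKB_CAPACITY)
        return -1;            /* chunk does not fit */
    p->chunks[p->nchunks++].len = len;
    p->size += len;
    return 0;
}

/* Transmit: the number of bytes the queued chunks really occupy when written
 * into an SKB_CAPACITY-byte buffer. A result above SKB_CAPACITY is the
 * overflow the advisory describes; the cached size does not see it. */
static uint32_t packet_transmit_bytes(const struct packet *p)
{
    uint32_t total = 0;
    for (unsigned i = 0; i < p->nchunks; i++)
        total += p->chunks[i].len;
    return total;
}

/* Scenario: fill the packet, reset it one way or the other, fill it again.
 * Returns the number of bytes the final transmit would need. */
static uint32_t flush_after_reset(int full_reset)
{
    struct packet p;
    memset(&p, 0, sizeof p);
    packet_append(&p, 200);
    if (full_reset)
        packet_reset_full(&p);
    else
        packet_reset_len_only(&p);
    packet_append(&p, 200);   /* accepted either way: cached size says 200 <= 256 */
    return packet_transmit_bytes(&p);
}

int main(void)
{
    printf("len-only reset: transmit needs %u bytes (capacity %u)\n",
           flush_after_reset(0), SKB_CAPACITY);
    printf("full reset:     transmit needs %u bytes (capacity %u)\n",
           flush_after_reset(1), SKB_CAPACITY);
    return 0;
}
```

The defender's takeaway is the invariant: any cached length must be reset together with the data it summarizes, and a transmit path that sizes its buffer from the cache should recompute from the list before writing.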


* CVE-2010-3442: Heap corruption vulnerability in ALSA core.

The snd_ctl_new() function allocates space for a snd_kcontrol struct by 
performing arithmetic operations on a user-provided size without checking 
for integer overflow.  This allows an unprivileged user to write an 
arbitrary value repeatedly past the bounds of this chunk, resulting in 
heap corruption.


* CVE-2010-3865: Integer overflow in RDS rdma page counting.

An integer overflow flaw was found in the Linux kernel's Reliable Datagram 
Sockets (RDS) protocol implementation.  A local, unprivileged user could 
use this flaw to cause a denial of service or escalate their privileges.


* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt function doesn't initialize all members of a 
sockaddr struct before copying it to userland, which allows unprivileged 
users to read uninitialized stack memory.


* CVE-2010-4083: Kernel information leak in semctl syscall.

The semctl system call allows unprivileged users to read uninitialized 
kernel stack memory, because various fields of a semid_ds struct declared 
on the stack are not altered or zeroed before being copied back to the 
user.


* CVE-2010-3699: Denial of service vulnerability in Xen block I/O driver.

A flaw was found in the Xenbus code for the unified block-device I/O 
interface back end.  A privileged guest user could use this flaw to cause 
a denial of service on the host system running the Xen hypervisor.  
(CVE-2010-3699, Moderate)


* CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.

A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver 
in the Linux kernel.  A local, unprivileged user could use this flaw to 
cause a denial of service.  (CVE-2010-4242, Moderate)


* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

An integer overflow in ioc_general() may cause the computation of an 
incorrect buffer size, leading to memory corruption.


* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET-DIAG subsystem is inconsistent about how it looks up the bytecode 
contained in a netlink message, making it possible for a user to cause the 
kernel to execute unaudited INET-DIAG bytecode. This can be abused to make 
the kernel enter an infinite loop, and possibly other consequences.


* CVE-2010-3858: Denial of service vulnerability with large argument lists.

Missing sanity checks were found in setup_arg_pages() in the Linux kernel.  
When making the size of the argument and environment area on the stack 
very large, it could trigger a BUG_ON(), resulting in a local denial of 
service.  (CVE-2010-3858, Moderate)


* Mitigate denial of service attacks with large argument lists.

This update improves interactivity and makes SIGKILL more effective at 
responding to issues where an attacker could make a system unresponsive 
through various attacks involving processes with very large argument 
lists.


* CVE-2010-4161: Deadlock in socket queue subsystem.

The fix for Red Hat Bugzilla bug 484590 as provided in RHSA-2009:1243 
introduced a deadlock in the socket queue subsystem.  A local, 
unprivileged user could use this flaw to cause a denial of service. 
(CVE-2010-4161, Moderate)


* CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.

A heap overflow flaw in the Linux kernel's Transparent Inter-Process 
Communication protocol (TIPC) implementation could allow a local, 
unprivileged user to escalate their privileges.  (CVE-2010-3859, 
Important)


* CVE-2010-3296: Kernel information leak in cxgb driver.

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4 
bytes of uninitialized stack memory, because the "addr" member of the 
ch_reg struct declared on the stack in cxgb_extension_ioctl() is not 
altered or zeroed before being copied back to the user.


* CVE-2010-3877: Kernel information leak in tipc driver.

The get_name function in net/tipc/socket.c did not properly initialize a 
certain structure, which allows local users to obtain potentially 
sensitive information from kernel stack memory by reading a copy of this 
structure.


* CVE-2010-4072: Kernel information leak in ipc shm subsystem.

Several functions in the System V IPC shared memory subsystem did not 
properly clear fields before copying data to user space, leaking data from 
uninitialized kernel stack memory to user space.


* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

Several functions in the System V IPC 32-bit compatibility subsystem did 
not properly clear fields before copying data to user space, leaking data 
from uninitialized kernel stack memory to user space.


* Integer overflow in sys_remap_file_pages.

The remap_file_pages() system call in fremap.c has an integer overflow bug 
that is exploitable for denial of service and potentially other 
consequences.
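The size-arithmetic flaw behind this entry, CVE-2010-3442 (snd_ctl_new), CVE-2010-3865 (RDS page counting) and CVE-2010-4157 (ioc_general) follows one pattern: a header size plus a per-element size times a caller-supplied count, computed in fixed-width integers, wraps to a small number, and the buffer allocated from that number is then filled for the full count. The following added example (not kernel code, not Ksplice's code) does the arithmetic in 32 bits, as it would be with `unsigned int` on a 32-bit kernel, and places the bounds check before the multiply, which is where the fixes put it. HEADER_BYTES, ELEM_BYTES, alloc_size_checked and simulate_handler are constructed names and sizes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed layout: a fixed header followed by `count` per-element records,
 * like the control header plus per-control records the advisory describes.
 * The sizes are hypothetical. */
#define HEADER_BYTES 64u
#define ELEM_BYTES   16u

/* Size arithmetic in 32 bits. Returns the byte count the allocator would be
 * asked for; for large counts the multiply wraps and the result is tiny. */
static uint32_t alloc_size_unchecked(uint32_t count)
{
    return HEADER_BYTES + ELEM_BYTES * count;   /* may wrap */
}

/* Hardened: reject any count for which the multiply or the add would wrap,
 * before doing either. Returns 0 on rejection (0 is never a valid size here). */
static uint32_t alloc_size_checked(uint32_t count)
{
    if (count > (UINT32_MAX - HEADER_BYTES) / ELEM_BYTES)
        return 0;
    return HEADER_BYTES + ELEM_BYTES * count;
}

/* Models the consumer of the buffer: the fill loop writes `count` records
 * after the header, i.e. HEADER_BYTES + ELEM_BYTES*count bytes in full width.
 * Returns 1 if that exceeds what was allocated. */
static int would_overrun(uint32_t count, uint32_t allocated)
{
    uint64_t needed = (uint64_t)HEADER_BYTES + (uint64_t)ELEM_BYTES * count;
    return needed > allocated;
}

/* Simulated request handler. Returns 0 when the allocation is sized correctly,
 * -1 when the hardened check rejects the request, -2 on allocation failure,
 * and 1 when the fill loop would write past the end of the allocation. */
static int simulate_handler(uint32_t count, int hardened)
{
    uint32_t size = hardened ? alloc_size_checked(count)
                             : alloc_size_unchecked(count);
    if (size == 0)
        return -1;
    void *buf = malloc(size);
    if (!buf)
        return -2;
    int overrun = would_overrun(count, size);   /* no bytes are written here */
    free(buf);
    return overrun;
}

int main(void)
{
    uint32_t counts[] = { 10u, 268435451u, 268435452u, 0x10000000u };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t c = counts[i];
        printf("count=%u unchecked size=%u -> %d, checked -> %d\n",
               c, alloc_size_unchecked(c),
               simulate_handler(c, 0), simulate_handler(c, 1));
    }
    return 0;
}
```

Checking the count against `(MAX - header) / elem` rather than testing the product after the fact is the portable form of the fix; on compilers that provide `__builtin_mul_overflow`, that builtin expresses the same check without the division.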


* CVE-2010-4258: Failure to revert address limit override after oops.

If a kernel oops occurred with a kernel address limit override in place, 
the kernel did not properly reset the address limit before writing to a 
user-controlled address, potentially allowing a local user to escalate a 
denial-of-service attack into privilege escalation.


* CVE-2010-4077: Kernel information leak in nozomi driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read 
uninitialized stack memory, because the "reserved" member of the 
serial_icounter_struct struct declared on the stack is not altered or 
zeroed before being copied back to the user.


* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.

The SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO 
ioctls in hdspm.c and hdsp.c allow unprivileged users to read 
uninitialized kernel stack memory, because several fields of the 
hdsp{m}_config_info structs declared on the stack are not altered or 
zeroed before being copied back to the user.


* CVE-2010-4238: Xen host crash with CDROM drives and Xen blkback driver.

A missing sanity check was found in vbd_create() in the Xen hypervisor 
implementation.  As CD-ROM drives are not supported by the blkback 
back-end driver, attempting to use a virtual CD-ROM drive with blkback 
could trigger a denial of service (crash) on the host system running the 
Xen hypervisor.  (CVE-2010-4238, Moderate)


* CVE-2010-4243: Denial of service due to wrong execve memory accounting.

A flaw was found in the Linux kernel execve() system call implementation.  
A local, unprivileged user could cause large amounts of memory to be 
allocated but not visible to the OOM (Out of Memory) killer, triggering a 
denial of service. (CVE-2010-4243, Moderate)


* CVE-2010-4158: Kernel information leak in socket filters.

The sk_run_filter function in the kernel's socket filter implementation 
did not properly clear an array on the kernel stack, resulting in 
uninitialized kernel stack memory being copied to user space.


* CVE-2010-4526: Remote denial of service vulnerability in SCTP.

A flaw was found in the sctp_icmp_proto_unreachable() function in the 
Linux kernel's Stream Control Transmission Protocol (SCTP) implementation.  
A remote attacker could use this flaw to cause a denial of service.  
(CVE-2010-4526, Important)


* CVE-2010-4655: Information leak in ethtool_get_regs.

A missing initialization flaw was found in the ethtool_get_regs() function 
in the Linux kernel's ethtool IOCTL handler. A local user who has the 
CAP_NET_ADMIN capability could use this flaw to cause an information leak. 
(CVE-2010-4655, Low)
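This entry and the other stack information leaks in this update (CVE-2010-3876, CVE-2010-4083, CVE-2010-3296, CVE-2010-3877, CVE-2010-4072, CVE-2010-4073, CVE-2010-4077, CVE-2010-4080/4081, CVE-2010-4158) share one shape: a struct is declared on the kernel stack, only some of its members are written, and the whole object is copied to user space, so the untouched members and the compiler's padding bytes carry whatever the stack held before. The added example below (not kernel code, not Ksplice's code) reproduces that shape in user-space C, with a memset of a marker byte standing in for stale stack contents and memcpy standing in for copy_to_user. The struct icount_info, its "reserved" tail and the function names are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a struct an ioctl returns to user space, shaped
 * like the serial_icounter_struct / ch_reg cases in the advisory: a few
 * meaningful fields plus a "reserved" tail the handler never writes. */
struct icount_info {
    uint32_t rx;
    uint32_t tx;
    uint8_t  flag;          /* followed by 3 bytes of compiler padding */
    uint32_t reserved[4];   /* never written by the handler */
};

/* Stand-in for copy_to_user(): in this user-space demo it is a memcpy. */
static void copy_to_user_stub(void *user_buf, const void *kernel_obj, size_t n)
{
    memcpy(user_buf, kernel_obj, n);
}

/* Models what the kernel stack holds before the handler runs: whatever an
 * earlier call left behind. The 0xAA fill is constructed for the demo so the
 * result is deterministic; real stale data would be arbitrary. */
static void poison_stack_slot(struct icount_info *slot)
{
    memset(slot, 0xAA, sizeof *slot);
}

/* Leaky pattern: struct on the stack, some members set, whole object copied
 * out. The padding after `flag` and all of reserved[] reach the caller as-is. */
static void get_icount_leaky(void *user_buf, uint32_t rx, uint32_t tx)
{
    struct icount_info info;
    poison_stack_slot(&info);   /* stale contents from an earlier call */
    info.rx = rx;
    info.tx = tx;
    info.flag = 1;
    copy_to_user_stub(user_buf, &info, sizeof info);
}

/* Hardened pattern: memset the whole object before filling it. Unlike a
 * partial initializer such as "= {0}", memset also clears padding bytes. */
static void get_icount_fixed(void *user_buf, uint32_t rx, uint32_t tx)
{
    struct icount_info info;
    poison_stack_slot(&info);
    memset(&info, 0, sizeof info);
    info.rx = rx;
    info.tx = tx;
    info.flag = 1;
    copy_to_user_stub(user_buf, &info, sizeof info);
}

/* Count bytes of the user-visible copy, past the last written field, that
 * are non-zero: bytes that reached user space uninitialized. */
static size_t count_nonzero_tail(const unsigned char *p)
{
    size_t written_end = offsetof(struct icount_info, flag) + 1;
    size_t leaked = 0;
    for (size_t i = written_end; i < sizeof(struct icount_info); i++)
        if (p[i] != 0)
            leaked++;
    return leaked;
}

static size_t leaked_bytes_leaky(void)
{
    unsigned char user_buf[sizeof(struct icount_info)];
    get_icount_leaky(user_buf, 1, 2);
    return count_nonzero_tail(user_buf);
}

static size_t leaked_bytes_fixed(void)
{
    unsigned char user_buf[sizeof(struct icount_info)];
    get_icount_fixed(user_buf, 1, 2);
    return count_nonzero_tail(user_buf);
}

int main(void)
{
    printf("leaky handler exposes %zu of %zu bytes uninitialized\n",
           leaked_bytes_leaky(), sizeof(struct icount_info));
    printf("fixed handler exposes %zu bytes\n", leaked_bytes_fixed());
    return 0;
}
```

When reviewing ioctl or getname handlers, the check is mechanical: every object that reaches copy_to_user must be fully written or memset beforehand, and the copied length must not exceed the part that was initialized.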


* CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.

A flaw was found in the Linux kernel's garbage collector for AF_UNIX 
sockets. A local, unprivileged user could use this flaw to trigger a 
denial of service (out-of-memory condition).  (CVE-2010-4249, Moderate)


* Panic in kfree() due to race condition in acpi_bus_receive_event.

The acpi_bus_receive_event() function left the acpi_bus_event_list 
unlocked between checking it was empty and extracting its first element to 
pass to kfree().


* Fix connection timeouts due to shrinking tcp window with window scaling.

A problem with the IPV4 tcp window scaling code would, under certain 
circumstances, incorrectly shrink the TCP window in a way that could 
result in a constant flood of duplicate ACKs until the connection times 
out.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
