[El-errata] ELSA-2010-2011 Important: Oracle Linux 5 unbreakable enterprise kernel security and bug fix update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Wed Dec 15 10:33:43 PST 2010
Oracle Linux Security Advisory ELSA-2010-2011
The following updated rpms for Oracle Linux 5 have been uploaded to the
Unbreakable Linux Network:
x86_64:
kernel-2.6.32-100.24.1.el5.x86_64.rpm
kernel-firmware-2.6.32-100.24.1.el5.x86_64.rpm
kernel-debug-2.6.32-100.24.1.el5.x86_64.rpm
kernel-debug-devel-2.6.32-100.24.1.el5.x86_64.rpm
kernel-devel-2.6.32-100.24.1.el5.x86_64.rpm
kernel-doc-2.6.32-100.24.1.el5.noarch.rpm
kernel-headers-2.6.32-100.24.1.el5.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol5/SRPMS-updates/kernel-2.6.32-100.24.1.el5.src.rpm
The following packages were rebuilt to be in sync with the updated
kernel version (no changes other than updating the version number):
x86_64:
ofa-2.6.32-100.24.1.el5-1.5.1-4.0.23.x86_64.rpm
ofa-2.6.32-100.24.1.el5debug-1.5.1-4.0.23.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol5/SRPMS-updates/ofa-2.6.32-100.24.1.el5-1.5.1-4.0.23.src.rpm
Description of changes:
The following security fixes are included in this unbreakable enterprise
kernel errata:
CVE-2010-3432 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3432>
The sctp_packet_config function in net/sctp/output.c in the Linux kernel
before 2.6.35.6 performs extraneous initializations of packet data
structures, which allows remote attackers to cause a denial of service
(panic) via a certain sequence of SCTP traffic.
CVE-2010-2962 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2962>
drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM)
in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem
in the Linux kernel before 2.6.36 does not properly validate pointers to
blocks of memory, which allows local users to write to arbitrary kernel
memory locations, and consequently gain privileges, via crafted use of
the ioctl interface, related to (1) pwrite and (2) pread operations.
CVE-2010-2955 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2955>
The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the
Linux kernel before 2.6.36-rc3-next-20100831 does not properly
initialize certain structure members, which allows local users to
leverage an off-by-one error in the ioctl_standard_iw_point function in
net/wireless/wext-core.c, and obtain potentially sensitive information
from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl
call that specifies a large buffer size.
CVE-2010-3705 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3705>
The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux
kernel before 2.6.36 does not properly validate the hmac_ids array of an
SCTP peer, which allows remote attackers to cause a denial of service
(memory corruption and panic) via a crafted value in the last element of
this array.
CVE-2010-3084 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3084>
Buffer overflow in the niu_get_ethtool_tcam_all function in
drivers/net/niu.c in the Linux kernel before 2.6.36-rc4 allows local
users to cause a denial of service or possibly have unspecified other
impact via the ETHTOOL_GRXCLSRLALL ethtool command.
CVE-2010-3437 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3437>
Integer signedness error in the pkt_find_dev_from_minor function in
drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows
local users to obtain sensitive information from kernel memory or cause
a denial of service (invalid pointer dereference and system crash) via a
crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.
CVE-2010-3079 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3079>
kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs
is enabled, does not properly handle interaction between mutex
possession and llseek operations, which allows local users to cause a
denial of service (NULL pointer dereference and outage of all function
tracing files) via an lseek call on a file descriptor associated with
the set_ftrace_filter file.
CVE-2010-3698 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3698>
The KVM implementation in the Linux kernel before 2.6.36 does not
properly reload the FS and GS segment registers, which allows host OS
users to cause a denial of service (host OS crash) via a KVM_RUN ioctl
call in conjunction with a modified Local Descriptor Table (LDT).
CVE-2010-3442 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3442>
Multiple integer overflows in the snd_ctl_new function in
sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929
allow local users to cause a denial of service (heap memory corruption)
or possibly have unspecified other impact via a crafted (1)
SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.
[2.6.32-100.24.1.el5]
- [sctp] Do not reset the packet during sctp_packet_con [CVE-2010-3432]
- [drm/i915] Sanity check pread/pwrite [CVE-2010-2962]
- [wireless] fix kernel heap content leak [CVE-2010-2955]
- [sctp] Fix out-of-bounds reading in sctp_asoc_get_hmac() [CVE-2010-3705]
- [niu] Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL [CVE-2010-3084]
- Fix pktcdvd ioctl dev_minor range check [CVE-2010-3437]
- Do not allow llseek to set_ftrace_filter [CVE-2010-3079]
- [kvm] Fix fs/gs reload oops with invalid ldt [CVE-2010-3698]
- [alsa] prevent heap corruption in snd_ctl_new() [CVE-2010-3442]
- Fix LACP bonding mode (Tina Yang)
- Fix grat arps on bonded interfaces (Tina Yang)
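
The changelog entry "Fix pktcdvd ioctl dev_minor range check" closes the integer signedness class described under CVE-2010-3437. The user-space C model below is an added illustration of that class and its fix, not code from this advisory or from the kernel; the table size and every name in it are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_SLOTS 8                 /* constructed table size for this model */

struct dev { int id; };
static struct dev devs[MAX_SLOTS];
static struct dev *table[MAX_SLOTS];

void init_table(void)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        devs[i].id = i;
        table[i] = &devs[i];
    }
}

/* Flawed pattern: signed index with an upper-bound test only.
 * Returns 1 when the check would let idx through to the array access. */
int signed_check_accepts(int idx)
{
    return !(idx >= MAX_SLOTS);     /* -1 is "less than 8", so it passes */
}

/* Hardened pattern: the same test on an unsigned parameter. A negative
 * caller value converts to a very large number and is rejected. */
int unsigned_check_accepts(unsigned int idx)
{
    return !(idx >= MAX_SLOTS);
}

/* Lookup built on the hardened check; NULL for anything out of range. */
struct dev *find_dev(unsigned int idx)
{
    if (idx >= MAX_SLOTS)
        return NULL;
    return table[idx];
}

int main(void)
{
    int samples[] = { 0, 7, 8, -1, -4096 };   /* constructed inputs */
    init_table();
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%6d  signed check: %d  unsigned check: %d  lookup: %s\n",
               samples[i], signed_check_accepts(samples[i]),
               unsigned_check_accepts((unsigned int)samples[i]),
               find_dev((unsigned int)samples[i]) ? "ok" : "NULL");
    return 0;
}
```

The model never performs the out-of-range access itself; it only reports which inputs each form of the check would admit.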