[Ksplice][RHEL 5 Updates] New updates available via Ksplice (RHSA-2011-1386)
Tim Abbott
tim.abbott at oracle.com
Tue Oct 25 18:39:37 PDT 2011
Synopsis: RHSA-2011-1386 can now be patched using Ksplice
CVEs: CVE-2009-4067 CVE-2011-1160 CVE-2011-1585 CVE-2011-1833
CVE-2011-2484 CVE-2011-2496 CVE-2011-2695 CVE-2011-2699 CVE-2011-2723
CVE-2011-2942 CVE-2011-3188 CVE-2011-3191 CVE-2011-3209
Red Hat Security Advisory Severity: Important
Systems running Red Hat Enterprise Linux 5, CentOS 5, Scientific Linux
5, and CentOSPlus 5 can now use Ksplice to patch against the latest
Red Hat Security Advisory, RHSA-2011-1386.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on RHEL 5, CentOS 5,
Scientific Linux 5, and CentOSPlus 5 install these updates. You can
install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
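The two cases above (autoinstall set, or a manual run of uptrack-upgrade) can be checked from a script. The following is an added example, not part of this announcement or of the Uptrack tool: it reads the "autoinstall" setting from uptrack.conf and reports which action an operator still owes. The sample config files it writes are constructed for the demo and only assume the "autoinstall = yes" line quoted above; the real file lives at /etc/uptrack/uptrack.conf.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement or the Uptrack tool:
# decide whether a host still needs a manual "uptrack-upgrade -y" by reading
# the "autoinstall" setting in uptrack.conf that the announcement mentions.
# The config path is a parameter so the logic can be checked against
# constructed sample files; the real file is /etc/uptrack/uptrack.conf.

# Return 0 if the config enables autoinstall, 1 otherwise.
# Commented-out lines are ignored; "autoinstall = yes" may carry
# surrounding whitespace, mixed case, or a trailing "# comment".
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*(#.*)?$' "$conf"
}

# Print the operator action; return 0 when nothing manual is needed,
# 1 when uptrack-upgrade must be run by hand.
uptrack_required_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates will be installed automatically"
        return 0
    fi
    echo "manual step required: /usr/sbin/uptrack-upgrade -y"
    return 1
}

# Write a constructed sample config (assumed layout, not copied from a
# real system) and print its path. Each argument becomes one line.
write_sample_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# Demo against two constructed configs; a real check would pass no argument
# so that the default /etc/uptrack/uptrack.conf is read.
demo() {
    yes_conf=$(write_sample_conf '[Uptrack]' 'autoinstall = yes')
    no_conf=$(write_sample_conf '[Uptrack]' '# autoinstall = yes' 'autoinstall = no')
    uptrack_required_action "$yes_conf" || true
    uptrack_required_action "$no_conf" || true
    rm -f "$yes_conf" "$no_conf"
}

demo
```

The check deliberately skips commented-out lines, so a config that only carries "# autoinstall = yes" is reported as needing the manual run; an unreadable or missing config is treated the same way, since the safe assumption is that updates are not being applied automatically.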
DESCRIPTION
* CVE-2011-1160: Information leak in tpm driver.
A buffer was not initialized before being returned to userspace,
leading to a leak of potentially sensitive kernel memory.
* CVE-2011-1585: Authentication bypass in CIFS.
Jeff Layton reported an issue in the Common Internet File System (CIFS).
Local users can bypass authentication requirements for shares that are
already mounted by another user.
* CVE-2011-2484: Denial of service in taskstats subsystem.
The add_del_listener function in kernel/taskstats.c in the Linux kernel
did not prevent multiple registrations of exit handlers, which allowed
local users to cause a denial of service (memory and CPU consumption),
and bypass the OOM Killer, via a crafted application.
* CVE-2011-2496: Local denial of service in mremap().
Robert Swiecki discovered that mremap() could be abused for local denial of
service by triggering a BUG_ON assert.
* CVE-2009-4067: Buffer overflow in Auerswald usb driver.
A buffer overflow flaw was found in the Linux kernel's Auerswald
PBX/System Telephone usb driver implementation.
* CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Multiple off-by-one errors in the ext4 subsystem in the Linux kernel
before 3.0-rc5 allow local users to cause a denial of service (BUG_ON
and system crash) by accessing a sparse file in extent format with a
write operation involving a block number corresponding to the largest
possible 32-bit unsigned integer.
* CVE-2011-2699: Predictable IPv6 fragment identification numbers.
IPv6 fragment identification numbers were drawn from a single global
counter, which made them highly predictable and left the stack open to a
denial of service attack.
* CVE-2011-2723: Remote denial of service vulnerability in gro.
The skb_gro_header_slow function in the Linux kernel had a bug which
allowed a remote attacker to put certain gro fields in an inconsistent
state, resulting in a denial of service.
* CVE-2011-2942: Regression in bridged ethernet devices.
RHSA-2011:1065 introduced a regression in the Ethernet bridge
implementation. If a system had an interface in a bridge, and an
attacker on the local network could send packets to that interface,
they could cause a denial of service on that system. Xen hypervisor
and KVM (Kernel-based Virtual Machine) hosts often deploy bridge
interfaces. (CVE-2011-2942, Moderate)
* CVE-2011-1833: Information disclosure in eCryptfs.
Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs
incorrectly validated permissions on the requested source directory. A
local attacker could use this flaw to mount an arbitrary directory,
possibly leading to information disclosure.
* CVE-2011-3191: Memory corruption in CIFSFindNext.
Darren Lavender reported an issue in the Common Internet File System
(CIFS). A malicious file server could cause memory corruption leading
to a denial of service.
* CVE-2011-3209: Denial of Service in clock implementation.
A flaw in the kernel's clock implementation could allow a local,
unprivileged user to cause a denial of service. (CVE-2011-3209,
Moderate)
* CVE-2011-3188: Weak TCP sequence number generation.
Dan Kaminsky reported a weakness of the sequence number generation in
the TCP protocol implementation. This can be used by remote attackers
to inject packets into an active session.
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.