From tabbott at ksplice.com Fri Mar 18 10:42:45 2011
From: tabbott at ksplice.com (Tim Abbott)
Date: Fri, 18 Mar 2011 13:42:45 -0400 (EDT)
Subject: [Ksplice][VZ4.6-Updates] New updates available via Ksplice (CU-2.6.18-028stab085.2)
Message-ID:

Synopsis: CU-2.6.18-028stab085.2 can now be patched using Ksplice

CVEs: CVE-2010-3296 CVE-2010-3432 CVE-2010-3442 CVE-2010-3699 CVE-2010-3858
CVE-2010-3859 CVE-2010-3865 CVE-2010-3876 CVE-2010-3877 CVE-2010-3880
CVE-2010-4072 CVE-2010-4073 CVE-2010-4077 CVE-2010-4080 CVE-2010-4081
CVE-2010-4083 CVE-2010-4157 CVE-2010-4158 CVE-2010-4161 CVE-2010-4238
CVE-2010-4242 CVE-2010-4243 CVE-2010-4249 CVE-2010-4258 CVE-2010-4526
CVE-2010-4655

Red Hat Security Advisory Severity: Important

Systems running Virtuozzo 4.6 can now use Ksplice to patch against the
latest Parallels Virtuozzo Containers 4.6 kernel security update,
CU-2.6.18-028stab085.2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 4.6 install
these updates.

You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.

DESCRIPTION

* CVE-2010-3432: Remote denial of service vulnerability in SCTP.

The sctp_outq_flush() function can call sctp_packet_reset() on a packet
structure that has already been filled with chunks. This resets the packet
length but does not remove the chunks from the list; the SCTP code then
re-initializes the packet, which because of the incorrect length could
overflow the skb, resulting in a kernel panic.

* CVE-2010-3442: Heap corruption vulnerability in ALSA core.

The snd_ctl_new() function allocates space for a snd_kcontrol struct by
performing arithmetic operations on a user-provided size without checking
for integer overflow.
This allows an unprivileged user to write an arbitrary value repeatedly
past the bounds of this chunk, resulting in heap corruption.

* CVE-2010-3865: Integer overflow in RDS rdma page counting.

An integer overflow flaw was found in the Linux kernel's Reliable Datagram
Sockets (RDS) protocol implementation. A local, unprivileged user could use
this flaw to cause a denial of service or escalate their privileges.

* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt function doesn't initialize all members of a
sockaddr struct before copying it to userland, which allows unprivileged
users to read uninitialized stack memory.

* CVE-2010-4083: Kernel information leak in semctl syscall.

The semctl system call allows unprivileged users to read uninitialized
kernel stack memory, because various fields of a semid_ds struct declared
on the stack are not altered or zeroed before being copied back to the
user.

* CVE-2010-3699: Denial of service vulnerability in Xen block I/O driver.

A flaw was found in the Xenbus code for the unified block-device I/O
interface back end. A privileged guest user could use this flaw to cause a
denial of service on the host system running the Xen hypervisor.
(CVE-2010-3699, Moderate)

* CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.

A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver
in the Linux kernel. A local, unprivileged user could use this flaw to
cause a denial of service. (CVE-2010-4242, Moderate)

* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

An integer overflow in ioc_general() may cause the computation of an
incorrect buffer size, leading to memory corruption.

* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET-DIAG subsystem is inconsistent about how it looks up the bytecode
contained in a netlink message, making it possible for a user to cause the
kernel to execute unaudited INET-DIAG bytecode.
This can be abused to make the kernel enter an infinite loop, and possibly
other consequences.

* CVE-2010-3858: Denial of service vulnerability with large argument lists.

Missing sanity checks were found in setup_arg_pages() in the Linux kernel.
When making the size of the argument and environment area on the stack
very large, it could trigger a BUG_ON(), resulting in a local denial of
service. (CVE-2010-3858, Moderate)

* Mitigate denial of service attacks with large argument lists.

This update improves interactivity and makes SIGKILL more effective at
responding to issues where an attacker could make a system unresponsive
through various attacks involving processes with very large argument
lists.

* CVE-2010-4161: Deadlock in socket queue subsystem.

The fix for Red Hat Bugzilla bug 484590 as provided in RHSA-2009:1243
introduced a deadlock in the socket queue subsystem. A local, unprivileged
user could use this flaw to cause a denial of service. (CVE-2010-4161,
Moderate)

* CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.

A heap overflow flaw in the Linux kernel's Transparent Inter-Process
Communication protocol (TIPC) implementation could allow a local,
unprivileged user to escalate their privileges. (CVE-2010-3859, Important)

* CVE-2010-3296: Kernel information leak in cxgb driver.

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4
bytes of uninitialized stack memory, because the "addr" member of the
ch_reg struct declared on the stack in cxgb_extension_ioctl() is not
altered or zeroed before being copied back to the user.

* CVE-2010-3877: Kernel information leak in tipc driver.

The get_name function in net/tipc/socket.c did not properly initialize a
certain structure, which allows local users to obtain potentially
sensitive information from kernel stack memory by reading a copy of this
structure.

* CVE-2010-4072: Kernel information leak in ipc shm subsystem.
Several functions in the System V IPC shared memory subsystem did not
properly clear fields before copying data to user space, leaking data from
uninitialized kernel stack memory to user space.

* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

Several functions in the System V IPC 32-bit compatibility subsystem did
not properly clear fields before copying data to user space, leaking data
from uninitialized kernel stack memory to user space.

* Integer overflow in sys_remap_file_pages.

The remap_file_pages() system call in fremap.c has an integer overflow bug
that is exploitable for denial of service and potentially other
consequences.

* CVE-2010-4258: Failure to revert address limit override after oops.

If a kernel oops occurred with a kernel address limit override in place,
the kernel did not properly reset the address limit before writing to a
user-controlled address, potentially allowing a local user to escalate a
denial-of-service attack into privilege escalation.

* CVE-2010-4077: Kernel information leak in nozomi driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack is not altered or
zeroed before being copied back to the user.

* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.

The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO
ioctls in hdspm.c and hdsp.c allow unprivileged users to read
uninitialized kernel stack memory, because several fields of the
hdsp{m}_config_info structs declared on the stack are not altered or
zeroed before being copied back to the user.

* CVE-2010-4238: Xen host crash with CDROM drives and Xen blkback driver.

A missing sanity check was found in vbd_create() in the Xen hypervisor
implementation.
As CD-ROM drives are not supported by the blkback back-end driver,
attempting to use a virtual CD-ROM drive with blkback could trigger a
denial of service (crash) on the host system running the Xen hypervisor.
(CVE-2010-4238, Moderate)

* CVE-2010-4243: Denial of service due to wrong execve memory accounting.

A flaw was found in the Linux kernel execve() system call implementation.
A local, unprivileged user could cause large amounts of memory to be
allocated but not visible to the OOM (Out of Memory) killer, triggering a
denial of service. (CVE-2010-4243, Moderate)

* CVE-2010-4158: Kernel information leak in socket filters.

The sk_run_filter function in the kernel's socket filter implementation
did not properly clear an array on the kernel stack, resulting in
uninitialized kernel stack memory being copied to user space.

* CVE-2010-4526: Remote denial of service vulnerability in SCTP.

A flaw was found in the sctp_icmp_proto_unreachable() function in the
Linux kernel's Stream Control Transmission Protocol (SCTP) implementation.
A remote attacker could use this flaw to cause a denial of service.
(CVE-2010-4526, Important)

* CVE-2010-4655: Information leak in ethtool_get_regs.

A missing initialization flaw was found in the ethtool_get_regs() function
in the Linux kernel's ethtool IOCTL handler. A local user who has the
CAP_NET_ADMIN capability could use this flaw to cause an information leak.
(CVE-2010-4655, Low)

* CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.

A flaw was found in the Linux kernel's garbage collector for AF_UNIX
sockets. A local, unprivileged user could use this flaw to trigger a
denial of service (out-of-memory condition). (CVE-2010-4249, Moderate)

* Panic in kfree() due to race condition in acpi_bus_receive_event.

The acpi_bus_receive_event() function left the acpi_bus_event_list
unlocked between checking it was empty and extracting its first element
to pass to kfree().
* Fix connection timeouts due to shrinking tcp window with window scaling.

A problem with the IPV4 tcp window scaling code would, under certain
circumstances, incorrectly shrink the TCP window in a way that could
result in a constant flood of duplicate ACKs until the connection times
out.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.

From nelhage at ksplice.com Wed Mar 23 14:42:09 2011
From: nelhage at ksplice.com (Nelson Elhage)
Date: Wed, 23 Mar 2011 17:42:09 -0400
Subject: [Ksplice][VZ4.6-Updates] New updates available via Ksplice (CU-2.6.18-028stab085.3)
Message-ID: <20110323214209.GY27173@ksplice.com>

Synopsis: CU-2.6.18-028stab085.3 can now be patched using Ksplice

Systems running Virtuozzo 4 or the OpenVZ RHEL 5 kernel can now use
Ksplice to patch against the latest Parallels Virtuozzo Containers kernel
update, CU-2.6.18-028stab085.3.

Please note that this update only affects systems running kernel version
2.6.18-028stab085.2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 4.6 install
these updates.

You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.

DESCRIPTION

* Kernel oops when running nfsd.

A missing check in atime handling could result in a kernel oops when
running an in-kernel NFS server.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
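Two bug classes recur throughout the first advisory above: a struct declared on the kernel stack whose padding or "reserved" members are never zeroed before it is copied back to the user (CVE-2010-3296, CVE-2010-3876, CVE-2010-4077, CVE-2010-4080/4081, CVE-2010-4083), and an allocation size computed from user-controlled values without an overflow check (CVE-2010-3442, CVE-2010-4157). The following user-space C program is an added illustration of both patterns and their fixes; it is not Ksplice's code nor code from the affected kernel. The struct `reg_info`, the `copy_to_user_stub()` stand-in for the kernel's copy_to_user(), and the handler names are all hypothetical and exist only for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ioctl reply, modelled on the advisory's pattern of a stack
 * struct with a "reserved" member. uint16_t flags is followed by compiler
 * padding before value, so two byte ranges are never named by any field. */
struct reg_info {
    uint32_t addr;
    uint16_t flags;
    uint32_t value;
    uint32_t reserved[4];
};

/* In the kernel this would be copy_to_user(); for a user-space demo a plain
 * memcpy shows the same thing: every byte of the struct reaches the caller. */
static int copy_to_user_stub(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable pattern: only the fields the driver cares about are assigned.
 * Padding and reserved[] still hold whatever the stack contained before,
 * and all of it is copied out. Result is nondeterministic by construction. */
int get_reg_info_leaky(uint32_t addr, struct reg_info *user_out)
{
    struct reg_info info;
    info.addr = addr;
    info.flags = 1;
    info.value = addr ^ 0xA5A5A5A5u;
    return copy_to_user_stub(user_out, &info, sizeof info);
}

/* Hardened pattern: zero the whole object first. memset covers padding as
 * well as named members, which a field-by-field initialiser would not. */
int get_reg_info_fixed(uint32_t addr, struct reg_info *user_out)
{
    struct reg_info info;
    memset(&info, 0, sizeof info);
    info.addr = addr;
    info.flags = 1;
    info.value = addr ^ 0xA5A5A5A5u;
    return copy_to_user_stub(user_out, &info, sizeof info);
}

/* Audit helper: 1 if every byte the handler did not deliberately set
 * (the padding after flags and the reserved[] array) is zero. */
int reserved_bytes_are_zero(const struct reg_info *info)
{
    const unsigned char *p = (const unsigned char *)info;
    size_t i;
    for (i = offsetof(struct reg_info, flags) + sizeof info->flags;
         i < offsetof(struct reg_info, value); i++)
        if (p[i])
            return 0;
    for (i = 0; i < sizeof info->reserved / sizeof info->reserved[0]; i++)
        if (info->reserved[i])
            return 0;
    return 1;
}

/* Unchecked size computation, the class described for snd_ctl_new() and
 * ioc_general(): a large user-supplied count wraps and yields a small
 * allocation that later writes run past. */
size_t unchecked_alloc_size(size_t header, size_t count, size_t elem_size)
{
    return header + count * elem_size;
}

/* Hardened version: refuse the request instead of wrapping. Returns 0 and
 * stores the size on success, -1 if either step would overflow size_t. */
int checked_alloc_size(size_t header, size_t count, size_t elem_size,
                       size_t *out)
{
    size_t body, total;
    if (__builtin_mul_overflow(count, elem_size, &body))
        return -1;
    if (__builtin_add_overflow(header, body, &total))
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    struct reg_info out;
    size_t n;

    memset(&out, 0xff, sizeof out);          /* poison the caller's buffer */
    get_reg_info_fixed(7, &out);
    printf("fixed handler leaves reserved bytes zero: %d\n",
           reserved_bytes_are_zero(&out));

    /* count = SIZE_MAX/2 + 1 makes count * 4 wrap to 0, so the unchecked
     * size collapses to just the header. */
    printf("unchecked size: %zu\n",
           unchecked_alloc_size(16, SIZE_MAX / 2 + 1, 4));
    printf("checked size rejected: %d\n",
           checked_alloc_size(16, SIZE_MAX / 2 + 1, 4, &n) == -1);
    return 0;
}
```

The leaky handler is kept only to show why `reserved_bytes_are_zero()` is a useful review check: run it against what a handler copies out and any non-zero padding or reserved byte is a leak candidate. The `__builtin_mul_overflow` family is a GCC/Clang extension; the kernel's own helpers for the same purpose are its overflow-checking size macros, and the point is the same in either case: fail the request rather than trust wrapped arithmetic.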