[Oraclevm-errata] OVMSA-2009-0014 Important: Oracle VM 2.1 kernel security fix update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Mon Jul 6 10:41:39 PDT 2009
Oracle VM Security Advisory OVMSA-2009-0014
The following updated rpms for Oracle VM 2.1 have been uploaded to the
Unbreakable Linux Network:
i386:
kernel-BOOT-devel-2.6.18-8.1.15.4.1.el5.i686.rpm
kernel-BOOT-2.6.18-8.1.15.4.1.el5.i686.rpm
kernel-kdump-2.6.18-8.1.15.4.1.el5.i686.rpm
kernel-kdump-devel-2.6.18-8.1.15.4.1.el5.i686.rpm
kernel-ovs-2.6.18-8.1.15.4.1.el5.i686.rpm
kernel-ovs-devel-2.6.18-8.1.15.4.1.el5.i686.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/SRPMS-updates/kernel-2.6.18-8.1.15.4.1.el5.src.rpm
Description of changes:
The following security fixes are released in this errata:
CVE-2009-1192 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1192>
The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions
in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel
before 2.6.30-rc3 do not zero out pages that may later be available to a
user-space process, which allows local users to obtain sensitive
information by reading these pages.
CVE-2009-1072 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1072>
nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD
capability before handling a user request in a thread, which allows
local users to create device nodes, as demonstrated on a filesystem that
has been exported with the root_squash option.
CVE-2009-1758 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1758>
The hypervisor_callback function in Xen, possibly before 3.4.0, as
applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other
versions allows guest user applications to cause a denial of service
(kernel oops) of the guest OS by triggering a segmentation fault in
"certain address ranges."
CVE-2009-1439 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439>
Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29
and earlier allows remote attackers to cause a denial of service (crash)
via a long nativeFileSystem field in a Tree Connect response to an SMB
mount request.
CVE-2009-1633 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1633>
Multiple buffer overflows in the cifs subsystem in the Linux kernel
before 2.6.29.4 allow remote CIFS servers to cause a denial of service
(memory corruption) and possibly have unspecified other impact via (1) a
malformed Unicode string, related to Unicode string area alignment in
fs/cifs/sess.c; or (2) long Unicode characters, related to
fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.
CVE-2009-1630 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1630>
The nfs_permission function in fs/nfs/dir.c in the NFS client
implementation in the Linux kernel 2.6.29.3 and earlier, when
atomic_open is available, does not check execute (aka EXEC or MAY_EXEC)
permission bits, which allows local users to bypass permissions and
execute files, as demonstrated by files on an NFSv4 fileserver.
[2.6.18-8.1.15.4.1.el5]
- [agp] zero pages before sending to userspace (Jiri Olsa) [497025 497026] {CVE-2009-1192}
- [misc] add some long-missing capabilities to CAP_FS_MASK (Eric Paris) [499075 497271 499076 497272] {CVE-2009-1072}
- [x86] xen: fix local denial of service (Chris Lalancette) [500950 500951] {CVE-2009-1758}
- [fs] cifs: unicode alignment and buffer sizing problems (Jeff Layton) [494279 494280] {CVE-2009-1439}
- [fs] cifs: buffer overruns when converting strings (Jeff Layton) [496576 496577] {CVE-2009-1633}
- [fs] cifs: fix error handling in parse_DFS_referrals (Jeff Layton) [496576 496577] {CVE-2009-1633}
- [fs] cifs: fix pointer and checks in cifs_follow_symlink (Jeff Layton) [496576 496577] {CVE-2009-1633}
- [nfs] v4: client handling of MAY_EXEC in nfs_permission (Peter Staubach) [500301 500302] {CVE-2009-1630}
- backport cifs support from OEL5U3
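A check for hosts that still carry a kernel build older than the fixed 2.6.18-8.1.15.4.1.el5 packages listed above. This is an added example, not part of the Oracle advisory. It assumes the packages carry no epoch, and the sample `rpm` output is constructed.

```python
import re

# Fixed version-release and package names, taken from the advisory text.
FIXED = "2.6.18-8.1.15.4.1.el5"
PACKAGES = {"kernel-BOOT", "kernel-BOOT-devel", "kernel-kdump",
            "kernel-kdump-devel", "kernel-ovs", "kernel-ovs-devel"}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
SAMPLE = """\
kernel-ovs 2.6.18-8.1.15.4.1.el5
kernel-ovs 2.6.18-8.1.15.3.1.el5
kernel-kdump 2.6.18-8.1.15.el5
bash 3.2-21.el5
"""

def rpmvercmp(a, b):
    """Segment-wise RPM comparison (no epoch, tilde or caret handling)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)            # 10 > 4, unlike a string compare
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a, b):
    """Compare two VERSION-RELEASE strings: version first, then release."""
    (av, ar), (bv, br) = a.split("-", 1), b.split("-", 1)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)

def unpatched(rpm_output):
    """Return (name, version-release) for advisory packages older than FIXED."""
    found = []
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in PACKAGES or "-" not in parts[1]:
            continue
        if compare_vr(parts[1], FIXED) < 0:
            found.append((parts[0], parts[1]))
    return found

if __name__ == "__main__":
    for name, vr in unpatched(SAMPLE):
        print(f"{name} {vr} is older than {FIXED}")
```

An installed fixed package does not protect the host until it is booted, so also compare the output of `uname -r` against the fixed release.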