The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :

  - Apache Geronimo
  - Apache Tomcat
  - Apache Xerces2
  - cURL/libcURL
  - ISC BIND
  - Libxml2
  - Linux kernel
  - Linux kernel 64-bit
  - Linux kernel Common Internet File System
  - Linux kernel eCryptfs
  - NTP
  - Python
  - Java Runtime Environment (JRE)
  - Java SE Development Kit (JDK)
  - Java SE Abstract Window Toolkit (AWT)
  - Java SE Plugin
  - Java SE Provider
  - Java SE Swing
  - Java SE Web Start

The remote OracleVM system is missing necessary patches to address critical security updates :

CVE-2008-3528 The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries.

CVE-2008-5700 libata in the Linux kernel before 2.6.27.9 does not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.

CVE-2009-0028 The clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit. CVE-2009-0322 drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and 2.6.28.x before 2.6.28.2, allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/. CVE-2009-0675 The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an 'inverted logic' issue. CVE-2009-0676 The sock_getsockopt function in net/core/sock.c in the Linux kernel before 2.6.28.6 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.

  - CVE-2008-3528 - [fs] ext[234]: directory corruption DoS     (Eugene Teo) 

  - CVE-2008-5700 - [block] enforce a minimum SG_IO timeout     (Eugene Teo) 

  - CVE-2009-0322 - [firmware] dell_rbu: prevent oops (Don     Howard) 

  - CVE-2009-0028 - [misc] minor signal handling     vulnerability (Oleg Nesterov) [479963 479964]

  - CVE-2009-0676 - [net] memory disclosure in SO_BSDCOMPAT     gsopt (Eugene Teo) [486517 486518]

  - CVE-2009-0675 - [net] skfp_ioctl inverted logic flaw     (Eugene Teo) 

  - CVE-2009-0778 - not required

  - CVE-2009-0269 - not required

  - Enable enic

  - Finish porting infrastructure for fnic but disable it on     32bit

  - Add netconsole support for bonding in dom0 (Tina Yang)     [orabug 8231228]

  - Add Cisco fnic/enic support, requires fc infrastructure     from el5u3

From Red Hat Security Advisory 2009:0326 :

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* memory leaks were found on some error paths in the icmp_send() function in the Linux kernel. This could, potentially, cause the network connectivity to cease. (CVE-2009-0778, Important)

* Chris Evans reported a deficiency in the clone() system call when called with the CLONE_PARENT flag. This flaw permits the caller (the parent process) to indicate an arbitrary signal it wants to receive when its child process exits. This could lead to a denial of service of the parent process. (CVE-2009-0028, Moderate)

* an off-by-one underflow flaw was found in the eCryptfs subsystem.
This could potentially cause a local denial of service when the readlink() function returned an error. (CVE-2009-0269, Moderate)

* a deficiency was found in the Remote BIOS Update (RBU) driver for Dell systems. This could allow a local, unprivileged user to cause a denial of service by reading zero bytes from the image_type or packet_size files in '/sys/devices/platform/dell_rbu/'.
(CVE-2009-0322, Moderate)

* an inverted logic flaw was found in the SysKonnect FDDI PCI adapter driver, allowing driver statistics to be reset only when the CAP_NET_ADMIN capability was absent (local, unprivileged users could reset driver statistics). (CVE-2009-0675, Moderate)

* the sock_getsockopt() function in the Linux kernel did not properly initialize a data structure that can be directly returned to user-space when the getsockopt() function is called with SO_BSDCOMPAT optname set. This flaw could possibly lead to memory disclosure.
(CVE-2009-0676, Moderate)

* the ext2 and ext3 file system code failed to properly handle corrupted data structures, leading to a possible local denial of service when read or write operations were performed on a specially crafted file system. (CVE-2008-3528, Low)

* a deficiency was found in the libATA implementation. This could, potentially, lead to a local denial of service. Note: by default, the '/dev/sg*' devices are accessible only to the root user.
(CVE-2008-5700, Low)

Bug fixes :

* a bug in aic94xx may have caused kernel panics during boot on some systems with certain SATA disks. (BZ#485909)

* a word endianness problem in the qla2xx driver on PowerPC-based machines may have corrupted flash-based devices. (BZ#485908)

* a memory leak in pipe() may have caused a system deadlock. The workaround in Section 1.5, Known Issues, of the Red Hat Enterprise Linux 5.3 Release Notes Updates, which involved manually allocating extra file descriptors to processes calling do_pipe, is no longer necessary. (BZ#481576)

* CPU soft-lockups in the network rate estimator. (BZ#481746)

* bugs in the ixgbe driver caused it to function unreliably on some systems with 16 or more CPU cores. (BZ#483210)

* the iwl4965 driver may have caused a kernel panic. (BZ#483206)

* a bug caused NFS attributes to not update for some long-lived NFS mounted file systems. (BZ#483201)

* unmounting a GFS2 file system may have caused a panic. (BZ#485910)

* a bug in ptrace() may have caused a panic when single stepping a target. (BZ#487394)

* on some 64-bit systems, notsc was incorrectly set at boot, causing slow gettimeofday() calls. (BZ#488239)

* do_machine_check() cleared all Machine Check Exception (MCE) status registers, preventing the BIOS from using them to determine the cause of certain panics and errors. (BZ#490433)

* scaling problems caused performance problems for LAPI applications.
(BZ#489457)

* a panic may have occurred on systems using certain Intel WiFi Link 5000 products when booting with the RF Kill switch on. (BZ#489846)

* the TSC is invariant with C/P/T states, and always runs at constant frequency from now on. (BZ#489310)

All users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2008:0972 :

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* a flaw was found in the Linux kernel's Direct-IO implementation.
This could have allowed a local unprivileged user to cause a denial of service. (CVE-2007-6716, Important)

* when running ptrace in 31-bit mode on an IBM S/390 or IBM System z kernel, a local unprivileged user could cause a denial of service by reading from or writing into a padding area in the user_regs_struct32 structure. (CVE-2008-1514, Important)

* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could have allowed a local unprivileged user to obtain access to privileged information.
(CVE-2008-4210, Important)

* Tobias Klein reported a missing check in the Linux kernel's Open Sound System (OSS) implementation. This deficiency could have led to an information leak. (CVE-2008-3272, Moderate)

* a potential denial of service attack was discovered in the Linux kernel's PWC USB video driver. A local unprivileged user could have used this flaw to bring the kernel USB subsystem into the busy-waiting state. (CVE-2007-5093, Low)

* the ext2 and ext3 file systems code failed to properly handle corrupted data structures, leading to a possible local denial of service issue when read or write operations were performed.
(CVE-2008-3528, Low)

In addition, these updated packages fix the following bugs :

* when using the CIFS 'forcedirectio' option, appending to an open file on a CIFS share resulted in that file being overwritten with the data to be appended.

* a kernel panic occurred when a device with PCI ID 8086:10c8 was present on a system with a loaded ixgbe driver.

* due to an aacraid driver regression, the kernel failed to boot when trying to load the aacraid driver and printed the following error message: 'aac_srb: aac_fib_send failed with status: 8195'.

* due to an mpt driver regression, when RAID 1 was configured on Primergy systems with an LSI SCSI IME 53C1020/1030 controller, the kernel panicked during boot.

* the mpt driver produced a large number of extraneous debugging messages when performing a 'Host reset' operation.

* due to a regression in the sym driver, the kernel panicked when a SCSI hot swap was performed using MCP18 hardware.

* all cores on a multi-core system now scale their frequencies in accordance with the policy set by the system's CPU frequency governor.

* the netdump subsystem suffered from several stability issues. These are addressed in this updated kernel.

* under certain conditions, the ext3 file system reported a negative count of used blocks.

* reading /proc/self/mem incorrectly returned 'Invalid argument' instead of 'input/output error' due to a regression.

* under certain conditions, the kernel panicked when a USB device was removed while the system was busy accessing the device.

* a race condition in the kernel could have led to a kernel crash during the creation of a new process.

All Red Hat Enterprise Linux 4 Users should upgrade to these updated packages, which contain backported patches to correct these issues.

Security fixes :

  - memory leaks were found on some error paths in the     icmp_send() function in the Linux kernel. This could,     potentially, cause the network connectivity to cease.
    (CVE-2009-0778, Important)

  - Chris Evans reported a deficiency in the clone() system     call when called with the CLONE_PARENT flag. This flaw     permits the caller (the parent process) to indicate an     arbitrary signal it wants to receive when its child     process exits. This could lead to a denial of service of     the parent process. (CVE-2009-0028, Moderate)

  - an off-by-one underflow flaw was found in the eCryptfs     subsystem. This could potentially cause a local denial     of service when the readlink() function returned an     error. (CVE-2009-0269, Moderate)

  - a deficiency was found in the Remote BIOS Update (RBU)     driver for Dell systems. This could allow a local,     unprivileged user to cause a denial of service by     reading zero bytes from the image_type or packet_size     files in '/sys/devices/platform/dell_rbu/'.
    (CVE-2009-0322, Moderate)

  - an inverted logic flaw was found in the SysKonnect FDDI     PCI adapter driver, allowing driver statistics to be     reset only when the CAP_NET_ADMIN capability was absent     (local, unprivileged users could reset driver     statistics). (CVE-2009-0675, Moderate)

  - the sock_getsockopt() function in the Linux kernel did     not properly initialize a data structure that can be     directly returned to user-space when the getsockopt()     function is called with SO_BSDCOMPAT optname set. This     flaw could possibly lead to memory disclosure.
    (CVE-2009-0676, Moderate)

  - the ext2 and ext3 file system code failed to properly     handle corrupted data structures, leading to a possible     local denial of service when read or write operations     were performed on a specially crafted file system.
    (CVE-2008-3528, Low)

  - a deficiency was found in the libATA implementation.
    This could, potentially, lead to a local denial of     service. Note: by default, the '/dev/sg*' devices are     accessible only to the root user. (CVE-2008-5700, Low)

Bug fixes :

  - a bug in aic94xx may have caused kernel panics during     boot on some systems with certain SATA disks.
    (BZ#485909)

  - a word endianness problem in the qla2xx driver on     PowerPC-based machines may have corrupted flash-based     devices. (BZ#485908)

  - a memory leak in pipe() may have caused a system     deadlock. The workaround, which involved manually     allocating extra file descriptors toprocesses calling     do_pipe, is no longer necessary. (BZ#481576)

  - CPU soft-lockups in the network rate estimator.
    (BZ#481746)

  - bugs in the ixgbe driver caused it to function     unreliably on some systems with 16 or more CPU cores.
    (BZ#483210)

  - the iwl4965 driver may have caused a kernel panic.
    (BZ#483206)

  - a bug caused NFS attributes to not update for some     long-lived NFS mounted file systems. (BZ#483201)

  - unmounting a GFS2 file system may have caused a panic.
    (BZ#485910)

  - a bug in ptrace() may have caused a panic when single     stepping a target. (BZ#487394)

  - on some 64-bit systems, notsc was incorrectly set at     boot, causing slow gettimeofday() calls. (BZ#488239)

  - do_machine_check() cleared all Machine Check Exception     (MCE) status registers, preventing the BIOS from using     them to determine the cause of certain panics and     errors. (BZ#490433)

  - scaling problems caused performance problems for LAPI     applications. (BZ#489457)

  - a panic may have occurred on systems using certain Intel     WiFi Link 5000 products when booting with the RF Kill     switch on. (BZ#489846)

  - the TSC is invariant with C/P/T states, and always runs     at constant frequency from now on. (BZ#489310)

The system must be rebooted for this update to take effect.

- a flaw was found in the Linux kernel's Direct-IO     implementation. This could have allowed a local     unprivileged user to cause a denial of service.
    (CVE-2007-6716, Important)

  - when running ptrace in 31-bit mode on an IBM S/390 or     IBM System z kernel, a local unprivileged user could     cause a denial of service by reading from or writing     into a padding area in the user_regs_struct32 structure.
    (CVE-2008-1514, Important)

  - the do_truncate() and generic_file_splice_write()     functions did not clear the setuid and setgid bits. This     could have allowed a local unprivileged user to obtain     access to privileged information. (CVE-2008-4210,     Important)

  - Tobias Klein reported a missing check in the Linux     kernel's Open Sound System (OSS) implementation. This     deficiency could have led to an information leak.
    (CVE-2008-3272, Moderate)

  - a potential denial of service attack was discovered in     the Linux kernel's PWC USB video driver. A local     unprivileged user could have used this flaw to bring the     kernel USB subsystem into the busy-waiting state.
    (CVE-2007-5093, Low)

  - the ext2 and ext3 file systems code failed to properly     handle corrupted data structures, leading to a possible     local denial of service issue when read or write     operations were performed. (CVE-2008-3528, Low)

In addition, these updated packages fix the following bugs :

  - when using the CIFS 'forcedirectio' option, appending to     an open file on a CIFS share resulted in that file being     overwritten with the data to be appended.

  - a kernel panic occurred when a device with PCI ID     8086:10c8 was present on a system with a loaded ixgbe     driver.

  - due to an aacraid driver regression, the kernel failed     to boot when trying to load the aacraid driver and     printed the following error message: 'aac_srb:
    aac_fib_send failed with status: 8195'.

  - due to an mpt driver regression, when RAID 1 was     configured on Primergy systems with an LSI SCSI IME     53C1020/1030 controller, the kernel panicked during     boot.

  - the mpt driver produced a large number of extraneous     debugging messages when performing a 'Host reset'     operation.

  - due to a regression in the sym driver, the kernel     panicked when a SCSI hot swap was performed using MCP18     hardware.

  - all cores on a multi-core system now scale their     frequencies in accordance with the policy set by the     system's CPU frequency governor.

  - the netdump subsystem suffered from several stability     issues. These are addressed in this updated kernel.

  - under certain conditions, the ext3 file system reported     a negative count of used blocks.

  - reading /proc/self/mem incorrectly returned 'Invalid     argument' instead of 'input/output error' due to a     regression.

  - under certain conditions, the kernel panicked when a USB     device was removed while the system was busy accessing     the device.

  - a race condition in the kernel could have led to a     kernel crash during the creation of a new process.

This patch updates the SUSE Linux Enterprise 10 SP1 kernel. It fixes various bugs and security issues.

The following security issues are addressed :

  - fs/open.c in the Linux kernel before 2.6.22 does not     properly strip setuid and setgid bits when there is a     write to a file, which allows local users to gain the     privileges of a different group, and obtain sensitive     information or possibly have unspecified other impact,     by creating an executable file in a setgid directory     through the (1) truncate or (2) ftruncate function in     conjunction with memory-mapped I/O. (CVE-2008-4210)

  - The ext[234] filesystem code fails to properly handle     corrupted data structures. With a mounted filesystem     image or partition that have corrupted dir->i_size and     dir->i_blocks, a user performing either a read or write     operation on the mounted image or partition can lead to     a possible denial of service by spamming the logfile.
    (CVE-2008-3528)

  - fs/direct-io.c in the dio subsystem in the Linux kernel     did not properly zero out the dio struct, which allows     local users to cause a denial of service (OOPS), as     demonstrated by a certain fio test. (CVE-2007-6716)

All other bugfixes can be found by looking at the RPM changelog.

This kernel update for SUSE Linux Enterprise 10 Service Pack 2 fixes various bugs and some security problems :

  - When creating a file, open()/creat() allowed the setgid     bit to be set via the mode argument even when, due to     the bsdgroups mount option or the file being created in     a setgid directory, the new file's group is one which     the user is not a member of. The local attacker could     then use ftruncate() and memory-mapped I/O to turn the     new file into an arbitrary binary and thus gain the     privileges of this group, since these operations do not     clear the setgid bit.'. (CVE-2008-4210)

  - The ext[234] filesystem code fails to properly handle     corrupted data structures. With a mounted filesystem     image or partition that have corrupted dir->i_size and     dir->i_blocks, a user performing either a read or write     operation on the mounted image or partition can lead to     a possible denial of service by spamming the logfile.
    (CVE-2008-3528)

  - The S/390 ptrace code allowed local users to cause a     denial of service (kernel panic) via the     user-area-padding test from the ptrace testsuite in     31-bit mode, which triggers an invalid dereference.
    (CVE-2008-1514)

  - fs/direct-io.c in the dio subsystem in the Linux kernel     did not properly zero out the dio struct, which allows     local users to cause a denial of service (OOPS), as     demonstrated by a certain fio test. (CVE-2007-6716)

  - Added missing capability checks in sbni_ioctl().
    (CVE-2008-3525)

Also OCFS2 was updated to version v1.4.1-1.

The full amount of changes can be reviewed in the RPM changelog.

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* memory leaks were found on some error paths in the icmp_send() function in the Linux kernel. This could, potentially, cause the network connectivity to cease. (CVE-2009-0778, Important)

* Chris Evans reported a deficiency in the clone() system call when called with the CLONE_PARENT flag. This flaw permits the caller (the parent process) to indicate an arbitrary signal it wants to receive when its child process exits. This could lead to a denial of service of the parent process. (CVE-2009-0028, Moderate)

* an off-by-one underflow flaw was found in the eCryptfs subsystem.
This could potentially cause a local denial of service when the readlink() function returned an error. (CVE-2009-0269, Moderate)

* a deficiency was found in the Remote BIOS Update (RBU) driver for Dell systems. This could allow a local, unprivileged user to cause a denial of service by reading zero bytes from the image_type or packet_size files in '/sys/devices/platform/dell_rbu/'.
(CVE-2009-0322, Moderate)

* an inverted logic flaw was found in the SysKonnect FDDI PCI adapter driver, allowing driver statistics to be reset only when the CAP_NET_ADMIN capability was absent (local, unprivileged users could reset driver statistics). (CVE-2009-0675, Moderate)

* the sock_getsockopt() function in the Linux kernel did not properly initialize a data structure that can be directly returned to user-space when the getsockopt() function is called with SO_BSDCOMPAT optname set. This flaw could possibly lead to memory disclosure.
(CVE-2009-0676, Moderate)

* the ext2 and ext3 file system code failed to properly handle corrupted data structures, leading to a possible local denial of service when read or write operations were performed on a specially crafted file system. (CVE-2008-3528, Low)

* a deficiency was found in the libATA implementation. This could, potentially, lead to a local denial of service. Note: by default, the '/dev/sg*' devices are accessible only to the root user.
(CVE-2008-5700, Low)

Bug fixes :

* a bug in aic94xx may have caused kernel panics during boot on some systems with certain SATA disks. (BZ#485909)

* a word endianness problem in the qla2xx driver on PowerPC-based machines may have corrupted flash-based devices. (BZ#485908)

* a memory leak in pipe() may have caused a system deadlock. The workaround in Section 1.5, Known Issues, of the Red Hat Enterprise Linux 5.3 Release Notes Updates, which involved manually allocating extra file descriptors to processes calling do_pipe, is no longer necessary. (BZ#481576)

* CPU soft-lockups in the network rate estimator. (BZ#481746)

* bugs in the ixgbe driver caused it to function unreliably on some systems with 16 or more CPU cores. (BZ#483210)

* the iwl4965 driver may have caused a kernel panic. (BZ#483206)

* a bug caused NFS attributes to not update for some long-lived NFS mounted file systems. (BZ#483201)

* unmounting a GFS2 file system may have caused a panic. (BZ#485910)

* a bug in ptrace() may have caused a panic when single stepping a target. (BZ#487394)

* on some 64-bit systems, notsc was incorrectly set at boot, causing slow gettimeofday() calls. (BZ#488239)

* do_machine_check() cleared all Machine Check Exception (MCE) status registers, preventing the BIOS from using them to determine the cause of certain panics and errors. (BZ#490433)

* scaling problems caused performance problems for LAPI applications.
(BZ#489457)

* a panic may have occurred on systems using certain Intel WiFi Link 5000 products when booting with the RF Kill switch on. (BZ#489846)

* the TSC is invariant with C/P/T states, and always runs at constant frequency from now on. (BZ#489310)

All users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

a. JRE Security Update

  JRE update to version 1.5.0_20, which addresses multiple security   issues that existed in earlier releases of JRE.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,   CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,   CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,   CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,   CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,   CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,   CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

b. Update Apache Tomcat version

  Update for VirtualCenter and ESX patch update the Tomcat package to   version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5)   which addresses multiple security issues that existed   in the previous version of Apache Tomcat.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515,   CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.18:  CVE-2008-1232, CVE-2008-1947, CVE-2008-2370.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.16:  CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,   CVE-2007-6286, CVE-2008-0002.
  c. Third-party library update for ntp.
   The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the   following security issue. Note that the same security issue is   present in the ESX Service Console as described in section d. of   this advisory.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   The NTP security issue identified by CVE-2009-0159 is not relevant   for ESXi 3.5 and ESXi 4.0.
 d. Service Console update for ntp

  Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2    The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   The Service Console present in ESX is affected by the following   security issues.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   NTP authentication is not enabled by default on the Service Console.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   A buffer overflow flaw was found in the ntpq diagnostic command. A   malicious, remote server could send a specially crafted reply to an   ntpq request that could crash ntpq or, potentially, execute   arbitrary code with the privileges of the user running the ntpq   command.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-0159 to this issue.
  e. Updated Service Console package kernel

  Updated Service Console package kernel addresses the security   issues listed below.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028,   CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676,   CVE-2009-0778 to the security issues fixed in kernel   2.6.18-128.1.6.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337,   CVE-2009-0787, CVE-2009-1336 to the security issues fixed in   kernel 2.6.18-128.1.10.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072,   CVE-2009-1630, CVE-2009-1192 to the security issues fixed in   kernel 2.6.18-128.1.14.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388,   CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the   security issues fixed in kernel 2.6.18-128.4.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2692, CVE-2009-2698 to the   security issues fixed in kernel 2.6.18-128.7.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747,   CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues   fixed in kernel 2.6.18-164.

 f. Updated Service Console package python

  Service Console package Python update to version 2.4.3-24.el5.

  When the assert() system call was disabled, an input sanitization   flaw was revealed in the Python string object implementation that   led to a buffer overflow. The missing check for negative size values   meant the Python memory allocator could allocate less memory than   expected. This could result in arbitrary code execution with the   Python interpreter's privileges.

  Multiple buffer and integer overflow flaws were found in the Python   Unicode string processing and in the Python Unicode and string   object implementations. An attacker could use these flaws to cause   a denial of service.

  Multiple integer overflow flaws were found in the Python imageop   module. If a Python application used the imageop module to   process untrusted images, it could cause the application to   disclose sensitive information, crash or, potentially, execute   arbitrary code with the Python interpreter's privileges.

  Multiple integer underflow and overflow flaws were found in the   Python snprintf() wrapper implementation. An attacker could use   these flaws to cause a denial of service (memory corruption).

  Multiple integer overflow flaws were found in various Python   modules. An attacker could use these flaws to cause a denial of   service.

  An integer signedness error, leading to a buffer overflow, was   found in the Python zlib extension module. If a Python application   requested the negative byte count be flushed for a decompression   stream, it could cause the application to crash or, potentially,   execute arbitrary code with the Python interpreter's privileges.

  A flaw was discovered in the strxfrm() function of the Python   locale module. Strings generated by this function were not properly   NULL-terminated, which could possibly cause disclosure of data   stored in the memory of a Python application using this function.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721   CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143   CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues.

 g. Updated Service Console package bind

  Service Console package bind updated to version 9.3.6-4.P1.el5

  The Berkeley Internet Name Domain (BIND) is an implementation of the   Domain Name System (DNS) protocols. BIND includes a DNS server   (named); a resolver library (routines for applications to use when   interfacing with DNS); and tools for verifying that the DNS server   is operating correctly.

  A flaw was found in the way BIND handles dynamic update message   packets containing the 'ANY' record type. A remote attacker could   use this flaw to send a specially crafted dynamic update packet   that could cause named to exit with an assertion failure.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-0696 to this issue.

 h. Updated Service Console package libxml2

  Service Console package libxml2 updated to version 2.6.26-2.1.2.8.

  libxml is a library for parsing and manipulating XML files. A   Document Type Definition (DTD) defines the legal syntax (and also   which elements can be used) for certain types of files, such as XML   files.

  A stack overflow flaw was found in the way libxml processes the   root XML document element definition in a DTD. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  Multiple use-after-free flaws were found in the way libxml parses   the Notation and Enumeration attribute types. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2414 and CVE-2009-2416 to these   issues.

 i. Updated Service Console package curl

  Service Console package curl updated to version 7.15.5-2.1.el5_3.5

  A cURL is affected by the previously published 'null prefix attack',   caused by incorrect handling of NULL characters in X.509   certificates. If an attacker is able to get a carefully-crafted   certificate signed by a trusted Certificate Authority, the attacker   could use the certificate during a man-in-the-middle attack and   potentially confuse cURL into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2417 to this issue

 j. Updated Service Console package gnutls

  Service Console package gnutil updated to version 1.4.1-3.el5_3.5

  A flaw was discovered in the way GnuTLS handles NULL characters in   certain fields of X.509 certificates. If an attacker is able to get   a carefully-crafted certificate signed by a Certificate Authority   trusted by an application using GnuTLS, the attacker could use the   certificate during a man-in-the-middle attack and potentially   confuse the application into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2730 to this issue

This patch updates the openSUSE 11.0 kernel to the 2.6.25.18 stable release.

It also includes bugfixes and security fixes :

CVE-2008-4410: The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state.

sctp: Fix kernel panic while process protocol violation parameter.

CVE-2008-3528: The ext[234] filesystem code fails to properly handle corrupted data structures. With a mounted filesystem image or partition that have corrupted dir->i_size and dir->i_blocks, a user performing either a read or write operation on the mounted image or partition can lead to a possible denial of service by spamming the logfile.

CVE-2008-3526: Integer overflow in the sctp_setsockopt_auth_key function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel allows remote attackers to cause a denial of service (panic) or possibly have unspecified other impact via a crafted sca_keylength field associated with the SCTP_AUTH_KEY option.

CVE-2008-3525: Added missing capability checks in sbni_ioctl().

CVE-2008-4576: SCTP in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires.

CVE-2008-4445: The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not verify that the identifier index is within the bounds established by SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.

CVE-2008-3792: net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel 2.6.26.3 does not verify that the SCTP-AUTH extension is enabled before proceeding with SCTP-AUTH API functions, which allows attackers to cause a denial of service (panic) via vectors that result in calls to (1) sctp_setsockopt_auth_chunk, (2) sctp_setsockopt_hmac_ident, (3) sctp_setsockopt_auth_key, (4) sctp_setsockopt_active_key, (5) sctp_setsockopt_del_key, (6) sctp_getsockopt_maxburst, (7) sctp_getsockopt_active_key, (8) sctp_getsockopt_peer_auth_chunks, or (9) sctp_getsockopt_local_auth_chunks.

CVE-2008-4113: The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an untrusted length value to limit copying of data from kernel memory, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.

CVE-2008-3911: The proc_do_xprt function in net/sunrpc/sysctl.c in the Linux kernel 2.6.26.3 does not check the length of a certain buffer obtained from userspace, which allows local users to overflow a stack-based buffer and have unspecified other impact via a crafted read system call for the /proc/sys/sunrpc/transports file.

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries.
(CVE-2008-3528)

The i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel 2.6.24 on Debian GNU/Linux and (2) sys/dev/pci/drm/i915_drv.c in OpenBSD does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration. (CVE-2008-3831)

The do_splice_from function in fs/splice.c in the Linux kernel before 2.6.27 does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file. (CVE-2008-4554)

Additionaly, a problem with TCP options ordering, which could manifest as connection problems with many websites (bug #43372), was solved, a number of fixes for Intel HDA were added, another number of fixes for issues on Asus EEE PC, Panasonic Let's Note, Acer One, Dell XPS, and others, were also added. Check package changelog for more information.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Update :

The previous update included a patch which introduced a bug that would make the boot process to stop halfway in several machines. That patch has been removed in this new update, to avoid that problem.

It was discovered that the Linux kernel could be made to hang temporarily when mounting corrupted ext2/3 filesystems. If a user were tricked into mounting a specially crafted filesystem, a remote attacker could cause system hangs, leading to a denial of service.
(CVE-2008-3528)

Anders Kaseorg discovered that ndiswrapper did not correctly handle long ESSIDs. For a system using ndiswrapper, a physically near-by attacker could generate specially crafted wireless network traffic and execute arbitrary code with root privileges. (CVE-2008-4395).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* a flaw was found in the Linux kernel's Direct-IO implementation.
This could have allowed a local unprivileged user to cause a denial of service. (CVE-2007-6716, Important)

* when running ptrace in 31-bit mode on an IBM S/390 or IBM System z kernel, a local unprivileged user could cause a denial of service by reading from or writing into a padding area in the user_regs_struct32 structure. (CVE-2008-1514, Important)

* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could have allowed a local unprivileged user to obtain access to privileged information.
(CVE-2008-4210, Important)

* Tobias Klein reported a missing check in the Linux kernel's Open Sound System (OSS) implementation. This deficiency could have led to an information leak. (CVE-2008-3272, Moderate)

* a potential denial of service attack was discovered in the Linux kernel's PWC USB video driver. A local unprivileged user could have used this flaw to bring the kernel USB subsystem into the busy-waiting state. (CVE-2007-5093, Low)

* the ext2 and ext3 file systems code failed to properly handle corrupted data structures, leading to a possible local denial of service issue when read or write operations were performed.
(CVE-2008-3528, Low)

In addition, these updated packages fix the following bugs :

* when using the CIFS 'forcedirectio' option, appending to an open file on a CIFS share resulted in that file being overwritten with the data to be appended.

* a kernel panic occurred when a device with PCI ID 8086:10c8 was present on a system with a loaded ixgbe driver.

* due to an aacraid driver regression, the kernel failed to boot when trying to load the aacraid driver and printed the following error message: 'aac_srb: aac_fib_send failed with status: 8195'.

* due to an mpt driver regression, when RAID 1 was configured on Primergy systems with an LSI SCSI IME 53C1020/1030 controller, the kernel panicked during boot.

* the mpt driver produced a large number of extraneous debugging messages when performing a 'Host reset' operation.

* due to a regression in the sym driver, the kernel panicked when a SCSI hot swap was performed using MCP18 hardware.

* all cores on a multi-core system now scale their frequencies in accordance with the policy set by the system's CPU frequency governor.

* the netdump subsystem suffered from several stability issues. These are addressed in this updated kernel.

* under certain conditions, the ext3 file system reported a negative count of used blocks.

* reading /proc/self/mem incorrectly returned 'Invalid argument' instead of 'input/output error' due to a regression.

* under certain conditions, the kernel panicked when a USB device was removed while the system was busy accessing the device.

* a race condition in the kernel could have led to a kernel crash during the creation of a new process.

All Red Hat Enterprise Linux 4 Users should upgrade to these updated packages, which contain backported patches to correct these issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-3527     Tavis Ormandy reported a local DoS and potential     privilege escalation in the Virtual Dynamic Shared     Objects (vDSO) implementation.

  - CVE-2008-3528     Eugene Teo reported a local DoS issue in the ext2 and     ext3 filesystems. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a corrupted filesystem that causes the kernel     to output error messages in an infinite loop.

  - CVE-2008-4554     Milos Szeredi reported that the usage of splice() on     files opened with O_APPEND allows users to write to the     file at arbitrary offsets, enabling a bypass of possible     assumed semantics of the O_APPEND flag.

  - CVE-2008-4576     Vlad Yasevich reported an issue in the SCTP subsystem     that may allow remote users to cause a local DoS by     triggering a kernel oops.

  - CVE-2008-4933     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that causes the     kernel to overrun a buffer, resulting in a system oops     or memory corruption.

  - CVE-2008-4934     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that results in a     kernel oops due to an unchecked return value.

  - CVE-2008-5025     Eric Sesterhenn reported a local DoS issue in the hfs     filesystem. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a filesystem with a corrupted catalog name     length, resulting in a system oops or memory corruption.

  - CVE-2008-5029     Andrea Bittau reported a DoS issue in the unix socket     subsystem that allows a local user to cause memory     corruption, resulting in a kernel panic.

  - CVE-2008-5079     Hugo Dias reported a DoS condition in the ATM subsystem     that can be triggered by a local user by calling the     svc_listen function twice on the same socket and reading     /proc/net/atm/*vc.

  - CVE-2008-5182     Al Viro reported race conditions in the inotify     subsystem that may allow local users to acquire elevated     privileges.

  - CVE-2008-5300     Dann Frazier reported a DoS condition that allows local     users to cause the out of memory handler to kill off     privileged processes or trigger soft lockups due to a     starvation issue in the unix socket subsystem.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-3528     Eugene Teo reported a local DoS issue in the ext2 and     ext3 filesystems. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a corrupted filesystem that causes the kernel     to output error messages in an infinite loop.

  - CVE-2008-4554     Milos Szeredi reported that the usage of splice() on     files opened with O_APPEND allows users to write to the     file at arbitrary offsets, enabling a bypass of possible     assumed semantics of the O_APPEND flag.

  - CVE-2008-4576     Vlad Yasevich reported an issue in the SCTP subsystem     that may allow remote users to cause a local DoS by     triggering a kernel oops.

  - CVE-2008-4618     Wei Yongjun reported an issue in the SCTP subsystem that     may allow remote users to cause a local DoS by     triggering a kernel panic.

  - CVE-2008-4933     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that causes the     kernel to overrun a buffer, resulting in a system oops     or memory corruption.

  - CVE-2008-4934     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that results in a     kernel oops due to an unchecked return value.

  - CVE-2008-5025     Eric Sesterhenn reported a local DoS issue in the hfs     filesystem. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a filesystem with a corrupted catalog name     length, resulting in a system oops or memory corruption.

  - CVE-2008-5029     Andrea Bittau reported a DoS issue in the unix socket     subsystem that allows a local user to cause memory     corruption, resulting in a kernel panic.

  - CVE-2008-5134     Johannes Berg reported a remote DoS issue in the     libertas wireless driver, which can be triggered by a     specially crafted beacon/probe response.

  - CVE-2008-5182     Al Viro reported race conditions in the inotify     subsystem that may allow local users to acquire elevated     privileges.

  - CVE-2008-5300     Dann Frazier reported a DoS condition that allows local     users to cause the out of memory handler to kill off     privileged processes or trigger soft lockups due to a     starvation issue in the unix socket subsystem.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2008:0972 advisory.

  - kernel PWC driver DoS (CVE-2007-5093)

  - kernel: dio: zero struct dio with kzalloc instead of manually (CVE-2007-6716)

  - kernel: ptrace: Padding area write - unprivileged kernel crash (CVE-2008-1514)

  - kernel snd_seq_oss_synth_make_info leak (CVE-2008-3272)

  - Linux kernel ext[234] directory corruption denial of service (CVE-2008-3528)

  - kernel: open() call allows setgid bit when user is not in new file's group (CVE-2008-4210)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This kernel update fixes various bugs and also several security issues :

CVE-2008-4576: Fixed a crash in SCTP INIT-ACK, on mismatch between SCTP AUTH availability. This might be exploited remotely for a denial of service (crash) attack.

CVE-2008-3833: The generic_file_splice_write function in fs/splice.c in the Linux kernel does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory.

CVE-2008-4210: fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O.

CVE-2008-4302: fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.

CVE-2008-3528: The ext[234] filesystem code fails to properly handle corrupted data structures. With a mounted filesystem image or partition that have corrupted dir->i_size and dir->i_blocks, a user performing either a read or write operation on the mounted image or partition can lead to a possible denial of service by spamming the logfile.

CVE-2007-6716: fs/direct-io.c in the dio subsystem in the Linux kernel did not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test.

CVE-2008-3525: Added missing capability checks in sbni_ioctl().

CVE-2008-3272: Fixed range checking in the snd_seq OSS ioctl, which could be used to leak information from the kernel.

CVE-2008-2931: The do_change_type function in fs/namespace.c did not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.

CVE-2008-2812: Various NULL ptr checks have been added to tty op functions, which might have been used by local attackers to execute code. We think that this affects only devices openable by root, so the impact is limited.

CVE-2008-1673: Added range checking in ASN.1 handling for the CIFS and SNMP NAT netfilter modules.

CVE-2008-3527: arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDSO) implementation in the Linux kernel before 2.6.21 did not properly check boundaries, which allows local users to gain privileges or cause a denial of service via unspecified vectors, related to the install_special_mapping, syscall, and syscall32_nopage functions.

The openSUSE 10.3 kernel was update to 2.6.22.19. This includes bugs and security fixes.

CVE-2008-4576: Fixed a crash in SCTP INIT-ACK, on mismatch between SCTP AUTH availability. This might be exploited remotely for a denial of service (crash) attack.

CVE-2008-3528: The ext[234] filesystem code fails to properly handle corrupted data structures. With a mounted filesystem image or partition that have corrupted dir->i_size and dir->i_blocks, a user performing either a read or write operation on the mounted image or partition can lead to a possible denial of service by spamming the logfile.

CVE-2007-6716: fs/direct-io.c in the dio subsystem in the Linux kernel did not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test.

CVE-2008-3525: Added missing capability checks in sbni_ioctl().

CVE-2008-3272: Fixed range checking in the snd_seq OSS ioctl, which could be used to leak information from the kernel.

CVE-2008-3276: An integer overflow flaw was found in the Linux kernel dccp_setsockopt_change() function. An attacker may leverage this vulnerability to trigger a kernel panic on a victim's machine remotely.

CVE-2008-1673: Added range checking in ASN.1 handling for the CIFS and SNMP NAT netfilter modules.

CVE-2008-2826: A integer overflow in SCTP was fixed, which might have been used by remote attackers to crash the machine or potentially execute code.

CVE-2008-2812: Various NULL ptr checks have been added to tty op functions, which might have been used by local attackers to execute code. We think that this affects only devices openable by root, so the impact is limited.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2009-0326.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2008-0972.

ID	Name	Product	Family	Severity
89117	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)	Nessus	Misc.	critical
79453	OracleVM 2.1 : kernel (OVMSA-2009-0004)	Nessus	OracleVM Local Security Checks	high
67812	Oracle Linux 5 : kernel (ELSA-2009-0326)	Nessus	Oracle Linux Local Security Checks	high
67762	Oracle Linux 4 : kernel (ELSA-2008-0972)	Nessus	Oracle Linux Local Security Checks	medium
60559	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60497	Scientific Linux Security Update : kernel on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
59134	SuSE 10 Security Update : Linux Kernel (x86_64) (ZYPP Patch Number 5735)	Nessus	SuSE Local Security Checks	medium
59132	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 5667)	Nessus	SuSE Local Security Checks	high
43729	CentOS 5 : kernel (CESA-2009:0326)	Nessus	CentOS Local Security Checks	high
42870	VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.	Nessus	VMware ESX Local Security Checks	medium
41535	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 5668)	Nessus	SuSE Local Security Checks	high
40010	openSUSE Security Update : kernel (kernel-270)	Nessus	SuSE Local Security Checks	high
37851	Mandriva Linux Security Advisory : kernel (MDVSA-2008:224-1)	Nessus	Mandriva Local Security Checks	medium
37499	Ubuntu 8.10 : linux vulnerability (USN-662-1)	Nessus	Ubuntu Local Security Checks	high
37341	CentOS 4 : kernel (CESA-2008:0972)	Nessus	CentOS Local Security Checks	medium
36069	RHEL 5 : kernel (RHSA-2009:0326)	Nessus	Red Hat Local Security Checks	high
35174	Debian DSA-1687-1 : linux-2.6 - denial of service/privilege escalation	Nessus	Debian Local Security Checks	high
35036	Debian DSA-1681-1 : linux-2.6.24 - denial of service/privilege escalation	Nessus	Debian Local Security Checks	critical
35026	SuSE 10 Security Update : Linux Kernel (x86) (ZYPP Patch Number 5734)	Nessus	SuSE Local Security Checks	medium
34841	RHEL 4 : kernel (RHSA-2008:0972)	Nessus	Red Hat Local Security Checks	medium
34755	openSUSE 10 Security Update : kernel (kernel-5751)	Nessus	SuSE Local Security Checks	critical
34457	openSUSE 10 Security Update : kernel (kernel-5700)	Nessus	SuSE Local Security Checks	critical
801466	CentOS RHSA-2009-0326 Security Check	Log Correlation Engine	Generic	high
801459	CentOS RHSA-2008-0972 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2008-3528

medium

Tenable Plugins

critical

high

high

medium

high

medium

medium

high

high

medium

high

high

medium

high

medium

high

high

critical

medium

medium

critical

critical

high

high