Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2009-0225 advisory.

    - [net] atm: prevent local denial of service (Eugene Teo ) [473701] {CVE-2008-5079}
    - [net] fix unix sockets kernel panic (Neil Horman ) [470436] {CVE-2008-5029}
    - [audit] race between inotify watch removal and unmount (Josef Bacik ) [472329] {CVE-2008-5182}
    - [video] uvc: buf overflow in format descriptor parsing (Jay Fenlason ) [470427] {CVE-2008-3496}
    - [x86] vDSO: use install_special_mapping (Peter Zijlstra ) [460276] {CVE-2008-3527}
    - [drm] i915 driver arbitrary ioremap (Eugene Teo ) [464509] {CVE-2008-3831}
    - [fs] dont allow splice to files opened with O_APPEND (Eugene Teo ) [466710] {CVE-2008-4554}
    - [net] sctp: INIT-ACK indicates no AUTH peer support oops (Eugene Teo ) [466082] {CVE-2008-4576}
    - [fs] open() allows setgid bit when user is not in group (Eugene Teo ) [463687] {CVE-2008-4210}
    - [xen] allow guests to hide the TSC from applications (Chris Lalancette ) [378481] {CVE-2007-5907}
    - [x86_64] xen: local DOS due to NT bit leakage (Eugene Teo ) [457722] {CVE-2006-5755}
    - [net] dccp_setsockopt_change integer overflow (Vitaly Mayatskikh ) [459235] {CVE-2008-3276}
    - [mm] optimize ZERO_PAGE in 'get_user_pages' and fix XIP (Anton Arapov ) [452668] {CVE-2008-2372}
    - [sound] snd_seq_oss_synth_make_info info leak (Eugene Teo ) [458001] {CVE-2008-3272}
    -  [mm] tmpfs: restore missing clear_highpage (Eugene Teo ) [426083]{CVE-2007-6417}
    - [fs] vfs: fix lookup on deleted directory (Eugene Teo ) [457866]{CVE-2008-3275}
    - [x86_64] zero the output of string inst on exception (Jiri Pirko ) [451276] {CVE-2008-2729}
    - [net] dccp: sanity check feature length (Anton Arapov ) [447396] {CVE-2008-2358}
    - [misc] buffer overflow in ASN.1 parsing routines (Anton Arapov ) [444465] {CVE-2008-1673}
    - [x86_64] write system call vulnerability (Anton Arapov ) [433945] {CVE-2008-0598}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2009:1550 :

Updated kernel packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise Linux 3.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue.
(CVE-2008-5029, Important)

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important)

* a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.
(CVE-2009-1895, Important)

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* missing initialization flaws were found in getname() implementations in the IrDA sockets, AppleTalk DDP protocol, NET/ROM protocol, and ROSE protocol implementations in the Linux kernel. Certain data structures in these getname() implementations were not initialized properly before being copied to user-space. These flaws could lead to an information leak. (CVE-2009-3002, Important)

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

Bug fixes :

* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#512642)

* a bridge reference count problem in IPv6 has been fixed. (BZ#457010)

* enforce null-termination of user-supplied arguments to setsockopt().
(BZ#505514)

* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#511185)

* a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#520300)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2009:0014 :

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update addresses the following security issues :

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service.
(CVE-2008-5029, Important)

* a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

* a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low)

* the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

* a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low)

This update also fixes the following bugs :

* when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use.

* mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this.

* attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail.

* after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime.

* writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations.

* on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes.

* a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes.

* a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved.

* the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network.

* the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization.

All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.

Updated kernel packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise Linux 3.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue.
(CVE-2008-5029, Important)

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important)

* a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.
(CVE-2009-1895, Important)

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* missing initialization flaws were found in getname() implementations in the IrDA sockets, AppleTalk DDP protocol, NET/ROM protocol, and ROSE protocol implementations in the Linux kernel. Certain data structures in these getname() implementations were not initialized properly before being copied to user-space. These flaws could lead to an information leak. (CVE-2009-3002, Important)

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

Bug fixes :

* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#512642)

* a bridge reference count problem in IPv6 has been fixed. (BZ#457010)

* enforce null-termination of user-supplied arguments to setsockopt().
(BZ#505514)

* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#511185)

* a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#520300)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that resolve several security issues are now available for Red Hat Enterprise Linux 5.2 Extended Update Support.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update includes backported fixes for four security issues. These issues only affected users of Red Hat Enterprise Linux 5.2 Extended Update Support as they have already been addressed for users of Red Hat Enterprise Linux 5 in the 5.3 update, RHSA-2009:0225.

In accordance with the support policy, future security updates to Red Hat Enterprise Linux 5.2 Extended Update Support will only include issues of critical security impact.

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue.
(CVE-2008-5029, Important)

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* a flaw was found in the Asynchronous Transfer Mode (ATM) subsystem.
A local, unprivileged user could use the flaw to listen on the same socket more than once, possibly causing a denial of service.
(CVE-2008-5079, Important)

* a race condition was found in the Linux kernel 'inotify' watch removal and umount implementation. This could allow a local, unprivileged user to cause a privilege escalation or a denial of service. (CVE-2008-5182, Important)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: for this update to take effect, the system must be rebooted.

CVE-2008-5029 kernel: Unix sockets kernel panic

CVE-2008-5300 kernel: fix soft lockups/OOM issues with unix socket garbage collector

CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check

CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service

CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID

CVE-2009-2848 kernel: execve: must clear current->clear_child_tid

CVE-2009-3001, CVE-2009-3002 kernel: numerous getname() infoleaks 520300 - kernel: ipv4: make ip_append_data() handle NULL routing table [rhel-3]

CVE-2009-3547 kernel: fs: pipe.c NULL pointer dereference

Security fixes :

  - when fput() was called to close a socket, the
    __scm_destroy() function in the Linux kernel could make     indirect recursive calls to itself. This     could,potentially, lead to a denial of service issue.
    (CVE-2008-5029, Important)

  - the sendmsg() function in the Linux kernel did not block     during UNIX socket garbage collection. This could,     potentially, lead to a local denial of service.
    (CVE-2008-5300, Important)

  - the exit_notify() function in the Linux kernel did not     properly reset the exit signal if a process executed a     set user ID (setuid) application before exiting. This     could allow a local, unprivileged user to elevate their     privileges. (CVE-2009-1337, Important)

  - a flaw was found in the Intel PRO/1000 network driver in     the Linux kernel. Frames with sizes near the MTU of an     interface may be split across multiple hardware receive     descriptors. Receipt of such a frame could leak through     a validation check, leading to a corruption of the     length check. A remote attacker could use this flaw to     send a specially crafted packet that would cause a     denial of service or code execution. (CVE-2009-1385,     Important)

  - the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not     cleared when a setuid or setgid program was executed. A     local, unprivileged user could use this flaw to bypass     the mmap_min_addr protection mechanism and perform a     NULL pointer dereference attack, or bypass the Address     Space Layout Randomization (ASLR) security feature.
    (CVE-2009-1895, Important)

  - it was discovered that, when executing a new process,     the clear_child_tid pointer in the Linux kernel is not     cleared. If this pointer points to a writable portion of     the memory of the new program, the kernel could corrupt     four bytes of memory, possibly leading to a local denial     of service or privilege escalation. (CVE-2009-2848,     Important)

  - missing initialization flaws were found in getname()     implementations in the IrDA sockets, AppleTalk DDP     protocol, NET/ROM protocol, and ROSE protocol     implementations in the Linux kernel. Certain data     structures in these getname() implementations were not     initialized properly before being copied to user-space.
    These flaws could lead to an information leak.
    (CVE-2009-3002, Important)

  - a NULL pointer dereference flaw was found in each of the     following functions in the Linux kernel:
    pipe_read_open(), pipe_write_open(), and     pipe_rdwr_open(). When the mutex lock is not held, the     i_pipe pointer could be released by other processes     before it is used to update the pipe's reader and writer     counters. This could lead to a local denial of service     or privilege escalation. (CVE-2009-3547, Important)

Bug fixes :

  - this update adds the mmap_min_addr tunable and     restriction checks to help prevent unprivileged users     from creating new memory mappings below the minimum     address. This can help prevent the exploitation of NULL     pointer dereference bugs. Note that mmap_min_addr is set     to zero (disabled) by default for backwards     compatibility. (BZ#512642)

  - a bridge reference count problem in IPv6 has been fixed.
    (BZ#457010)

  - enforce null-termination of user-supplied arguments to     setsockopt(). (BZ#505514)

  - the gcc flag '-fno-delete-null-pointer-checks' was added     to the kernel build options. This prevents gcc from     optimizing out NULL pointer checks after the first use     of a pointer. NULL pointer bugs are often exploited by     attackers. Keeping these checks is a safety measure.
    (BZ#511185)

  - a check has been added to the IPv4 code to make sure     that rt is not NULL, to help prevent future bugs in     functions that call ip_append_data() from being     exploitable. (BZ#520300)

The system must be rebooted for this update to take effect.

This update addresses the following security issues :

  - the sendmsg() function in the Linux kernel did not block     during UNIX socket garbage collection. This could,     potentially, lead to a local denial of service.
    (CVE-2008-5300, Important)

  - when fput() was called to close a socket, the
    __scm_destroy() function in the Linux kernel could make     indirect recursive calls to itself. This could,     potentially, lead to a local denial of service.
    (CVE-2008-5029, Important)

  - a deficiency was found in the Linux kernel virtual file     system (VFS) implementation. This could allow a local,     unprivileged user to make a series of file creations     within deleted directories, possibly causing a denial of     service. (CVE-2008-3275, Moderate)

  - a buffer underflow flaw was found in the Linux kernel     IB700 SBC watchdog timer driver. This deficiency could     lead to a possible information leak. By default, the     '/dev/watchdog' device is accessible only to the root     user. (CVE-2008-5702, Low)

  - the hfs and hfsplus file systems code failed to properly     handle corrupted data structures. This could,     potentially, lead to a local denial of service.
    (CVE-2008-4933, CVE-2008-5025, Low)

  - a flaw was found in the hfsplus file system     implementation. This could, potentially, lead to a local     denial of service when write operations were performed.
    (CVE-2008-4934, Low)

This update also fixes the following bugs :

  - when running Red Hat Enterprise Linux 4.6 and 4.7 on     some systems running Intel&reg; CPUs, the cpuspeed     daemon did not run, preventing the CPU speed from being     changed, such as not being reduced to an idle state when     not in use.

  - mmap() could be used to gain access to beyond the first     megabyte of RAM, due to insufficient checks in the Linux     kernel code. Checks have been added to prevent this.

  - attempting to turn keyboard LEDs on and off rapidly on     keyboards with slow keyboard controllers, may have     caused key presses to fail.

  - after migrating a hypervisor guest, the MAC address     table was not updated, causing packet loss and     preventing network connections to the guest. Now, a     gratuitous ARP request is sent after migration. This     refreshes the ARP caches, minimizing network downtime.

  - writing crash dumps with diskdump may have caused a     kernel panic on Non-Uniform Memory Access (NUMA) systems     with certain memory configurations.

  - on big-endian systems, such as PowerPC, the getsockopt()     function incorrectly returned 0 depending on the     parameters passed to it when the time to live (TTL)     value equaled 255, possibly causing memory corruption     and application crashes.

  - a problem in the kernel packages provided by the     RHSA-2008:0508 advisory caused the Linux kernel's     built-in memory copy procedure to return the wrong error     code after recovering from a page fault on AMD64 and     Intel 64 systems. This may have caused other Linux     kernel functions to return wrong error codes.

  - a divide-by-zero bug in the Linux kernel process     scheduler, which may have caused kernel panics on     certain systems, has been resolved.

  - the netconsole kernel module caused the Linux kernel to     hang when slave interfaces of bonded network interfaces     were started, resulting in a system hang or kernel panic     when restarting the network.

  - the '/proc/xen/' directory existed even if systems were     not running Red Hat Virtualization. This may have caused     problems for third-party software that checks     virtualization-ability based on the existence of     '/proc/xen/'. Note: this update will remove the     '/proc/xen/' directory on systems not running Red Hat     Virtualization.

This updated kernel-utils package adds an enhancement in the way of proper support for user-space frequency-scaling on multi-core systems.

a. Service Console update for COS kernel

   The service console package kernel is updated to version 2.4.21-63.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2008-5029, CVE-2008-5300, CVE-2009-1337,    CVE-2009-1385, CVE-2009-1895, CVE-2009-2848, CVE-2009-3002, and    CVE-2009-3547 to the security issues fixed in kernel-2.4.21-63.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-2698, CVE-2009-2692 to the security    issues fixed in kernel-2.4.21-60.

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update addresses the following security issues :

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service.
(CVE-2008-5029, Important)

* a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

* a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low)

* the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

* a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low)

This update also fixes the following bugs :

* when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use.

* mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this.

* attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail.

* after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime.

* writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations.

* on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes.

* a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes.

* a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved.

* the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network.

* the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization.

All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.

This update fixes various security issues and several bugs in the openSUSE 11.0 kernel. It was also updated to the stable version 2.6.25.20.

CVE-2008-5702: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.

CVE-2008-5700: libata did not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.

CVE-2008-5079: net/atm/svc.c in the ATM subsystem allowed local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table.

CVE-2008-5300: Linux kernel 2.6.28 allows local users to cause a denial of service ('soft lockup' and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.

CVE-2008-5029: The __scm_destroy function in net/core/scm.c makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.

CVE-2008-4933: Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function.

CVE-2008-5025: Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.

CVE-2008-5182: The inotify functionality might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.

CVE-2008-3831: The i915 driver in drivers/char/drm/i915_dma.c does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration.

CVE-2008-4554: The do_splice_from function in fs/splice.c did not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.

Update kernel from version 2.6.27.7 to 2.6.27.9:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.9 Also includes three critical fixes scheduled for 2.6.27.10 Update applesmc driver to latest upstream version. (Adds module autoloading.) Update ALSA audio drivers to version 1.0.18a. (See www.alsa-project.org for details.) Security fixes: CVE-2008-5079 in 2.6.27.9 CVE-2008-5182 in 2.6.27.8 CVE-2008-5300 in 2.6.27.8

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table. (CVE-2008-5079)

Linux kernel 2.6.28 allows local users to cause a denial of service (soft lockup and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029. (CVE-2008-5300)

Additionaly, wireless and hotkeys support for Asus EEE were fixed, systems with HDA sound needing MSI support were added to the quirks list to be autodetected, STAC92HD71Bx and STAC92HD75Bx based HDA support was enhanced and fixed, support for HDA sound on Acer Aspire 8930 was added, Dell Inspiron Mini 9 HDA sound support was added, CIFS filesystem should now work with Kerberos, and a few more things. Check the package changelog for details.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Hugo Dias discovered that the ATM subsystem did not correctly manage socket counts. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2008-5079)

It was discovered that the libertas wireless driver did not correctly handle beacon and probe responses. A physically near-by attacker could generate specially crafted wireless network traffic and cause a denial of service. Ubuntu 6.06 was not affected. (CVE-2008-5134)

It was discovered that the inotify subsystem contained watch removal race conditions. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2008-5182)

Dann Frazier discovered that in certain situations sendmsg did not correctly release allocated memory. A local attacker could exploit this to force the system to run out of free memory, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2008-5300)

It was discovered that the ATA subsystem did not correctly set timeouts. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2008-5700)

It was discovered that the ib700 watchdog timer did not correctly check buffer sizes. A local attacker could send a specially crafted ioctl to the device to cause a system crash, leading to a denial of service. (CVE-2008-5702)

It was discovered that in certain situations the network scheduler did not correctly handle very large levels of traffic. A local attacker could produce a high volume of UDP traffic resulting in a system hang, leading to a denial of service. Ubuntu 8.04 was not affected.
(CVE-2008-5713).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Hugo Dias discovered that the ATM subsystem did not correctly manage socket counts. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2008-5079)

It was discovered that the inotify subsystem contained watch removal race conditions. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2008-5182)

Dann Frazier discovered that in certain situations sendmsg did not correctly release allocated memory. A local attacker could exploit this to force the system to run out of free memory, leading to a denial of service. (CVE-2008-5300)

Helge Deller discovered that PA-RISC stack unwinding was not handled correctly. A local attacker could exploit this to crash the system, leading do a denial of service. This did not affect official Ubuntu kernels, but was fixed in the source for anyone performing HPPA kernel builds. (CVE-2008-5395)

It was discovered that the ATA subsystem did not correctly set timeouts. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2008-5700)

It was discovered that the ib700 watchdog timer did not correctly check buffer sizes. A local attacker could send a specially crafted ioctl to the device to cause a system crash, leading to a denial of service. (CVE-2008-5702).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix three security issues, address several hundred bugs and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 5. This is the third regular update.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel (the core of the Linux operating system)

These updated packages contain 730 bug fixes and enhancements for the Linux kernel. Space precludes a detailed description of each of these changes in this advisory and users are therefore directed to the release notes for Red Hat Enterprise Linux 5.3 for information on 97 of the most significant of these changes.

Details of three security-related bug fixes are set out below, along with notes on other broad categories of change not covered in the release notes. For more detailed information on specific bug fixes or enhancements, please consult the Bugzilla numbers listed in this advisory.

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue.
(CVE-2008-5029, Important)

* a flaw was found in the Asynchronous Transfer Mode (ATM) subsystem.
A local, unprivileged user could use the flaw to listen on the same socket more than once, possibly causing a denial of service.
(CVE-2008-5079, Important)

* a race condition was found in the Linux kernel 'inotify' watch removal and umount implementation. This could allow a local, unprivileged user to cause a privilege escalation or a denial of service. (CVE-2008-5182, Important)

* Bug fixes and enhancements are provided for :

* support for specific NICs, including products from the following manufacturers: Broadcom Chelsio Cisco Intel Marvell NetXen Realtek Sun

* Fiber Channel support, including support for Qlogic qla2xxx, qla4xxx, and qla84xx HBAs and the FCoE, FCP, and zFCP protocols.

* support for various CPUs, including: AMD Opteron processors with 45 nm SOI ('Shanghai') AMD Turion Ultra processors Cell processors Intel Core i7 processors

* Xen support, including issues specific to the IA64 platform, systems using AMD processors, and Dell Optiplex GX280 systems

* ext3, ext4, GFS2, NFS, and SPUFS

* Infiniband (including eHCA, eHEA, and IPoIB) support

* common I/O (CIO), direct I/O (DIO), and queued direct I/O (qdio) support

* the kernel distributed lock manager (DLM)

* hardware issues with: SCSI, IEEE 1394 (FireWire), RAID (including issues specific to Adaptec controllers), SATA (including NCQ), PCI, audio, serial connections, tape-drives, and USB

* ACPI, some of a general nature and some related to specific hardware including: certain Lenovo Thinkpad notebooks, HP DC7700 systems, and certain machines based on Intel Centrino processor technology.

* CIFS, including Kerberos support and a tech-preview of DFS support

* networking support, including IPv6, PPPoE, and IPSec

* support for Intel chipsets, including: Intel Cantiga chipsets Intel Eagle Lake chipsets Intel i915 chipsets Intel i965 chipsets Intel Ibex Peak chipsets Intel chipsets offering QuickPath Interconnects (QPI)

* device mapping issues, including some in device mapper itself

* various issues specific to IA64 and PPC

* CCISS, including support for Compaq SMART Array controllers P711m and P712m and other new hardware

* various issues affecting specific HP systems, including: DL785G5 XW4800 XW8600 XW8600 XW9400

* IOMMU support, including specific issues with AMD and IBM Calgary hardware

* the audit subsystem

* DASD support

* iSCSI support, including issues specific to Chelsio T3 adapters

* LVM issues

* SCTP management information base (MIB) support

* issues with: autofs, kdump, kobject_add, libata, lpar, ptrace, and utrace

* IBM Power platforms using Enhanced I/O Error Handling (EEH)

* EDAC issues for AMD K8 and Intel i5000

* ALSA, including support for new hardware

* futex support

* hugepage support

* Intelligent Platform Management Interface (IPMI) support

* issues affecting NEC/Stratus servers

* OFED support

* SELinux

* various Virtio issues

All users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-3528     Eugene Teo reported a local DoS issue in the ext2 and     ext3 filesystems. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a corrupted filesystem that causes the kernel     to output error messages in an infinite loop.

  - CVE-2008-4554     Milos Szeredi reported that the usage of splice() on     files opened with O_APPEND allows users to write to the     file at arbitrary offsets, enabling a bypass of possible     assumed semantics of the O_APPEND flag.

  - CVE-2008-4576     Vlad Yasevich reported an issue in the SCTP subsystem     that may allow remote users to cause a local DoS by     triggering a kernel oops.

  - CVE-2008-4618     Wei Yongjun reported an issue in the SCTP subsystem that     may allow remote users to cause a local DoS by     triggering a kernel panic.

  - CVE-2008-4933     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that causes the     kernel to overrun a buffer, resulting in a system oops     or memory corruption.

  - CVE-2008-4934     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that results in a     kernel oops due to an unchecked return value.

  - CVE-2008-5025     Eric Sesterhenn reported a local DoS issue in the hfs     filesystem. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a filesystem with a corrupted catalog name     length, resulting in a system oops or memory corruption.

  - CVE-2008-5029     Andrea Bittau reported a DoS issue in the unix socket     subsystem that allows a local user to cause memory     corruption, resulting in a kernel panic.

  - CVE-2008-5134     Johannes Berg reported a remote DoS issue in the     libertas wireless driver, which can be triggered by a     specially crafted beacon/probe response.

  - CVE-2008-5182     Al Viro reported race conditions in the inotify     subsystem that may allow local users to acquire elevated     privileges.

  - CVE-2008-5300     Dann Frazier reported a DoS condition that allows local     users to cause the out of memory handler to kill off     privileged processes or trigger soft lockups due to a     starvation issue in the unix socket subsystem.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2009-0014.

ID	Name	Product	Family	Severity
180612	Oracle Linux 5 : Oracle / Enterprise / Linux / 5.3 / kernel (ELSA-2009-0225)	Nessus	Oracle Linux Local Security Checks	medium
67955	Oracle Linux 3 : kernel (ELSA-2009-1550)	Nessus	Oracle Linux Local Security Checks	high
67790	Oracle Linux 4 : kernel (ELSA-2009-0014)	Nessus	Oracle Linux Local Security Checks	high
67070	CentOS 3 : kernel (CESA-2009:1550)	Nessus	CentOS Local Security Checks	high
63871	RHEL 5 : kernel (RHSA-2009:0021)	Nessus	Red Hat Local Security Checks	medium
60688	Scientific Linux Security Update : kernel on SL3.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60520	Scientific Linux Security Update : kernel on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
47150	VMSA-2010-0010 : ESX 3.5 third-party update for Service Console kernel	Nessus	VMware ESX Local Security Checks	high
43727	CentOS 4 : kernel (CESA-2009:0014)	Nessus	CentOS Local Security Checks	high
42360	RHEL 3 : kernel (RHSA-2009:1550)	Nessus	Red Hat Local Security Checks	high
40011	openSUSE Security Update : kernel (kernel-423)	Nessus	SuSE Local Security Checks	high
37568	Fedora 10 : kernel-2.6.27.9-159.fc10 (2008-11593)	Nessus	Fedora Local Security Checks	medium
37078	Mandriva Linux Security Advisory : kernel (MDVSA-2009:032)	Nessus	Mandriva Local Security Checks	medium
36454	Ubuntu 6.06 LTS / 7.10 / 8.04 LTS : linux-source-2.6.15/22, linux vulnerabilities (USN-714-1)	Nessus	Ubuntu Local Security Checks	critical
36279	Ubuntu 8.10 : linux vulnerabilities (USN-715-1)	Nessus	Ubuntu Local Security Checks	high
35434	RHEL 5 : kernel (RHSA-2009:0225)	Nessus	Red Hat Local Security Checks	medium
35381	RHEL 4 : kernel (RHSA-2009:0014)	Nessus	Red Hat Local Security Checks	high
35264	Fedora 9 : kernel-2.6.27.9-73.fc9 (2008-11618)	Nessus	Fedora Local Security Checks	medium
35036	Debian DSA-1681-1 : linux-2.6.24 - denial of service/privilege escalation	Nessus	Debian Local Security Checks	critical
801465	CentOS RHSA-2009-0014 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2008-5300

medium

Tenable Plugins

medium

high

high

high

medium

high

high

high

high

high

high

medium

medium

critical

high

medium

high

medium

critical

high