The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2009-1243 advisory.

  - The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28     before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs)     operation, which might allow local users to cause a denial of service (OOPS) by arranging for crafted     values to be present in available memory. (CVE-2009-0745)

  - The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28     before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of     service (OOPS) by attempting to mount a crafted ext4 filesystem. (CVE-2009-0746)

  - The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before     2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows     local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount     a crafted ext4 filesystem. (CVE-2009-0747)

  - The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28     before 2.6.28.7 does not validate the superblock configuration, which allows local users to cause a denial     of service (NULL pointer dereference and OOPS) by attempting to mount a crafted ext4 filesystem.
    (CVE-2009-0748)

  - The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before     2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which     allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.
    (CVE-2009-2847)

  - The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the     current->clear_child_tid pointer, which allows local users to cause a denial of service (memory     corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or     CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.
    (CVE-2009-2848)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :

  - Apache Geronimo
  - Apache Tomcat
  - Apache Xerces2
  - cURL/libcURL
  - ISC BIND
  - Libxml2
  - Linux kernel
  - Linux kernel 64-bit
  - Linux kernel Common Internet File System
  - Linux kernel eCryptfs
  - NTP
  - Python
  - Java Runtime Environment (JRE)
  - Java SE Development Kit (JDK)
  - Java SE Abstract Window Toolkit (AWT)
  - Java SE Plugin
  - Java SE Provider
  - Java SE Swing
  - Java SE Web Start

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0039 for details.

From Red Hat Security Advisory 2009:1438 :

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.
(CVE-2009-1895, Important)

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* Solar Designer reported a missing capability check in the z90crypt driver in the Linux kernel. This missing check could allow a local user with an effective user ID (euid) of 0 to bypass intended capability restrictions. (CVE-2009-1883, Moderate)

* a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. On 64-bit machines, this flaw could lead to a four-byte information leak.
(CVE-2009-2847, Moderate)

This update also fixes the following bugs :

* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#517964)

* the Emulex LPFC driver has been updated to version 8.0.16.47, which fixes a memory leak that caused memory allocation failures and system hangs. (BZ#513192)

* an error in the MPT Fusion driver makefile caused CSMI ioctls to not work with Serial Attached SCSI devices. (BZ#516184)

* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer deference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#517904)

* time-outs resulted in I/O errors being logged to '/var/log/messages' when running 'mt erase' on tape drives using certain LSI MegaRAID SAS adapters, preventing the command from completing. The megaraid_sas driver's timeout value is now set to the OS layer value. (BZ#517965)

* a locking issue caused the qla2xxx ioctl module to hang after encountering errors. This locking issue has been corrected. This ioctl module is used by the QLogic SAN management tools, such as SANsurfer and scli. (BZ#519428)

* when a RAID 1 array that uses the mptscsi driver and the LSI 1030 controller became degraded, the whole array was detected as being offline, which could cause kernel panics at boot or data loss.
(BZ#517295)

* on 32-bit architectures, if a file was held open and frequently written for more than 25 days, it was possible that the kernel would stop flushing those writes to storage. (BZ#515255)

* a memory allocation bug in ib_mthca prevented the driver from loading if it was loaded with large values for the 'num_mpt=' and 'num_mtt=' options. (BZ#518707)

* with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#519692)

* a bug in __ptrace_unlink() caused it to create deadlocked and unkillable processes. (BZ#519446)

* previously, multiple threads using the fcntl() F_SETLK command to synchronize file access caused a deadlock in posix_locks_deadlock().
This could cause a system hang. (BZ#519429)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 5.3 Extended Update Support.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update includes backported fixes for two security issues. These issues only affected users of Red Hat Enterprise Linux 5.3 Extended Update Support as they have already been addressed for users of Red Hat Enterprise Linux 5 in the 5.4 update, RHSA-2009:1243.

In accordance with the support policy, future security updates to Red Hat Enterprise Linux 5.3 Extended Update Support will only include issues of critical security impact.

This update fixes the following security issues :

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. On 64-bit machines, this flaw could lead to a four-byte information leak.
(CVE-2009-2847, Moderate)

This update also fixes the following bugs :

* a regression was found in the SCSI retry logic: SCSI mode select was not retried when retryable errors were encountered. In Device-Mapper Multipath environments, this could cause paths to fail, or possibly prevent successful failover. (BZ#506905)

* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers, and keeping these checks is considered a safety measure. (BZ#515468)

* due to incorrect APIC timer calibration, a system hang could have occurred while booting certain systems. This incorrect timer calibration could have also caused the system time to become faster or slower. With this update, it is still possible for APIC timer calibration issues to occur; however, a clear warning is now provided if they do. (BZ#521237)

* gettimeofday() experienced poor performance (which caused performance problems for applications using gettimeofday()) when running on hypervisors that use hardware assisted virtualization. With this update, MFENCE/LFENCE is used instead of CPUID for gettimeofday() serialization, which resolves this issue. (BZ#523280)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-2846     Michael Buesch noticed a typing issue in the eisa-eeprom     driver for the hppa architecture. Local users could     exploit this issue to gain access to restricted memory.

  - CVE-2009-2847     Ulrich Drepper noticed an issue in the do_sigalstack     routine on 64-bit systems. This issue allows local users     to gain access to potentially sensitive memory on the     kernel stack.

  - CVE-2009-2848     Eric Dumazet discovered an issue in the execve path,     where the clear_child_tid variable was not being     properly cleared. Local users could exploit this issue     to cause a denial of service (memory corruption).

  - CVE-2009-2849     Neil Brown discovered an issue in the sysfs interface to     md devices. When md arrays are not active, local users     can exploit this vulnerability to cause a denial of     service (oops).

  - CVE-2009-2903     Mark Smith discovered a memory leak in the appletalk     implementation. When the appletalk and ipddp modules are     loaded, but no ipddp'N' device is found, remote     attackers can cause a denial of service by consuming     large amounts of system memory.

  - CVE-2009-2908     Loic Minier discovered an issue in the eCryptfs     filesystem. A local user can cause a denial of service     (kernel oops) by causing a dentry value to go negative.

  - CVE-2009-2909     Arjan van de Ven discovered an issue in the AX.25     protocol implementation. A specially crafted call to     setsockopt() can result in a denial of service (kernel     oops).

  - CVE-2009-2910     Jan Beulich discovered the existence of a sensitive     kernel memory leak. Systems running the 'amd64' kernel     do not properly sanitize registers for 32-bit processes.

  - CVE-2009-3001     Jiri Slaby fixed a sensitive memory leak issue in the     ANSI/IEEE 802.2 LLC implementation. This is not     exploitable in the Debian lenny kernel as root     privileges are required to exploit this issue.

  - CVE-2009-3002     Eric Dumazet fixed several sensitive memory leaks in the     IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and     Controller Area Network (CAN) implementations. Local     users can exploit these issues to gain access to kernel     memory.

  - CVE-2009-3228     Eric Dumazet reported an instance of uninitialized     kernel memory in the network packet scheduler. Local     users may be able to exploit this issue to read the     contents of sensitive kernel memory.

  - CVE-2009-3238     Linus Torvalds provided a change to the get_random_int()     function to increase its randomness.

  - CVE-2009-3286     Eric Paris discovered an issue with the NFSv4 server     implementation. When an O_EXCL create fails, files may     be left with corrupted permissions, possibly granting     unintentional privileges to other local users.

  - CVE-2009-3547     Earl Chew discovered a NULL pointer dereference issue in     the pipe_rdwr_open function which can be used by local     users to gain elevated privileges.

  - CVE-2009-3612     Jiri Pirko discovered a typo in the initialization of a     structure in the netlink subsystem that may allow local     users to gain access to sensitive kernel memory.

  - CVE-2009-3613     Alistair Strachan reported an issue in the r8169 driver.
    Remote users can cause a denial of service (IOMMU space     exhaustion and system crash) by transmitting a large     amount of jumbo frames.

  - CVE-2009-3620     Ben Hutchings discovered an issue in the DRM manager for     ATI Rage 128 graphics adapters. Local users may be able     to exploit this vulnerability to cause a denial of     service (NULL pointer dereference).

  - CVE-2009-3621     Tomoki Sekiyama discovered a deadlock condition in the     UNIX domain socket implementation. Local users can     exploit this vulnerability to cause a denial of service     (system hang).

Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service, privilege escalation or a leak of sensitive memory. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-2698     Herbert Xu discovered an issue in the way UDP tracks     corking status that could allow local users to cause a     denial of service (system crash). Tavis Ormandy and     Julien Tinnes discovered that this issue could also be     used by local users to gain elevated privileges.

  - CVE-2009-2846     Michael Buesch noticed a typing issue in the eisa-eeprom     driver for the hppa architecture. Local users could     exploit this issue to gain access to restricted memory.

  - CVE-2009-2847     Ulrich Drepper noticed an issue in the do_sigalstack     routine on 64-bit systems. This issue allows local users     to gain access to potentially sensitive memory on the     kernel stack.

  - CVE-2009-2848     Eric Dumazet discovered an issue in the execve path,     where the clear_child_tid variable was not being     properly cleared. Local users could exploit this issue     to cause a denial of service (memory corruption).

  - CVE-2009-2849     Neil Brown discovered an issue in the sysfs interface to     md devices. When md arrays are not active, local users     can exploit this vulnerability to cause a denial of     service (oops).

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.
(CVE-2009-1895, Important)

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* Solar Designer reported a missing capability check in the z90crypt driver in the Linux kernel. This missing check could allow a local user with an effective user ID (euid) of 0 to bypass intended capability restrictions. (CVE-2009-1883, Moderate)

* a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. On 64-bit machines, this flaw could lead to a four-byte information leak.
(CVE-2009-2847, Moderate)

This update also fixes the following bugs :

* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#517964)

* the Emulex LPFC driver has been updated to version 8.0.16.47, which fixes a memory leak that caused memory allocation failures and system hangs. (BZ#513192)

* an error in the MPT Fusion driver makefile caused CSMI ioctls to not work with Serial Attached SCSI devices. (BZ#516184)

* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer deference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#517904)

* time-outs resulted in I/O errors being logged to '/var/log/messages' when running 'mt erase' on tape drives using certain LSI MegaRAID SAS adapters, preventing the command from completing. The megaraid_sas driver's timeout value is now set to the OS layer value. (BZ#517965)

* a locking issue caused the qla2xxx ioctl module to hang after encountering errors. This locking issue has been corrected. This ioctl module is used by the QLogic SAN management tools, such as SANsurfer and scli. (BZ#519428)

* when a RAID 1 array that uses the mptscsi driver and the LSI 1030 controller became degraded, the whole array was detected as being offline, which could cause kernel panics at boot or data loss.
(BZ#517295)

* on 32-bit architectures, if a file was held open and frequently written for more than 25 days, it was possible that the kernel would stop flushing those writes to storage. (BZ#515255)

* a memory allocation bug in ib_mthca prevented the driver from loading if it was loaded with large values for the 'num_mpt=' and 'num_mtt=' options. (BZ#518707)

* with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#519692)

* a bug in __ptrace_unlink() caused it to create deadlocked and unkillable processes. (BZ#519446)

* previously, multiple threads using the fcntl() F_SETLK command to synchronize file access caused a deadlock in posix_locks_deadlock().
This could cause a system hang. (BZ#519429)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that fix security issues, address several hundred bugs and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 5. This is the fourth regular update.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following security issues :

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. On 64-bit machines, this flaw could lead to a four-byte information leak.
(CVE-2009-2847, Moderate)

* a flaw was found in the ext4 file system code. A local attacker could use this flaw to cause a denial of service by performing a resize operation on a specially crafted ext4 file system.
(CVE-2009-0745, Low)

* multiple flaws were found in the ext4 file system code. A local attacker could use these flaws to cause a denial of service by mounting a specially crafted ext4 file system. (CVE-2009-0746, CVE-2009-0747, CVE-2009-0748, Low)

These updated packages also include several hundred bug fixes for and enhancements to the Linux kernel. Space precludes documenting each of these changes in this advisory and users are directed to the Red Hat Enterprise Linux 5.4 Release Notes for information on the most significant of these changes :

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/ Release_Notes/

Also, for details concerning every bug fixed in and every enhancement added to the kernel for this release, see the kernel chapter in the Red Hat Enterprise Linux 5.4 Technical Notes :

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/ Technical_Notes/kernel.html

All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which address these vulnerabilities as well as fixing the bugs and adding the enhancements noted in the Red Hat Enterprise Linux 5.4 Release Notes and Technical Notes. The system must be rebooted for this update to take effect.

a. JRE Security Update

  JRE update to version 1.5.0_20, which addresses multiple security   issues that existed in earlier releases of JRE.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,   CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,   CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,   CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,   CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,   CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,   CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

b. Update Apache Tomcat version

  Update for VirtualCenter and ESX patch update the Tomcat package to   version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5)   which addresses multiple security issues that existed   in the previous version of Apache Tomcat.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515,   CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.18:  CVE-2008-1232, CVE-2008-1947, CVE-2008-2370.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.16:  CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,   CVE-2007-6286, CVE-2008-0002.
  c. Third-party library update for ntp.
   The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the   following security issue. Note that the same security issue is   present in the ESX Service Console as described in section d. of   this advisory.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   The NTP security issue identified by CVE-2009-0159 is not relevant   for ESXi 3.5 and ESXi 4.0.
 d. Service Console update for ntp

  Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2    The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   The Service Console present in ESX is affected by the following   security issues.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   NTP authentication is not enabled by default on the Service Console.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   A buffer overflow flaw was found in the ntpq diagnostic command. A   malicious, remote server could send a specially crafted reply to an   ntpq request that could crash ntpq or, potentially, execute   arbitrary code with the privileges of the user running the ntpq   command.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-0159 to this issue.
  e. Updated Service Console package kernel

  Updated Service Console package kernel addresses the security   issues listed below.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028,   CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676,   CVE-2009-0778 to the security issues fixed in kernel   2.6.18-128.1.6.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337,   CVE-2009-0787, CVE-2009-1336 to the security issues fixed in   kernel 2.6.18-128.1.10.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072,   CVE-2009-1630, CVE-2009-1192 to the security issues fixed in   kernel 2.6.18-128.1.14.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388,   CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the   security issues fixed in kernel 2.6.18-128.4.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2692, CVE-2009-2698 to the   security issues fixed in kernel 2.6.18-128.7.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747,   CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues   fixed in kernel 2.6.18-164.

 f. Updated Service Console package python

  Service Console package Python update to version 2.4.3-24.el5.

  When the assert() system call was disabled, an input sanitization   flaw was revealed in the Python string object implementation that   led to a buffer overflow. The missing check for negative size values   meant the Python memory allocator could allocate less memory than   expected. This could result in arbitrary code execution with the   Python interpreter's privileges.

  Multiple buffer and integer overflow flaws were found in the Python   Unicode string processing and in the Python Unicode and string   object implementations. An attacker could use these flaws to cause   a denial of service.

  Multiple integer overflow flaws were found in the Python imageop   module. If a Python application used the imageop module to   process untrusted images, it could cause the application to   disclose sensitive information, crash or, potentially, execute   arbitrary code with the Python interpreter's privileges.

  Multiple integer underflow and overflow flaws were found in the   Python snprintf() wrapper implementation. An attacker could use   these flaws to cause a denial of service (memory corruption).

  Multiple integer overflow flaws were found in various Python   modules. An attacker could use these flaws to cause a denial of   service.

  An integer signedness error, leading to a buffer overflow, was   found in the Python zlib extension module. If a Python application   requested the negative byte count be flushed for a decompression   stream, it could cause the application to crash or, potentially,   execute arbitrary code with the Python interpreter's privileges.

  A flaw was discovered in the strxfrm() function of the Python   locale module. Strings generated by this function were not properly   NULL-terminated, which could possibly cause disclosure of data   stored in the memory of a Python application using this function.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721   CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143   CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues.

 g. Updated Service Console package bind

  Service Console package bind updated to version 9.3.6-4.P1.el5

  The Berkeley Internet Name Domain (BIND) is an implementation of the   Domain Name System (DNS) protocols. BIND includes a DNS server   (named); a resolver library (routines for applications to use when   interfacing with DNS); and tools for verifying that the DNS server   is operating correctly.

  A flaw was found in the way BIND handles dynamic update message   packets containing the 'ANY' record type. A remote attacker could   use this flaw to send a specially crafted dynamic update packet   that could cause named to exit with an assertion failure.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-0696 to this issue.

 h. Updated Service Console package libxml2

  Service Console package libxml2 updated to version 2.6.26-2.1.2.8.

  libxml is a library for parsing and manipulating XML files. A   Document Type Definition (DTD) defines the legal syntax (and also   which elements can be used) for certain types of files, such as XML   files.

  A stack overflow flaw was found in the way libxml processes the   root XML document element definition in a DTD. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  Multiple use-after-free flaws were found in the way libxml parses   the Notation and Enumeration attribute types. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2414 and CVE-2009-2416 to these   issues.

 i. Updated Service Console package curl

  Service Console package curl updated to version 7.15.5-2.1.el5_3.5

  A cURL is affected by the previously published 'null prefix attack',   caused by incorrect handling of NULL characters in X.509   certificates. If an attacker is able to get a carefully-crafted   certificate signed by a trusted Certificate Authority, the attacker   could use the certificate during a man-in-the-middle attack and   potentially confuse cURL into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2417 to this issue

 j. Updated Service Console package gnutls

  Service Console package gnutil updated to version 1.4.1-3.el5_3.5

  A flaw was discovered in the way GnuTLS handles NULL characters in   certain fields of X.509 certificates. If an attacker is able to get   a carefully-crafted certificate signed by a Certificate Authority   trusted by an application using GnuTLS, the attacker could use the   certificate during a man-in-the-middle attack and potentially   confuse the application into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2730 to this issue

Solar Designer discovered that the z90crypt driver did not correctly check capabilities. A local attacker could exploit this to shut down the device, leading to a denial of service. Only affected Ubuntu 6.06.
(CVE-2009-1883)

Michael Buesch discovered that the SGI GRU driver did not correctly check the length when setting options. A local attacker could exploit this to write to the kernel stack, leading to root privilege escalation or a denial of service. Only affected Ubuntu 8.10 and 9.04.
(CVE-2009-2584)

It was discovered that SELinux did not fully implement the mmap_min_addr restrictions. A local attacker could exploit this to allocate the NULL memory page which could lead to further attacks against kernel NULL-dereference vulnerabilities. Ubuntu 6.06 was not affected. (CVE-2009-2695)

Cagri Coltekin discovered that the UDP stack did not correctly handle certain flags. A local user could send specially crafted commands and traffic to gain root privileges or crash the systeam, leading to a denial of service. Only affected Ubuntu 6.06. (CVE-2009-2698)

Hiroshi Shimamoto discovered that monotonic timers did not correctly validate parameters. A local user could make a specially crafted timer request to gain root privileges or crash the system, leading to a denial of service. Only affected Ubuntu 9.04. (CVE-2009-2767)

Michael Buesch discovered that the HPPA ISA EEPROM driver did not correctly validate positions. A local user could make a specially crafted request to gain root privileges or crash the system, leading to a denial of service. (CVE-2009-2846)

Ulrich Drepper discovered that kernel signal stacks were not being correctly padded on 64-bit systems. A local attacker could send specially crafted calls to expose 4 bytes of kernel stack memory, leading to a loss of privacy. (CVE-2009-2847)

Jens Rosenboom discovered that the clone method did not correctly clear certain fields. A local attacker could exploit this to gain privileges or crash the system, leading to a denial of service.
(CVE-2009-2848)

It was discovered that the MD driver did not check certain sysfs files. A local attacker with write access to /sys could exploit this to cause a system crash, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-2849)

Mark Smith discovered that the AppleTalk stack did not correctly manage memory. A remote attacker could send specially crafted traffic to cause the system to consume all available memory, leading to a denial of service. (CVE-2009-2903)

Loic Minier discovered that eCryptfs did not correctly handle writing to certain deleted files. A local attacker could exploit this to gain root privileges or crash the system, leading to a denial of service.
Ubuntu 6.06 was not affected. (CVE-2009-2908)

It was discovered that the LLC, AppleTalk, IR, EConet, Netrom, and ROSE network stacks did not correctly initialize their data structures. A local attacker could make specially crafted calls to read kernel memory, leading to a loss of privacy. (CVE-2009-3001, CVE-2009-3002)

It was discovered that the randomization used for Address Space Layout Randomization was predictable within a small window of time. A local attacker could exploit this to leverage further attacks that require knowledge of userspace memory layouts. (CVE-2009-3238)

Eric Paris discovered that NFSv4 did not correctly handle file creation failures. An attacker with write access to an NFSv4 share could exploit this to create files with arbitrary mode bits, leading to privilege escalation or a loss of privacy. (CVE-2009-3286)

Bob Tracy discovered that the SCSI generic driver did not correctly use the right index for array access. A local attacker with write access to a CDR could exploit this to crash the system, leading to a denial of service. Only Ubuntu 9.04 was affected. (CVE-2009-3288)

Jan Kiszka discovered that KVM did not correctly validate certain hypercalls. A local unprivileged attacker in a virtual guest could exploit this to crash the guest kernel, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-3290).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to kernel 2.6.27.35:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.31 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.32 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.33 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.34 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.35

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fixes: - CVE-2009-2691: Information disclosure in proc filesystem - CVE-2009-2848: execve: must clear current->child_tid - CVE-2009-2849: md: NULL pointer dereference - CVE-2009-2847:
Information leak in do_sigaltstack Restore missing LIRC drivers, dropped in previous release. Backport upstream fixes that further improve the security of mmap of low addresses. (CVE-2009-2695)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2009-1438.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2009-1243.

ID	Name	Product	Family	Severity
180611	Oracle Linux 5 : Oracle / Enterprise / Linux / 5.4 / kernel (ELSA-2009-1243)	Nessus	Oracle Linux Local Security Checks	high
89117	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)	Nessus	Misc.	critical
79507	OracleVM 2.2 : kernel (OVMSA-2013-0039)	Nessus	OracleVM Local Security Checks	high
67925	Oracle Linux 4 : kernel (ELSA-2009-1438)	Nessus	Oracle Linux Local Security Checks	high
63898	RHEL 5 : kernel (RHSA-2009:1466)	Nessus	Red Hat Local Security Checks	medium
44793	Debian DSA-1928-1 : linux-2.6.24 - privilege escalation/denial of service/sensitive memory leak	Nessus	Debian Local Security Checks	high
44737	Debian DSA-1872-1 : linux-2.6 - denial of service/privilege escalation/information leak	Nessus	Debian Local Security Checks	high
43790	CentOS 4 : kernel (CESA-2009:1438)	Nessus	CentOS Local Security Checks	high
43779	CentOS 5 : kernel (CESA-2009:1243)	Nessus	CentOS Local Security Checks	medium
42870	VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.	Nessus	VMware ESX Local Security Checks	medium
42209	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerabilities (USN-852-1)	Nessus	Ubuntu Local Security Checks	high
41973	Fedora 10 : kernel-2.6.27.35-170.2.94.fc10 (2009-10165)	Nessus	Fedora Local Security Checks	high
40998	RHEL 4 : kernel (RHSA-2009:1438)	Nessus	Red Hat Local Security Checks	high
40835	RHEL 5 : kernel (RHSA-2009:1243)	Nessus	Red Hat Local Security Checks	medium
40780	Fedora 11 : kernel-2.6.29.6-217.2.16.fc11 (2009-9044)	Nessus	Fedora Local Security Checks	high
801476	CentOS RHSA-2009-1438 Security Check	Log Correlation Engine	Generic	high
801475	CentOS RHSA-2009-1243 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2009-2847

medium

Tenable Plugins

high

critical

high

high

medium

high

high

high

medium

medium

high

high

high

medium

high

high

high