The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several components and third-party libraries :

  - libpng
  - VMnc Codec
  - vmrun
  - VMware Remote Console (VMrc)
  - VMware Tools
  - vmware-authd

The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :

  - bind
  - expat
  - glib2
  - Kernel
  - newt
  - nfs-utils
  - NTP
  - OpenSSH
  - OpenSSL

The remote OracleVM system is missing necessary patches to address critical security updates :

  - [security] require root for mmap_min_addr (Eric Paris)     [518142 518143] (CVE-2009-2695)

  - [md] prevent crash when accessing suspend_* sysfs attr     (Danny Feng) [518135 518136] (CVE-2009-2849)

  - [nfs] knfsd: fix NFSv4 O_EXCL creates (Jeff Layton)     [522163 524521] (CVE-2009-3286)

  - [fs] fix pipe null pointer dereference (Jeff Moyer)     [530938 530939] (CVE-2009-3547)

  - [net] r8169: balance pci_map/unmap pair, use hw padding     (Ivan Vecera) [529143 515857] (CVE-2009-3613)

  - [net] tc: fix uninitialized kernel memory leak (Jiri     Pirko) [520994 520863](CVE-2009-3228)

From Red Hat Security Advisory 2009:1550 :

Updated kernel packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise Linux 3.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue.
(CVE-2008-5029, Important)

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important)

* a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.
(CVE-2009-1895, Important)

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* missing initialization flaws were found in getname() implementations in the IrDA sockets, AppleTalk DDP protocol, NET/ROM protocol, and ROSE protocol implementations in the Linux kernel. Certain data structures in these getname() implementations were not initialized properly before being copied to user-space. These flaws could lead to an information leak. (CVE-2009-3002, Important)

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

Bug fixes :

* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#512642)

* a bridge reference count problem in IPv6 has been fixed. (BZ#457010)

* enforce null-termination of user-supplied arguments to setsockopt().
(BZ#505514)

* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#511185)

* a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#520300)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2009:1548 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* a system with SELinux enforced was more permissive in allowing local users in the unconfined_t domain to map low memory areas even if the mmap_min_addr restriction was enabled. This could aid in the local exploitation of NULL pointer dereference bugs. (CVE-2009-2695, Important)

* a NULL pointer dereference flaw was found in the eCryptfs implementation in the Linux kernel. A local attacker could use this flaw to cause a local denial of service or escalate their privileges.
(CVE-2009-2908, Important)

* a flaw was found in the NFSv4 implementation. The kernel would do an unnecessary permission check after creating a file. This check would usually fail and leave the file with the permission bits set to random values. Note: This is a server-side only issue. (CVE-2009-3286, Important)

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

* a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. pci_unmap_single() presented a memory leak that could lead to IOMMU space exhaustion and a system crash. An attacker on the local network could abuse this flaw by using jumbo frames for large amounts of network traffic. (CVE-2009-3613, Important)

* missing initialization flaws were found in the Linux kernel. Padding data in several core network structures was not initialized properly before being sent to user-space. These flaws could lead to information leaks. (CVE-2009-3228, Moderate)

Bug fixes :

* with network bonding in the 'balance-tlb' or 'balance-alb' mode, the primary setting for the primary slave device was lost when said device was brought down. Bringing the slave back up did not restore the primary setting. (BZ#517971)

* some faulty serial device hardware caused systems running the kernel-xen kernel to take a very long time to boot. (BZ#524153)

* a caching bug in nfs_readdir() may have caused NFS clients to see duplicate files or not see all files in a directory. (BZ#526960)

* the RHSA-2009:1243 update removed the mpt_msi_enable option, preventing certain scripts from running. This update adds the option back. (BZ#526963)

* an iptables rule with the recent module and a hit count value greater than the ip_pkt_list_tot parameter (the default is 20), did not have any effect over packets, as the hit count could not be reached. (BZ#527434)

* a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#527436)

* a kernel panic occurred in certain conditions after reconfiguring a tape drive's block size. (BZ#528133)

* when using the Linux Virtual Server (LVS) in a master and backup configuration, and propagating active connections on the master to the backup, the connection timeout value on the backup was hard-coded to 180 seconds, meaning connection information on the backup was soon lost. This could prevent the successful failover of connections. The timeout value can now be set via 'ipvsadm --set'. (BZ#528645)

* a bug in nfs4_do_open_expired() could have caused the reclaimer thread on an NFSv4 client to enter an infinite loop. (BZ#529162)

* MSI interrupts may not have been delivered for r8169 based network cards that have MSI interrupts enabled. This bug only affected certain systems. (BZ#529366)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2009:1541 :

Updated kernel packages that fix security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

Users should upgrade to these updated packages, which contain a backported patch to correct these issues. The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2009:1522 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* multiple, missing initialization flaws were found in the Linux kernel. Padding data in several core network structures was not initialized properly before being sent to user-space. These flaws could lead to information leaks. (CVE-2005-4881, CVE-2009-3228, Moderate)

This update also fixes the following bugs :

* a packet duplication issue was fixed via the RHSA-2008:0665 update;
however, the fix introduced a problem for systems using network bonding: Backup slaves were unable to receive ARP packets. When using network bonding in the 'active-backup' mode and with the 'arp_validate=3' option, the bonding driver considered such backup slaves as being down (since they were not receiving ARP packets), preventing successful failover to these devices. (BZ#519384)

* due to insufficient memory barriers in the network code, a process sleeping in select() may have missed notifications about new data. In rare cases, this bug may have caused a process to sleep forever.
(BZ#519386)

* the driver version number in the ata_piix driver was not changed between Red Hat Enterprise Linux 4.7 and Red Hat Enterprise Linux 4.8, even though changes had been made between these releases. This could have prevented the driver from loading on systems that check driver versions, as this driver appeared older than it was. (BZ#519389)

* a bug in nlm_lookup_host() could have led to un-reclaimed locks on file systems, resulting in the umount command failing. This bug could have also prevented NFS services from being relocated correctly in clustered environments. (BZ#519656)

* the data buffer ethtool_get_strings() allocated, for the igb driver, was smaller than the amount of data that was copied in igb_get_strings(), because of a miscalculation in IGB_QUEUE_STATS_LEN, resulting in memory corruption. This bug could have led to a kernel panic. (BZ#522738)

* in some situations, write operations to a TTY device were blocked even when the O_NONBLOCK flag was used. A reported case of this issue occurred when a single TTY device was opened by two users (one using blocking mode, and the other using non-blocking mode). (BZ#523930)

* a deadlock was found in the cciss driver. In rare cases, this caused an NMI lockup during boot. Messages such as 'cciss: controller cciss[x] failed, stopping.' and 'cciss[x]: controller not responding.' may have been displayed on the console. (BZ#525725)

* on 64-bit PowerPC systems, a rollover bug in the ibmveth driver could have caused a kernel panic. In a reported case, this panic occurred on a system with a large uptime and under heavy network load.
(BZ#527225)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise Linux 3.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue.
(CVE-2008-5029, Important)

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important)

* a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.
(CVE-2009-1895, Important)

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* missing initialization flaws were found in getname() implementations in the IrDA sockets, AppleTalk DDP protocol, NET/ROM protocol, and ROSE protocol implementations in the Linux kernel. Certain data structures in these getname() implementations were not initialized properly before being copied to user-space. These flaws could lead to an information leak. (CVE-2009-3002, Important)

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

Bug fixes :

* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#512642)

* a bridge reference count problem in IPv6 has been fixed. (BZ#457010)

* enforce null-termination of user-supplied arguments to setsockopt().
(BZ#505514)

* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#511185)

* a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#520300)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* a system with SELinux enforced was more permissive in allowing local users in the unconfined_t domain to map low memory areas even if the mmap_min_addr restriction was enabled. This could aid in the local exploitation of NULL pointer dereference bugs. (CVE-2009-2695, Important)

* a NULL pointer dereference flaw was found in the eCryptfs implementation in the Linux kernel. A local attacker could use this flaw to cause a local denial of service or escalate their privileges.
(CVE-2009-2908, Important)

* a flaw was found in the NFSv4 implementation. The kernel would do an unnecessary permission check after creating a file. This check would usually fail and leave the file with the permission bits set to random values. Note: This is a server-side only issue. (CVE-2009-3286, Important)

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

* a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. pci_unmap_single() presented a memory leak that could lead to IOMMU space exhaustion and a system crash. An attacker on the local network could abuse this flaw by using jumbo frames for large amounts of network traffic. (CVE-2009-3613, Important)

* missing initialization flaws were found in the Linux kernel. Padding data in several core network structures was not initialized properly before being sent to user-space. These flaws could lead to information leaks. (CVE-2009-3228, Moderate)

Bug fixes :

* with network bonding in the 'balance-tlb' or 'balance-alb' mode, the primary setting for the primary slave device was lost when said device was brought down. Bringing the slave back up did not restore the primary setting. (BZ#517971)

* some faulty serial device hardware caused systems running the kernel-xen kernel to take a very long time to boot. (BZ#524153)

* a caching bug in nfs_readdir() may have caused NFS clients to see duplicate files or not see all files in a directory. (BZ#526960)

* the RHSA-2009:1243 update removed the mpt_msi_enable option, preventing certain scripts from running. This update adds the option back. (BZ#526963)

* an iptables rule with the recent module and a hit count value greater than the ip_pkt_list_tot parameter (the default is 20), did not have any effect over packets, as the hit count could not be reached. (BZ#527434)

* a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#527436)

* a kernel panic occurred in certain conditions after reconfiguring a tape drive's block size. (BZ#528133)

* when using the Linux Virtual Server (LVS) in a master and backup configuration, and propagating active connections on the master to the backup, the connection timeout value on the backup was hard-coded to 180 seconds, meaning connection information on the backup was soon lost. This could prevent the successful failover of connections. The timeout value can now be set via 'ipvsadm --set'. (BZ#528645)

* a bug in nfs4_do_open_expired() could have caused the reclaimer thread on an NFSv4 client to enter an infinite loop. (BZ#529162)

* MSI interrupts may not have been delivered for r8169 based network cards that have MSI interrupts enabled. This bug only affected certain systems. (BZ#529366)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that fix security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

Users should upgrade to these updated packages, which contain a backported patch to correct these issues. The system must be rebooted for this update to take effect.

CVE-2009-2695 kernel: SELinux and mmap_min_addr

CVE-2009-3228 kernel: tc: uninitialised kernel memory leak

CVE-2009-3286 kernel: O_EXCL creates on NFSv4 are broken

CVE-2009-2908 kernel ecryptfs NULL pointer dereference

CVE-2009-3613 kernel: flood ping cause out-of-iommu error and panic when mtu larger than 1500

CVE-2009-3547 kernel: fs: pipe.c NULL pointer dereference

Security fixes :

  - a system with SELinux enforced was more permissive in     allowing local users in the unconfined_t domain to map     low memory areas even if the mmap_min_addr restriction     was enabled. This could aid in the local exploitation of     NULL pointer dereference bugs. (CVE-2009-2695,     Important)

  - a NULL pointer dereference flaw was found in the     eCryptfs implementation in the Linux kernel. A local     attacker could use this flaw to cause a local denial of     service or escalate their privileges. (CVE-2009-2908,     Important)

  - a flaw was found in the NFSv4 implementation. The kernel     would do an unnecessary permission check after creating     a file. This check would usually fail and leave the file     with the permission bits set to random values. Note:
    This is a server-side only issue. (CVE-2009-3286,     Important)

  - a NULL pointer dereference flaw was found in each of the     following functions in the Linux kernel:
    pipe_read_open(), pipe_write_open(), and     pipe_rdwr_open(). When the mutex lock is not held, the     i_pipe pointer could be released by other processes     before it is used to update the pipe's reader and writer     counters. This could lead to a local denial of service     or privilege escalation. (CVE-2009-3547, Important)

  - a flaw was found in the Realtek r8169 Ethernet driver in     the Linux kernel. pci_unmap_single() presented a memory     leak that could lead to IOMMU space exhaustion and a     system crash. An attacker on the local network could     abuse this flaw by using jumbo frames for large amounts     of network traffic. (CVE-2009-3613, Important)

  - missing initialization flaws were found in the Linux     kernel. Padding data in several core network structures     was not initialized properly before being sent to     user-space. These flaws could lead to information leaks.
    (CVE-2009-3228, Moderate)

Bug fixes :

  - with network bonding in the 'balance-tlb' or     'balance-alb' mode, the primary setting for the primary     slave device was lost when said device was brought down.
    Bringing the slave back up did not restore the primary     setting. (BZ#517971)

  - some faulty serial device hardware caused systems     running the kernel-xen kernel to take a very long time     to boot. (BZ#524153)

  - a caching bug in nfs_readdir() may have caused NFS     clients to see duplicate files or not see all files in a     directory. (BZ#526960)

  - the RHSA-2009:1243 update removed the mpt_msi_enable     option, preventing certain scripts from running. This     update adds the option back. (BZ#526963)

  - an iptables rule with the recent module and a hit count     value greater than the ip_pkt_list_tot parameter (the     default is 20), did not have any effect over packets, as     the hit count could not be reached. (BZ#527434)

  - a check has been added to the IPv4 code to make sure     that rt is not NULL, to help prevent future bugs in     functions that call ip_append_data() from being     exploitable. (BZ#527436)

  - a kernel panic occurred in certain conditions after     reconfiguring a tape drive's block size. (BZ#528133)

  - when using the Linux Virtual Server (LVS) in a master     and backup configuration, and propagating active     connections on the master to the backup, the connection     timeout value on the backup was hard-coded to 180     seconds, meaning connection information on the backup     was soon lost. This could prevent the successful     failover of connections. The timeout value can now be     set via 'ipvsadm --set'. (BZ#528645)

  - a bug in nfs4_do_open_expired() could have caused the     reclaimer thread on an NFSv4 client to enter an infinite     loop. (BZ#529162)

  - MSI interrupts may not have been delivered for r8169     based network cards that have MSI interrupts enabled.
    This bug only affected certain systems. (BZ#529366)

The system must be rebooted for this update to take effect.

Note1: Due to the fuse kernel module now being part of the kernel, we are updating fuse on the older releases to match the fuse that was released by The Upstream Vendor.

Note2: kernel-module-openafs for SL 50-53 is for openafs 1.4.7, for SL 54 it is for openafs 1.4.11

Note3: xfs is now part of the kernel in x86_64. Because of this there is no kernel-module-xfs for x86_64.

Note4: ipw3945 support has been changed to iwlwifi3945 in SL 54, and is in the kernel. Because of this there is no kernel-module-ipw3945 for SL54.

Note5: Support for the Atheros chipset in now in the kernel. We are not sure if the infrastructure is in place for SL 50-53, so we are still providing the madwifi kernel modules for SL 50-53.

CVE-2005-4881 kernel: netlink: fix numerous padding memleaks

CVE-2009-3228 kernel: tc: uninitialised kernel memory leak

This update fixes the following security issues :

  - multiple, missing initialization flaws were found in the     Linux kernel. Padding data in several core network     structures was not initialized properly before being     sent to user-space. These flaws could lead to     information leaks. (CVE-2005-4881, CVE-2009-3228,     Moderate)

This update also fixes the following bugs :

  - a packet duplication issue was fixed via the     RHSA-2008:0665 update; however, the fix introduced a     problem for systems using network bonding: Backup slaves     were unable to receive ARP packets. When using network     bonding in the 'active-backup' mode and with the     'arp_validate=3' option, the bonding driver considered     such backup slaves as being down (since they were not     receiving ARP packets), preventing successful failover     to these devices. (BZ#519384)

  - due to insufficient memory barriers in the network code,     a process sleeping in select() may have missed     notifications about new data. In rare cases, this bug     may have caused a process to sleep forever. (BZ#519386)

  - the driver version number in the ata_piix driver was not     changed between Scientific Linux 4.7 and Scientific     Linux 4.8, even though changes had been made between     these releases. This could have prevented the driver     from loading on systems that check driver versions, as     this driver appeared older than it was. (BZ#519389)

  - a bug in nlm_lookup_host() could have led to     un-reclaimed locks on file systems, resulting in the     umount command failing. This bug could have also     prevented NFS services from being relocated correctly in     clustered environments. (BZ#519656)

  - the data buffer ethtool_get_strings() allocated, for the     igb driver, was smaller than the amount of data that was     copied in igb_get_strings(), because of a miscalculation     in IGB_QUEUE_STATS_LEN, resulting in memory corruption.
    This bug could have led to a kernel panic. (BZ#522738)

  - in some situations, write operations to a TTY device     were blocked even when the O_NONBLOCK flag was used. A     reported case of this issue occurred when a single TTY     device was opened by two users (one using blocking mode,     and the other using non-blocking mode). (BZ#523930)

  - a deadlock was found in the cciss driver. In rare cases,     this caused an NMI lockup during boot. Messages such as     'cciss: controller cciss[x] failed, stopping.' and     'cciss[x]: controller not responding.' may have been     displayed on the console. (BZ#525725)

  - on 64-bit PowerPC systems, a rollover bug in the ibmveth     driver could have caused a kernel panic. In a reported     case, this panic occurred on a system with a large     uptime and under heavy network load. (BZ#527225)

The system must be rebooted for this update to take effect.

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount symlinks, which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088)

The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. (CVE-2009-3228)

The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel node set. (CVE-2010-0415)

The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. (CVE-2009-3620)

The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. (CVE-2010-0622)

The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function.
(CVE-2009-2287)

The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. (CVE-2009-3722)

The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. (CVE-2009-4308)

The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function.
(CVE-2009-2846)

Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions.
(CVE-2010-2521)

mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcommit is enabled and CONFIG_SECURITY is disabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1643. (CVE-2008-7256)

The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors.
(CVE-2010-1162)

mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. (CVE-2010-1643)

The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173)

The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference. (CVE-2010-1187)

The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173)

fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248)

Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors.
(CVE-2010-2492)

The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file.
(CVE-2010-2226)

The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. (CVE-2010-2798)

The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)

The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. (CVE-2010-2803)

Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. (CVE-2010-2959)

Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device. (CVE-2010-3080)

A vulnerability in Linux kernel caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the compat_alloc_user_space method with an arbitrary length input. (CVE-2010-3081)

The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. (CVE-2010-3301)

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

a. Service Console update for COS kernel

   Updated COS package 'kernel' addresses the security issues that are    fixed through versions 2.6.18-164.11.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,    CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues    fixed in kernel 2.6.18-164.6.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,    CVE-2009-3726 to the security issues fixed in kernel 2.6.18-164.9.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2007-4567, CVE-2009-4536, CVE-2009-4537,    CVE-2009-4538 to the security issues fixed in kernel 2.6.18-164.10.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2006-6304, CVE-2009-2910, CVE-2009-3080,    CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020,    CVE-2009-4021, CVE-2009-4138, CVE-2009-4141, and CVE-2009-4272 to    the security issues fixed in kernel 2.6.18-164.11.1.

b. ESXi userworld update for ntp

   The Network Time Protocol (NTP) is used to synchronize the time of    a computer client or server to another server or reference time    source.

   A vulnerability in ntpd could allow a remote attacker to cause a    denial of service (CPU and bandwidth consumption) by using    MODE_PRIVATE to send a spoofed (1) request or (2) response packet    that triggers a continuous exchange of MODE_PRIVATE error responses    between two NTP daemons.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-3563 to this issue.

c. Service Console package openssl updated to 0.9.8e-12.el5_4.1

   OpenSSL is a toolkit implementing SSL v2/v3 and TLS protocols with    full-strength cryptography world-wide.

   A memory leak in the zlib could allow a remote attacker to cause a    denial of service (memory consumption) via vectors that trigger    incorrect calls to the CRYPTO_cleanup_all_ex_data function.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-4355 to this issue.

   A vulnerability was discovered which may allow remote attackers to    spoof certificates by using MD2 design flaws to generate a hash    collision in less than brute-force time. NOTE: the scope of this    issue is currently limited because the amount of computation    required is still large.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-2409 to this issue.

   This update also includes security fixes that were first addressed    in version openssl-0.9.8e-12.el5.i386.rpm.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the names CVE-2009-0590, CVE-2009-1377, CVE-2009-1378,    CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387 to these issues.

d. Service Console update for krb5 to 1.6.1-36.el5_4.1 and pam_krb5 to    2.2.14-15.

   Kerberos is a network authentication protocol. It is designed to    provide strong authentication for client/server applications by    using secret-key cryptography.

   Multiple integer underflows in the AES and RC4 functionality in the    crypto library could allow remote attackers to cause a denial of    service (daemon crash) or possibly execute arbitrary code by    providing ciphertext with a length that is too short to be valid.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-4212 to this issue.

   The service console package for pam_krb5 is updated to version    pam_krb5-2.2.14-15. This update fixes a flaw found in pam_krb5. In    some non-default configurations (specifically, where pam_krb5 would    be the first module to prompt for a password), a remote attacker    could use this flaw to recognize valid usernames, which would aid a    dictionary-based password guess attack.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-1384 to this issue.

e. Service Console package bind updated to 9.3.6-4.P1.el5_4.2

   BIND (Berkeley Internet Name Daemon) is by far the most widely used    Domain Name System (DNS) software on the Internet.

   A vulnerability was discovered which could allow remote attacker to    add the Authenticated Data (AD) flag to a forged NXDOMAIN response    for an existing domain.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0097 to this issue.

   A vulnerability was discovered which could allow remote attackers    to conduct DNS cache poisoning attacks by receiving a recursive    client query and sending a response that contains CNAME or DNAME    records, which do not have the intended validation before caching.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0290 to this issue.

   A vulnerability was found in the way that bind handles out-of-    bailiwick data accompanying a secure response without re-fetching    from the original source, which could allow remote attackers to    have an unspecified impact via a crafted response.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0382 to this issue.

   NOTE: ESX does not use the BIND name service daemon by default.

f. Service Console package gcc updated to 3.2.3-60

   The GNU Compiler Collection includes front ends for C, C++,    Objective-C, Fortran, Java, and Ada, as well as libraries for these    languages

   GNU Libtool's ltdl.c attempts to open .la library files in the    current working directory.  This could allow a local user to gain    privileges via a Trojan horse file.  The GNU C Compiler collection    (gcc) provided in ESX contains a statically linked version of the    vulnerable code, and is being replaced.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-3736 to this issue.

g. Service Console package gzip update to 1.3.3-15.rhel3

   gzip is a software application used for file compression

   An integer underflow in gzip's unlzw function on 64-bit platforms    may allow a remote attacker to trigger an array index error    leading to a denial of service (application crash) or possibly    execute arbitrary code via a crafted LZW compressed file.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0001 to this issue.

h. Service Console package sudo updated to 1.6.9p17-6.el5_4

   Sudo (su 'do') allows a system administrator to delegate authority    to give certain users (or groups of users) the ability to run some    (or all) commands as root or another user while providing an audit    trail of the commands and their arguments.

   When a pseudo-command is enabled, sudo permits a match between the    name of the pseudo-command and the name of an executable file in an    arbitrary directory, which allows local users to gain privileges    via a crafted executable file.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0426 to this issue.

   When the runas_default option is used, sudo does not properly set    group memberships, which allows local users to gain privileges via    a sudo command.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0427 to this issue.

a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1

   Newt is a programming library for color text mode, widget based    user interfaces. Newt can be used to add stacked windows, entry    widgets, checkboxes, radio buttons, labels, plain text fields,    scrollbars, etc., to text mode user interfaces.

   A heap-based buffer overflow flaw was found in the way newt    processes content that is to be displayed in a text dialog box.
   A local attacker could issue a specially crafted text dialog box    display request (direct or via a custom application), leading to a    denial of service (application crash) or, potentially, arbitrary    code execution with the privileges of the user running the    application using the newt library.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-2905 to this issue.

b. vMA and Service Console update for vMA package nfs-utils to    1.0.9-42.el5

   The nfs-utils package provides a daemon for the kernel NFS server    and related tools.

   It was discovered that nfs-utils did not use tcp_wrappers    correctly.  Certain hosts access rules defined in '/etc/hosts.allow'    and '/etc/hosts.deny' may not have been honored, possibly allowing    remote attackers to bypass intended access restrictions.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2008-4552 to this issue.

c. vMA and Service Console package glib2 updated to 2.12.3-4.el5_3.1

   GLib is the low-level core library that forms the basis for    projects such as GTK+ and GNOME. It provides data structure    handling for C, portability wrappers, and interfaces for such    runtime functionality as an event loop, threads, dynamic loading,    and an object system.

   Multiple integer overflows in glib/gbase64.c in GLib before 2.20    allow context-dependent attackers to execute arbitrary code via a    long string that is converted either from or to a base64    representation.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2008-4316 to this issue.

d. vMA and Service Console update for openssl to 0.9.8e-12.el5

   SSL is a toolkit implementing SSL v2/v3 and TLS protocols with full-    strength cryptography world-wide.

   Multiple denial of service flaws were discovered in OpenSSL's DTLS    implementation. A remote attacker could use these flaws to cause a    DTLS server to use excessive amounts of memory, or crash on an    invalid memory access or NULL pointer dereference.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the names CVE-2009-1377, CVE-2009-1378,    CVE-2009-1379, CVE-2009-1386, CVE-2009-1387 to these issues.

   An input validation flaw was found in the handling of the BMPString    and UniversalString ASN1 string types in OpenSSL's    ASN1_STRING_print_ex() function. An attacker could use this flaw to    create a specially crafted X.509 certificate that could cause    applications using the affected function to crash when printing    certificate contents.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-0590 to this issue.

e. vMA and Service Console package bind updated to 9.3.6-4.P1.el5_4.1

   It was discovered that BIND was incorrectly caching responses    without performing proper DNSSEC validation, when those responses    were received during the resolution of a recursive client query    that requested DNSSEC records but indicated that checking should be    disabled. A remote attacker could use this flaw to bypass the DNSSEC    validation check and perform a cache poisoning attack if the target    BIND server was receiving such client queries.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-4022 to this issue.

f. vMA and Service Console package expat updated to 1.95.8-8.3.el5_4.2.

   Two buffer over-read flaws were found in the way Expat handled    malformed UTF-8 sequences when processing XML files. A specially-    crafted XML file could cause applications using Expat to fail while    parsing the file.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the names CVE-2009-3560 and CVE-2009-3720 to these    issues.

g. vMA and Service Console package openssh update to 4.3p2-36.el5_4.2

   A Red Hat specific patch used in the openssh packages as shipped in    Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain    ownership requirements for directories used as arguments for the    ChrootDirectory configuration options. A malicious user that also    has or previously had non-chroot shell access to a system could    possibly use this flaw to escalate their privileges and run    commands as any system user.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-2904 to this issue.

h. vMA and Service Console package ntp updated to    ntp-4.2.2p1-9.el5_4.1.i386.rpm

   A flaw was discovered in the way ntpd handled certain malformed NTP    packets. ntpd logged information about all such packets and replied    with an NTP packet that was treated as malformed when received by    another ntpd. A remote attacker could use this flaw to create an NTP    packet reply loop between two ntpd servers through a malformed packet    with a spoofed source IP address and port, causing ntpd on those    servers to use excessive amounts of CPU time and fill disk space with    log messages.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-3563 to this issue.   

i. vMA update for package kernel to 2.6.18-164.9.1.el5

   Updated vMA package kernel addresses the security issues listed    below.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2009-2849 to the security issue fixed in    kernel 2.6.18-128.2.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,    CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues    fixed in kernel 2.6.18-128.6.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,    CVE-2009-3726 to the security issues fixed in kernel    2.6.18-128.9.1

j. vMA 4.0 updates for the packages kpartx, libvolume-id,    device-mapper-multipath, fipscheck, dbus, dbus-libs, and ed

   kpartx updated to 0.4.7-23.el5_3.4, libvolume-id updated to    095-14.20.el5 device-mapper-multipath package updated to    0.4.7-23.el5_3.4, fipscheck updated to 1.0.3-1.el5, dbus    updated to 1.1.2-12.el5, dbus-libs updated to 1.1.2-12.el5,    and ed package updated to 0.2-39.el5_2.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the names CVE-2008-3916, CVE-2009-1189 and    CVE-2009-0115 to these issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-1883     Solar Designer discovered a missing capability check in     the z90crypt driver or s390 systems. This vulnerability     may allow a local user to gain elevated privileges.

  - CVE-2009-2909     Arjan van de Ven discovered an issue in the AX.25     protocol implementation. A specially crafted call to     setsockopt() can result in a denial of service (kernel     oops).

  - CVE-2009-3001     Jiri Slaby fixed a sensitive memory leak issue in the     ANSI/IEEE 802.2 LLC implementation. This is not     exploitable in the Debian lenny kernel as root     privileges are required to exploit this issue.

  - CVE-2009-3002     Eric Dumazet fixed several sensitive memory leaks in the     IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and     Controller Area Network (CAN) implementations. Local     users can exploit these issues to gain access to kernel     memory.

  - CVE-2009-3228     Eric Dumazet reported an instance of uninitialized     kernel memory in the network packet scheduler. Local     users may be able to exploit this issue to read the     contents of sensitive kernel memory.

  - CVE-2009-3238     Linus Torvalds provided a change to the get_random_int()     function to increase its randomness.

  - CVE-2009-3286     Eric Paris discovered an issue with the NFSv4 server     implementation. When an O_EXCL create fails, files may     be left with corrupted permissions, possibly granting     unintentional privileges to other local users.

  - CVE-2009-3547     Earl Chew discovered a NULL pointer dereference issue in     the pipe_rdwr_open function which can be used by local     users to gain elevated privileges.

  - CVE-2009-3612     Jiri Pirko discovered a typo in the initialization of a     structure in the netlink subsystem that may allow local     users to gain access to sensitive kernel memory.

  - CVE-2009-3621     Tomoki Sekiyama discovered a deadlock condition in the     UNIX domain socket implementation. Local users can     exploit this vulnerability to cause a denial of service     (system hang).

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-2846     Michael Buesch noticed a typing issue in the eisa-eeprom     driver for the hppa architecture. Local users could     exploit this issue to gain access to restricted memory.

  - CVE-2009-2847     Ulrich Drepper noticed an issue in the do_sigalstack     routine on 64-bit systems. This issue allows local users     to gain access to potentially sensitive memory on the     kernel stack.

  - CVE-2009-2848     Eric Dumazet discovered an issue in the execve path,     where the clear_child_tid variable was not being     properly cleared. Local users could exploit this issue     to cause a denial of service (memory corruption).

  - CVE-2009-2849     Neil Brown discovered an issue in the sysfs interface to     md devices. When md arrays are not active, local users     can exploit this vulnerability to cause a denial of     service (oops).

  - CVE-2009-2903     Mark Smith discovered a memory leak in the appletalk     implementation. When the appletalk and ipddp modules are     loaded, but no ipddp'N' device is found, remote     attackers can cause a denial of service by consuming     large amounts of system memory.

  - CVE-2009-2908     Loic Minier discovered an issue in the eCryptfs     filesystem. A local user can cause a denial of service     (kernel oops) by causing a dentry value to go negative.

  - CVE-2009-2909     Arjan van de Ven discovered an issue in the AX.25     protocol implementation. A specially crafted call to     setsockopt() can result in a denial of service (kernel     oops).

  - CVE-2009-2910     Jan Beulich discovered the existence of a sensitive     kernel memory leak. Systems running the 'amd64' kernel     do not properly sanitize registers for 32-bit processes.

  - CVE-2009-3001     Jiri Slaby fixed a sensitive memory leak issue in the     ANSI/IEEE 802.2 LLC implementation. This is not     exploitable in the Debian lenny kernel as root     privileges are required to exploit this issue.

  - CVE-2009-3002     Eric Dumazet fixed several sensitive memory leaks in the     IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and     Controller Area Network (CAN) implementations. Local     users can exploit these issues to gain access to kernel     memory.

  - CVE-2009-3228     Eric Dumazet reported an instance of uninitialized     kernel memory in the network packet scheduler. Local     users may be able to exploit this issue to read the     contents of sensitive kernel memory.

  - CVE-2009-3238     Linus Torvalds provided a change to the get_random_int()     function to increase its randomness.

  - CVE-2009-3286     Eric Paris discovered an issue with the NFSv4 server     implementation. When an O_EXCL create fails, files may     be left with corrupted permissions, possibly granting     unintentional privileges to other local users.

  - CVE-2009-3547     Earl Chew discovered a NULL pointer dereference issue in     the pipe_rdwr_open function which can be used by local     users to gain elevated privileges.

  - CVE-2009-3612     Jiri Pirko discovered a typo in the initialization of a     structure in the netlink subsystem that may allow local     users to gain access to sensitive kernel memory.

  - CVE-2009-3613     Alistair Strachan reported an issue in the r8169 driver.
    Remote users can cause a denial of service (IOMMU space     exhaustion and system crash) by transmitting a large     amount of jumbo frames.

  - CVE-2009-3620     Ben Hutchings discovered an issue in the DRM manager for     ATI Rage 128 graphics adapters. Local users may be able     to exploit this vulnerability to cause a denial of     service (NULL pointer dereference).

  - CVE-2009-3621     Tomoki Sekiyama discovered a deadlock condition in the     UNIX domain socket implementation. Local users can     exploit this vulnerability to cause a denial of service     (system hang).

Notice: Debian 5.0.4, the next point release of Debian 'lenny', will include a new default value for the mmap_min_addr tunable. This change will add an additional safeguard against a class of security vulnerabilities known as 'NULL pointer dereference' vulnerabilities, but it will need to be overridden when using certain applications.
Additional information about this change, including instructions for making this change locally in advance of 5.0.4 (recommended), can be found at: https://wiki.debian.org/mmap_min_addr.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-3228     Eric Dumazet reported an instance of uninitialized     kernel memory in the network packet scheduler. Local     users may be able to exploit this issue to read the     contents of sensitive kernel memory.

  - CVE-2009-3238     Linus Torvalds provided a change to the get_random_int()     function to increase its randomness.

  - CVE-2009-3547     Earl Chew discovered a NULL pointer dereference issue in     the pipe_rdwr_open function which can be used by local     users to gain elevated privileges.

  - CVE-2009-3612     Jiri Pirko discovered a typo in the initialization of a     structure in the netlink subsystem that may allow local     users to gain access to sensitive kernel memory.

  - CVE-2009-3620     Ben Hutchings discovered an issue in the DRM manager for     ATI Rage 128 graphics adapters. Local users may be able     to exploit this vulnerability to cause a denial of     service (NULL pointer dereference).

  - CVE-2009-3621     Tomoki Sekiyama discovered a deadlock condition in the     UNIX domain socket implementation. Local users can     exploit this vulnerability to cause a denial of service     (system hang).

  - CVE-2009-3638     David Wagner reported an overflow in the KVM subsystem     on i386 systems. This issue is exploitable by local     users with access to the /dev/kvm device file.

It was discovered that the AX.25 network subsystem did not correctly check integer signedness in certain setsockopt calls. A local attacker could exploit this to crash the system, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-2909)

Jan Beulich discovered that the kernel could leak register contents to 32-bit processes that were switched to 64-bit mode. A local attacker could run a specially crafted binary to read register values from an earlier process, leading to a loss of privacy. (CVE-2009-2910)

Dave Jones discovered that the gdth SCSI driver did not correctly validate array indexes in certain ioctl calls. A local attacker could exploit this to crash the system or gain elevated privileges.
(CVE-2009-3080)

Eric Dumazet and Jiri Pirko discovered that the TC and CLS subsystems would leak kernel memory via uninitialized structure members. A local attacker could exploit this to read several bytes of kernel memory, leading to a loss of privacy. (CVE-2009-3228, CVE-2009-3612)

Earl Chew discovered race conditions in pipe handling. A local attacker could exploit anonymous pipes via /proc/*/fd/ and crash the system or gain root privileges. (CVE-2009-3547)

Dave Jones and Francois Romieu discovered that the r8169 network driver could be made to leak kernel memory. A remote attacker could send a large number of jumbo frames until the system memory was exhausted, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-3613).

Ben Hutchings discovered that the ATI Rage 128 video driver did not correctly validate initialization states. A local attacker could make specially crafted ioctl calls to crash the system or gain root privileges. (CVE-2009-3620)

Tomoki Sekiyama discovered that Unix sockets did not correctly verify namespaces. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2009-3621)

J. Bruce Fields discovered that NFSv4 did not correctly use the credential cache. A local attacker using a mount with AUTH_NULL authentication could exploit this to crash the system or gain root privileges. Only Ubuntu 9.10 was affected. (CVE-2009-3623)

Alexander Zangerl discovered that the kernel keyring did not correctly reference count. A local attacker could issue a series of specially crafted keyring calls to crash the system or gain root privileges.
Only Ubuntu 9.10 was affected. (CVE-2009-3624)

David Wagner discovered that KVM did not correctly bounds-check CPUID entries. A local attacker could exploit this to crash the system or possibly gain elevated privileges. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3638)

Avi Kivity discovered that KVM did not correctly check privileges when accessing debug registers. A local attacker could exploit this to crash a host system from within a guest system, leading to a denial of service. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3722)

Philip Reisner discovered that the connector layer for uvesafb, pohmelfs, dst, and dm did not correctly check capabilties. A local attacker could exploit this to crash the system or gain elevated privileges. Ubuntu 6.06 was not affected. (CVE-2009-3725)

Trond Myklebust discovered that NFSv4 clients did not robustly verify attributes. A malicious remote NFSv4 server could exploit this to crash a client or gain root privileges. Ubuntu 9.10 was not affected.
(CVE-2009-3726)

Robin Getz discovered that NOMMU systems did not correctly validate NULL pointers in do_mmap_pgoff calls. A local attacker could attempt to allocate large amounts of memory to crash the system, leading to a denial of service. Only Ubuntu 6.06 and 9.10 were affected.
(CVE-2009-3888)

Joseph Malicki discovered that the MegaRAID SAS driver had world-writable option files. A local attacker could exploit these to disrupt the behavior of the controller, leading to a denial of service. (CVE-2009-3889, CVE-2009-3939)

Roel Kluin discovered that the Hisax ISDN driver did not correctly check the size of packets. A remote attacker could send specially crafted packets to cause a system crash, leading to a denial of service. (CVE-2009-4005)

Lennert Buytenhek discovered that certain 802.11 states were not handled correctly. A physically-proximate remote attacker could send specially crafted wireless traffic that would crash the system, leading to a denial of service. Only Ubuntu 9.10 was affected.
(CVE-2009-4026, CVE-2009-4027).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* multiple, missing initialization flaws were found in the Linux kernel. Padding data in several core network structures was not initialized properly before being sent to user-space. These flaws could lead to information leaks. (CVE-2005-4881, CVE-2009-3228, Moderate)

This update also fixes the following bugs :

* a packet duplication issue was fixed via the RHSA-2008:0665 update;
however, the fix introduced a problem for systems using network bonding: Backup slaves were unable to receive ARP packets. When using network bonding in the 'active-backup' mode and with the 'arp_validate=3' option, the bonding driver considered such backup slaves as being down (since they were not receiving ARP packets), preventing successful failover to these devices. (BZ#519384)

* due to insufficient memory barriers in the network code, a process sleeping in select() may have missed notifications about new data. In rare cases, this bug may have caused a process to sleep forever.
(BZ#519386)

* the driver version number in the ata_piix driver was not changed between Red Hat Enterprise Linux 4.7 and Red Hat Enterprise Linux 4.8, even though changes had been made between these releases. This could have prevented the driver from loading on systems that check driver versions, as this driver appeared older than it was. (BZ#519389)

* a bug in nlm_lookup_host() could have led to un-reclaimed locks on file systems, resulting in the umount command failing. This bug could have also prevented NFS services from being relocated correctly in clustered environments. (BZ#519656)

* the data buffer ethtool_get_strings() allocated, for the igb driver, was smaller than the amount of data that was copied in igb_get_strings(), because of a miscalculation in IGB_QUEUE_STATS_LEN, resulting in memory corruption. This bug could have led to a kernel panic. (BZ#522738)

* in some situations, write operations to a TTY device were blocked even when the O_NONBLOCK flag was used. A reported case of this issue occurred when a single TTY device was opened by two users (one using blocking mode, and the other using non-blocking mode). (BZ#523930)

* a deadlock was found in the cciss driver. In rare cases, this caused an NMI lockup during boot. Messages such as 'cciss: controller cciss[x] failed, stopping.' and 'cciss[x]: controller not responding.' may have been displayed on the console. (BZ#525725)

* on 64-bit PowerPC systems, a rollover bug in the ibmveth driver could have caused a kernel panic. In a reported case, this panic occurred on a system with a large uptime and under heavy network load.
(BZ#527225)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2009-1522.

ID	Name	Product	Family	Severity
89740	VMware ESX / ESXi Third-Party Libraries and Components (VMSA-2010-0009) (remote check)	Nessus	VMware ESX Local Security Checks	critical
89737	VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check)	Nessus	VMware ESX Local Security Checks	high
79470	OracleVM 2.2 : kernel (OVMSA-2009-0033)	Nessus	OracleVM Local Security Checks	high
67955	Oracle Linux 3 : kernel (ELSA-2009-1550)	Nessus	Oracle Linux Local Security Checks	high
67953	Oracle Linux 5 : kernel (ELSA-2009-1548)	Nessus	Oracle Linux Local Security Checks	high
67952	Oracle Linux 4 : kernel (ELSA-2009-1541)	Nessus	Oracle Linux Local Security Checks	high
67945	Oracle Linux 4 : kernel (ELSA-2009-1522)	Nessus	Oracle Linux Local Security Checks	medium
67070	CentOS 3 : kernel (CESA-2009:1550)	Nessus	CentOS Local Security Checks	high
67068	CentOS 5 : kernel (CESA-2009:1548)	Nessus	CentOS Local Security Checks	high
67067	CentOS 4 : kernel (CESA-2009:1541)	Nessus	CentOS Local Security Checks	high
65044	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60682	Scientific Linux Security Update : kernel on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
49795	Mandriva Linux Security Advisory : kernel (MDVSA-2010:198)	Nessus	Mandriva Local Security Checks	critical
49666	Mandriva Linux Security Advisory : kernel (MDVSA-2010:188)	Nessus	Mandriva Local Security Checks	critical
46765	VMSA-2010-0009 : ESXi ntp and ESX Service Console third-party updates	Nessus	VMware ESX Local Security Checks	high
44993	VMSA-2010-0004 : ESX Service Console and vMA third-party updates	Nessus	VMware ESX Local Security Checks	high
44794	Debian DSA-1929-1 : linux-2.6 - privilege escalation/denial of service/sensitive memory leak	Nessus	Debian Local Security Checks	high
44793	Debian DSA-1928-1 : linux-2.6.24 - privilege escalation/denial of service/sensitive memory leak	Nessus	Debian Local Security Checks	high
44792	Debian DSA-1927-1 : linux-2.6 - privilege escalation/denial of service/sensitive memory leak	Nessus	Debian Local Security Checks	high
43026	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : linux, linux-source-2.6.15 vulnerabilities (USN-864-1)	Nessus	Ubuntu Local Security Checks	high
42360	RHEL 3 : kernel (RHSA-2009:1550)	Nessus	Red Hat Local Security Checks	high
42358	RHEL 5 : kernel (RHSA-2009:1548)	Nessus	Red Hat Local Security Checks	high
42257	CentOS 4 : kernel (CESA-2009:1522)	Nessus	CentOS Local Security Checks	medium
42216	RHEL 4 : kernel (RHSA-2009:1522)	Nessus	Red Hat Local Security Checks	medium
801478	CentOS RHSA-2009-1522 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2009-3228

medium

Tenable Plugins

critical

high

high

high

high

high

medium

high

high

high

high

medium

critical

critical

high

high

high

high

high

high

high

high

medium

medium

high