An integer overflow was discovered in the do_replace() function. A local user process with the CAP_NET_ADMIN capability could exploit this to execute arbitrary commands with full root privileges. However, none of Ubuntu's supported packages use this capability with any non-root user, so this only affects you if you use some third party software like the OpenVZ virtualization system. (CVE-2006-0038)

On EMT64 CPUs, the kernel did not properly handle uncanonical return addresses. A local user could exploit this to trigger a kernel crash.
(CVE-2006-0744)

Al Viro discovered a local Denial of Service in the sysfs write buffer handling. By writing a block with a length exactly equal to the processor's page size to any writable file in /sys, a local attacker could cause a kernel crash. (CVE-2006-1055)

Jan Beulich discovered an information leak in the handling of registers for the numeric coprocessor when running on AMD processors.
This allowed processes to see the coprocessor execution state of other processes, which could reveal sensitive data in the case of cryptographic computations. (CVE-2006-1056)

Marcel Holtmann discovered that the sys_add_key() did not check that a new user key is added to a proper keyring. By attempting to add a key to a normal user key (which is not a keyring), a local attacker could exploit this to crash the kernel. (CVE-2006-1522)

Ingo Molnar discovered that the SCTP protocol connection tracking module in netfilter got stuck in an infinite loop on certain empty packet chunks. A remote attacker could exploit this to cause the computer to hang. (CVE-2006-1527)

The SCSI I/O driver did not correctly handle the VM_IO flag for memory mapped pages used for data transfer. A local user could exploit this to cause a kernel crash. (CVE-2006-1528)

The choose_new_parent() contained obsolete debugging code. A local user could exploit this to cause a kernel crash. (CVE-2006-1855)

Kostik Belousov discovered that the readv() and writev() functions did not query LSM modules for access permission. This could be exploited to circumvent access restrictions defined by LSM modules such as SELinux or AppArmor. (CVE-2006-1856)

The SCTP driver did not properly verify certain parameters when receiving a HB-ACK chunk. By sending a specially crafted packet to an SCTP socket, a remote attacker could exploit this to trigger a buffer overflow, which could lead to a crash or possibly even arbitrary code execution. (CVE-2006-1857)

The sctp_walk_params() function in the SCTP driver incorrectly used rounded values for bounds checking instead of the precise values. By sending a specially crafted packet to an SCTP socket, a remote attacker could exploit this to crash the kernel. (CVE-2006-1858)

Bjoern Steinbrink reported a memory leak in the __setlease() function.
A local attacker could exploit this to exhaust kernel memory and render the computer unusable (Denial of Service). (CVE-2006-1859)

Daniel Hokka Zakrisson discovered that the lease_init() did not properly handle locking. A local attacker could exploit this to cause a kernel deadlock (Denial of Service). (CVE-2006-1860)

Mark Moseley discovered that the CIFS file system driver did not filter out '..\\' path components. A local attacker could exploit this to break out of a chroot environment on a mounted SMB share.
(CVE-2006-1863) The same vulnerability applies to the older smb file system. (CVE-2006-1864)

Hugh Dickins discovered that the mprotect() function allowed an user to change a read-only shared memory attachment to become writable, which bypasses IPC (inter-process communication) permissions.
(CVE-2006-2071)

The SCTP (Stream Control Transmission Protocol) driver triggered a kernel panic on unexpected packets while the session was in the CLOSED state, instead of silently ignoring the packets. A remote attacker could exploit this to crash the computer. (CVE-2006-2271)

The SCTP driver did not handle control chunks if they arrived in fragmented packets. By sending specially crafted packets to an SCTP socket, a remote attacker could exploit this to crash the target machine. (CVE-2006-2272)

The SCTP driver did not correctly handle packets containing more than one DATA fragment. By sending specially crafted packets to an SCTP socket, a remote attacker could exploit this to crash the target machine. (CVE-2006-2274)

The SCTP driver did not correcly buffer incoming packets. By sending a large number of small messages to a receiver application that cannot process the messages quickly enough, a remote attacker could exploit this to cause a deadlock in the target machine (Denial of Service).
(CVE-2006-2275)

Patrick McHardy discovered that the snmp_trap_decode() function did not correctly handle memory allocation in some error conditions. By sending specially crafted packets to a machine which uses the SNMP network address translation (NAT), a remote attacker could exploit this to crash that machine. (CVE-2006-2444)

In addition, the Ubuntu 6.06 LTS update fixes a range of bugs.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Memory corruption can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is NATed.

The provided packages are patched to fix this vulnerability. Users who may be running netfilter on important servers are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

This advisory covers the S/390 components of the recent security update for the Linux 2.6.8 kernel that were missing due to technical problems. For reference, please see the text of the original advisory.

  Several security related problems have been discovered in the Linux   kernel which may lead to a denial of service or even the execution   of arbitrary code. The Common Vulnerabilities and Exposures project   identifies the following problems :

    - CVE-2004-2660       Toshihiro Iwamoto discovered a memory leak in the       handling of direct I/O writes that allows local users       to cause a denial of service.

    - CVE-2005-4798       A buffer overflow in NFS readlink handling allows a       malicious remote server to cause a denial of service.

    - CVE-2006-1052       Stephen Smalley discovered a bug in the SELinux ptrace       handling that allows local users with ptrace       permissions to change the tracer SID to the SID of       another process.

    - CVE-2006-1343       Pavel Kankovsky discovered an information leak in the       getsockopt system call which can be exploited by a       local program to leak potentially sensitive memory to       userspace.

    - CVE-2006-1528       Douglas Gilbert reported a bug in the sg driver that       allows local users to cause a denial of service by       performing direct I/O transfers from the sg driver to       memory mapped I/O space.

    - CVE-2006-1855       Mattia Belletti noticed that certain debugging code       left in the process management code could be exploited       by a local attacker to cause a denial of service.

    - CVE-2006-1856       Kostik Belousov discovered a missing LSM       file_permission check in the readv and writev       functions which might allow attackers to bypass       intended access restrictions.

    - CVE-2006-2444       Patrick McHardy discovered a bug in the SNMP NAT       helper that allows remote attackers to cause a denial       of service.

    - CVE-2006-2446       A race condition in the socket buffer handling allows       remote attackers to cause a denial of service.

    - CVE-2006-2935       Diego Calleja Garcia discovered a buffer overflow in       the DVD handling code that could be exploited by a       specially crafted DVD USB storage device to execute       arbitrary code.

    - CVE-2006-2936       A bug in the serial USB driver has been discovered       that could be exploited by a custom made USB serial       adapter to consume arbitrary amounts of memory.

    - CVE-2006-3468       James McKenzie discovered a denial of service       vulnerability in the NFS driver. When exporting an       ext3 file system over NFS, a remote attacker could       exploit this to trigger a file system panic by sending       a specially crafted UDP packet.

    - CVE-2006-3745       Wei Wang discovered a bug in the SCTP implementation       that allows local users to cause a denial of service       and possibly gain root privileges.

    - CVE-2006-4093       Olof Johansson discovered that the kernel does not       disable the HID0 bit on PowerPC 970 processors which       could be exploited by a local attacker to cause a       denial of service.

    - CVE-2006-4145       A bug in the Universal Disk Format (UDF) filesystem       driver could be exploited by a local user to cause a       denial of service.

    - CVE-2006-4535       David Miller reported a problem with the fix for       CVE-2006-3745 that allows local users to crash the       system via an SCTP socket with a certain SO_LINGER       value.

The following matrix explains which kernel version for which architecture fixes the problem mentioned above :

                              stable (sarge)                 Source                       2.6.8-16sarge5                 Alpha architecture           2.6.8-16sarge5                 AMD64 architecture           2.6.8-16sarge5                 HP Precision architecture    2.6.8-6sarge5                  Intel IA-32 architecture     2.6.8-16sarge5                 Intel IA-64 architecture     2.6.8-14sarge5                 Motorola 680x0 architecture  2.6.8-4sarge5                  PowerPC architecture         2.6.8-12sarge5                 IBM S/390                    2.6.8-5sarge5                  Sun Sparc architecture       2.6.8-15sarge5                 FAI                          1.9.1sarge4

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below :

* a flaw in the proc file system that allowed a local user to use a suid-wrapper for scripts to gain root privileges (CVE-2006-3626, Important)

* a flaw in the SCTP implementation that allowed a local user to cause a denial of service (panic) or to possibly gain root privileges (CVE-2006-3745, Important)

* a flaw in NFS exported ext2/ext3 partitions when handling invalid inodes that allowed a remote authenticated user to cause a denial of service (filesystem panic) (CVE-2006-3468, Important)

* a flaw in the restore_all code path of the 4/4GB split support of non-hugemem kernels that allowed a local user to cause a denial of service (panic) (CVE-2006-2932, Important)

* a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT processing that allowed a remote user to cause a denial of service (crash) or potential memory corruption (CVE-2006-2444, Moderate)

* a flaw in the DVD handling of the CDROM driver that could be used together with a custom built USB device to gain root privileges (CVE-2006-2935, Moderate)

* a flaw in the handling of O_DIRECT writes that allowed a local user to cause a denial of service (memory consumption) (CVE-2004-2660, Low)

* a flaw in the SCTP chunk length handling that allowed a remote user to cause a denial of service (crash) (CVE-2006-1858, Low)

* a flaw in the input handling of the ftdi_sio driver that allowed a local user to cause a denial of service (memory consumption) (CVE-2006-2936, Low)

In addition a bugfix was added to enable a clean reboot for the IBM Pizzaro machines.

Red Hat would like to thank Wei Wang of McAfee Avert Labs and Kirill Korotaev for reporting issues fixed in this erratum.

All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the eighth regular update.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

This is the eighth regular kernel update to Red Hat Enterprise Linux 3.

New features introduced by this update include :

  - addition of the adp94xx and dcdbas device drivers -     diskdump support on megaraid_sas, qlogic, and swap     partitions - support for new hardware via driver and     SCSI white-list updates

There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3.

There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors.

The following device drivers have been added or upgraded to new versions :

adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH

The following security bugs were fixed in this update :

  - a flaw in the USB devio handling of device removal that     allowed a local user to cause a denial of service     (crash) (CVE-2005-3055, moderate)

  - a flaw in the exec() handling of multi-threaded tasks     using ptrace() that allowed a local user to cause a     denial of service (hang of a user process)     (CVE-2005-3107, low)

  - a difference in 'sysretq' operation of EM64T (as opposed     to Opteron) processors that allowed a local user to     cause a denial of service (crash) upon return from     certain system calls (CVE-2006-0741 and CVE-2006-0744,     important)

  - a flaw in unaligned accesses handling on Intel Itanium     processors that allowed a local user to cause a denial     of service (crash) (CVE-2006-0742, important)

  - an info leak on AMD-based x86 and x86_64 systems that     allowed a local user to retrieve the floating point     exception state of a process run by a different user     (CVE-2006-1056, important)

  - a flaw in IPv4 packet output handling that allowed a     remote user to bypass the zero IP ID countermeasure on     systems with a disabled firewall (CVE-2006-1242, low)

  - a minor info leak in socket option handling in the     network code (CVE-2006-1343, low)

  - a flaw in IPv4 netfilter handling for the unlikely use     of SNMP NAT processing that allowed a remote user to     cause a denial of service (crash) or potential memory     corruption (CVE-2006-2444, moderate)

Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed.

All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

Several security related problems have been discovered in the Linux kernel which may lead to a denial of service or even the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2005-4798     A buffer overflow in NFS readlink handling allows a     malicious remote server to cause a denial of service.

  - CVE-2006-2935     Diego Calleja Garcia discovered a buffer overflow in the     DVD handling code that could be exploited by a specially     crafted DVD USB storage device to execute arbitrary     code.

  - CVE-2006-1528     A bug in the SCSI driver allows a local user to cause a     denial of service.

  - CVE-2006-2444     Patrick McHardy discovered a bug in the SNMP NAT helper     that allows remote attackers to cause a denial of     service.

  - CVE-2006-2446     A race condition in the socket buffer handling allows     remote attackers to cause a denial of service.

  - CVE-2006-3745     Wei Wang discovered a bug in the SCTP implementation     that allows local users to cause a denial of service and     possibly gain root privileges.

  - CVE-2006-4535     David Miller reported a problem with the fix for     CVE-2006-3745 that allows local users to crash the     system via an SCTP socket with a certain SO_LINGER     value.

The following matrix explains which kernel version for which architecture fixes the problem mentioned above :

                              stable (sarge)                 Source                       2.4.27-10sarge4                Alpha architecture           2.4.27-10sarge4                ARM architecture             2.4.27-2sarge4                 Intel IA-32 architecture     2.4.27-10sarge4                Intel IA-64 architecture     2.4.27-10sarge4                Motorola 680x0 architecture  2.4.27-3sarge4                 MIPS architectures           2.4.27-10.sarge4.040815-1      PowerPC architecture         2.4.27-10sarge4                IBM S/390                    2.4.27-2sarge4                 Sun Sparc architecture       2.4.27-9sarge4                 FAI                          1.9.1sarge4                    mindi-kernel                 2.4.27-2sarge3                 kernel-image-speakup-i386    2.4.27-1.1sarge3               systemimager                 3.2.3-6sarge3

Updated kernel packages that fix security issues are now available. 

This update has been rated as having important security impact by the Red Hat Security Response Team. 

The Linux kernel handles the basic functions of the operating system. 

These new kernel packages contain fixes for the security issues described below :


From Red Hat Security Advisory 2006-0617 :

* a flaw in the proc file system that allowed a local user to use a suid-wrapper for scripts to gain root privileges (CVE-2006-3626, Important)

* a flaw in the SCTP implementation that allowed a local user to cause a denial of service (panic) or to possibly gain root privileges (CVE-2006-3745, Important)

* a flaw in NFS exported ext2/ext3 partitions when handling invalid inodes that allowed a remote authenticated user to cause a denial of service (filesystem panic) (CVE-2006-3468, Important)

* a flaw in the restore_all code path of the 4/4GB split support of non-hugemem kernels that allowed a local user to cause a denial of service (panic) (CVE-2006-2932, Important)

* a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT processing that allowed a remote user to cause a denial of service (crash) or potential memory corruption (CVE-2006-2444, Moderate)

* a flaw in the DVD handling of the CDROM driver that could be used together with a custom built USB device to gain root privileges (CVE-2006-2935, Moderate)

* a flaw in the handling of O_DIRECT writes that allowed a local user to cause a denial of service (memory consumption) (CVE-2004-2660, Low)

* a flaw in the SCTP chunk length handling that allowed a remote user to cause a denial of service (crash) (CVE-2006-1858, Low)

* a flaw in the input handling of the ftdi_sio driver that allowed a local user to cause a denial of service (memory consumption) (CVE-2006-2936, Low)

In addition a bugfix was added to enable a clean reboot for the IBM Pizzaro machines.

Red Hat would like to thank Wei Wang of McAfee Avert Labs and Kirill Korotaev for reporting issues fixed in this erratum.


From Red Hat Security Advisory ELSA-2006-0689 :

* a flaw in the SCTP support that allowed a local user to cause a denial of service (crash) with a specific SO_LINGER value.
(CVE-2006-4535, Important)

* a flaw in the hugepage table support that allowed a local user to cause a denial of service (crash). (CVE-2005-4811, Important)

* a flaw in the mprotect system call that allowed setting write permission for a read-only attachment of shared memory.
(CVE-2006-2071, Moderate)

* a flaw in HID0[31] (en_attn) register handling on PowerPC 970 systems that allowed a local user to cause a denial of service.
(crash) (CVE-2006-4093, Moderate)

* a flaw in the perfmon support of Itanium systems that allowed a local user to cause a denial of service by consuming all file descriptors. (CVE-2006-3741, Moderate)

* a flaw in the ATM subsystem. On systems with installed ATM hardware and configured ATM support, a remote user could cause a denial of service (panic) by accessing socket buffers memory after freeing them.
(CVE-2006-4997, Moderate)

* a flaw in the DVB subsystem. On systems with installed DVB hardware and configured DVB support, a remote user could cause a denial of service (panic) by sending a ULE SNDU packet with length of 0.
(CVE-2006-4623, Low)

* an information leak in the network subsystem that possibly allowed a local user to read sensitive data from kernel memory. (CVE-2006-0039, Low)

In addition, two bugfixes for the IPW-2200 wireless driver were included. The first one ensures that wireless management applications correctly identify IPW-2200 controlled devices, while the second fix ensures that DHCP requests using the IPW-2200 operate correctly.

Red Hat would like to thank Olof Johansson, Stephane Eranian and Solar Designer for reporting issues fixed in this erratum.

The remote host is running Kerio MailServer version 6.0.10 or lower.  There is a flaw in the remote version of this server that would allow an attacker to cause the application to fail.  While the details of the flaw are unknown, it is alledged that an attacker can launch the attack without any credentials and render the target service unavailable.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2006-0437.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2006-0617.

ID	Name	Product	Family	Published	Updated	Severity
27877	Ubuntu 5.04 / 5.10 / 6.06 LTS : linux-source-2.6.10/2.6.12/2.6.15 vulnerabilities (USN-302-1)	Nessus	Ubuntu Local Security Checks	11/10/2007	1/19/2021	high
21598	Mandrake Linux Security Advisory : kernel (MDKSA-2006:087)	Nessus	Mandriva Local Security Checks	5/27/2006	1/6/2021	high
22726	Debian DSA-1184-2 : kernel-source-2.6.8 - several vulnerabilities	Nessus	Debian Local Security Checks	10/14/2006	1/4/2021	high
22279	CentOS 4 : kernel (CESA-2006:0617)	Nessus	CentOS Local Security Checks	8/30/2006	1/4/2021	high
22135	CentOS 3 : kernel (CESA-2006:0437)	Nessus	CentOS Local Security Checks	8/4/2006	1/4/2021	high
22725	Debian DSA-1183-1 : kernel-source-2.4.27 - several vulnerabilities	Nessus	Debian Local Security Checks	10/14/2006	1/4/2021	high
67401	Oracle Linux 4 : kernel (ELSA-2006-0617 / ELSA-2006-0689)	Nessus	Oracle Linux Local Security Checks	7/12/2013	1/14/2021	high
22264	RHEL 4 : kernel (RHSA-2006:0617)	Nessus	Red Hat Local Security Checks	8/23/2006	1/14/2021	high
22086	RHEL 3 : kernel (RHSA-2006:0437)	Nessus	Red Hat Local Security Checks	7/21/2006	1/14/2021	high
3469	Kerio MailServer < 6.1.3 Patch 1 Remote DoS	Nessus Network Monitor	SMTP Servers	3/9/2006	3/6/2019	medium
801417	CentOS RHSA-2006-0437 Security Check	Log Correlation Engine	Generic			high
801421	CentOS RHSA-2006-0617 Security Check	Log Correlation Engine	Generic			high

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high

high

medium

high

high