                             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |      /_\   /
                          \___  __|__   /   \  \___
                             __________________________________________________________

                             INFORMATION BULLETIN

                        kernel Update [RHSA-2006:0493-6]

May 24, 2006 20:00 GMT                                            Number Q-206
                                                      [REVISED 15 June 2006]
                                                      [REVISED 05 July 2006]
                                                      [REVISED 14 July 2006]
                                                      [REVISED 21 July 2006]
                                                      [REVISED 25 Sept 2006]
                                                      [REVISED 7 Nov 2006]
______________________________________________________________________________

PROBLEM:       Updated kernel packages that fix several security issues.

PLATFORM:      Red Hat Desktop (v. 3 & v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 3 & v. 4)

DAMAGE:        Vulnerabilities are detailed below:
               Two missing LSM hooks that allowed a local user to bypass
               the LSM by using readv() or writev().
               A directory traversal vulnerability in smbfs that allowed
               a local user to escape chroot restrictions for an
               SMB-mounted filesystem via "..\\" sequences.

SOLUTION:      Apply current updates.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM - Local user can bypass access controls and
ASSESSMENT:    also escalate privileges on the machine.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-206.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2006-0493.html
 ADDITIONAL LINKS:   Debian Security Advisory 1097-1
                     http://www.debian.org/security/2006/dsa-1097
                     Debian Security Advisory 1103-1
                     http://www.debian.org/security/2006/dsa-1103
                     RHSA-2006:0579-12
                     https://rhn.redhat.com/errata/RHSA-2006-0579.html
                     RHSA-2006:0580-7
                     https://rhn.redhat.com/errata/RHSA-2006-0580.html
                     RHSA-2006:0437-22
                     https://rhn.redhat.com/errata/RHSA-2006-0437.html
                     Debian Security Advisory 1184-1
                     http://www.debian.org/security/2006/dsa-1184
                     RHSA-2006:0710-7
                     https://rhn.redhat.com/errata/RHSA-2006-0710.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3272
                     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1856
                     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
______________________________________________________________________________

REVISION HISTORY:
 06/15/2006 - added a link to Debian Security Advisory 1097-1
 07/05/2006 - added a link to Debian Security Advisory 1103-1
 07/14/2006 - added links to Red Hat Security Advisories RHSA-2006:0579-12
              and RHSA-2006:0580-7
 07/21/2006 - added a link to Red Hat Security Advisory RHSA-2006:0437-22
              for Red Hat Desktop (v. 3) and Enterprise Linux AS, ES, WS (v. 3)
 09/25/2006 - added a link to Debian Security Advisory 1184-1.
 11/07/2006 - revised to add a link to Red Hat RHSA-2006:0710-7 for Red Hat
              Desktop (v. 3), and Red Hat Enterprise Linux AS, ES, WS (v. 3).

[***** Start RHSA-2006:0493-6 *****]

Important: kernel security update

Advisory:         RHSA-2006:0493-6
Type:             Security Advisory
Issued on:        2006-05-24
Last updated on:  2006-05-24

Affected Products:
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org):
  CVE-2005-2973
  CVE-2005-3272
  CVE-2005-3359
  CVE-2006-0555
  CVE-2006-0741
  CVE-2006-0744
  CVE-2006-1522
  CVE-2006-1525
  CVE-2006-1527
  CVE-2006-1528
  CVE-2006-1855
  CVE-2006-1856
  CVE-2006-1862
  CVE-2006-1864
  CVE-2006-2271
  CVE-2006-2272
  CVE-2006-2274

Details

Updated kernel packages that fix several security issues in the Red Hat
Enterprise Linux 4 kernel are now available.

This security advisory has been rated as having important security impact by
the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described
below:

* a flaw in the IPv6 implementation that allowed a local user to cause a
  denial of service (infinite loop and crash) (CVE-2005-2973, important)

* a flaw in the bridge implementation that allowed a remote user to cause
  forwarding of spoofed packets via poisoning of the forwarding table with
  already dropped frames (CVE-2005-3272, moderate)

* a flaw in the atm module that allowed a local user to cause a denial of
  service (panic) via certain socket calls (CVE-2005-3359, important)

* a flaw in the NFS client implementation that allowed a local user to cause
  a denial of service (panic) via O_DIRECT writes (CVE-2006-0555, important)

* a difference in "sysretq" operation of EM64T (as opposed to Opteron)
  processors that allowed a local user to cause a denial of service (crash)
  upon return from certain system calls (CVE-2006-0741 and CVE-2006-0744,
  important)

* a flaw in the keyring implementation that allowed a local user to cause a
  denial of service (OOPS) (CVE-2006-1522, important)

* a flaw in IP routing implementation that allowed a local user to cause a
  denial of service (panic) via a request for a route for a multicast IP
  (CVE-2006-1525, important)

* a flaw in the SCTP-netfilter implementation that allowed a remote user to
  cause a denial of service (infinite loop) (CVE-2006-1527, important)

* a flaw in the sg driver that allowed a local user to cause a denial of
  service (crash) via a dio transfer to memory mapped (mmap) IO space
  (CVE-2006-1528, important)

* a flaw in the threading implementation that allowed a local user to cause
  a denial of service (panic) (CVE-2006-1855, important)

* two missing LSM hooks that allowed a local user to bypass the LSM by using
  readv() or writev() (CVE-2006-1856, moderate)

* a flaw in the virtual memory implementation that allowed a local user to
  cause a denial of service (panic) by using the lsof command
  (CVE-2006-1862, important)

* a directory traversal vulnerability in smbfs that allowed a local user to
  escape chroot restrictions for an SMB-mounted filesystem via "..\\"
  sequences (CVE-2006-1864, moderate)

* a flaw in the ECNE chunk handling of SCTP that allowed a remote user to
  cause a denial of service (panic) (CVE-2006-2271, moderate)

* a flaw in the handling of COOKIE_ECHO and HEARTBEAT control chunks of SCTP
  that allowed a remote user to cause a denial of service (panic)
  (CVE-2006-2272, moderate)

* a flaw in the handling of DATA fragments of SCTP that allowed a remote user
  to cause a denial of service (infinite recursion and crash)
  (CVE-2006-2274, moderate)

All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to
the packages associated with their machine architectures and configurations
as listed in this erratum.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------

SRPMS:
kernel-2.6.9-34.0.1.EL.src.rpm                  d43492e556689a0607d7bafd927024b7

IA-32:
kernel-2.6.9-34.0.1.EL.i686.rpm                 34813080d97fdd6f647fd7d4f809c7fc
kernel-devel-2.6.9-34.0.1.EL.i686.rpm           e78b9ccc0c954cff7cb40e6f02b24674
kernel-doc-2.6.9-34.0.1.EL.noarch.rpm           4969d66062c65e2f969a5b23f3d038fb
kernel-hugemem-2.6.9-34.0.1.EL.i686.rpm         3c00e3363ab92e43224a3017fb7bb4a3
kernel-hugemem-devel-2.6.9-34.0.1.EL.i686.rpm   861c261dc99531fecc8b90a579e3d406
kernel-smp-2.6.9-34.0.1.EL.i686.rpm             ac1a65bd4766603619c7871c8454312d
kernel-smp-devel-2.6.9-34.0.1.EL.i686.rpm       20bb2e56287af558784e341a22ecc899

x86_64:
kernel-2.6.9-34.0.1.EL.x86_64.rpm               055f1e2e0ec115d813792811018da5e6
kernel-devel-2.6.9-34.0.1.EL.x86_64.rpm         ab2acc3e78f549776c01be84b8aae710
kernel-largesmp-2.6.9-34.0.1.EL.x86_64.rpm      4c09ae42fe85e7fa0699cde07b163802
kernel-largesmp-devel-2.6.9-34.0.1.EL.x86_64.rpm 3bb0bc6a400c3bd7faebe3070402f356
kernel-smp-2.6.9-34.0.1.EL.x86_64.rpm           f11147d14d9f88a9760aa67af12d7d6c
kernel-smp-devel-2.6.9-34.0.1.EL.x86_64.rpm     c411c259c433dd3fe50222a5a3ebc472

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------

SRPMS:
kernel-2.6.9-34.0.1.EL.src.rpm                  d43492e556689a0607d7bafd927024b7

IA-32:
kernel-2.6.9-34.0.1.EL.i686.rpm                 34813080d97fdd6f647fd7d4f809c7fc
kernel-devel-2.6.9-34.0.1.EL.i686.rpm           e78b9ccc0c954cff7cb40e6f02b24674
kernel-doc-2.6.9-34.0.1.EL.noarch.rpm           4969d66062c65e2f969a5b23f3d038fb
kernel-hugemem-2.6.9-34.0.1.EL.i686.rpm         3c00e3363ab92e43224a3017fb7bb4a3
kernel-hugemem-devel-2.6.9-34.0.1.EL.i686.rpm   861c261dc99531fecc8b90a579e3d406
kernel-smp-2.6.9-34.0.1.EL.i686.rpm             ac1a65bd4766603619c7871c8454312d
kernel-smp-devel-2.6.9-34.0.1.EL.i686.rpm       20bb2e56287af558784e341a22ecc899

IA-64:
kernel-2.6.9-34.0.1.EL.ia64.rpm                 bb16d7851570a9973acc285b1c10d4c5
kernel-devel-2.6.9-34.0.1.EL.ia64.rpm           20207fbb33c783bad9de5c2d8d8b9a07
kernel-largesmp-2.6.9-34.0.1.EL.ia64.rpm        3a4a43172ab8119ffcec9a28abce6a69
kernel-largesmp-devel-2.6.9-34.0.1.EL.ia64.rpm  58810e499bf182b64a4a11b2391e04b3

PPC:
kernel-2.6.9-34.0.1.EL.ppc64.rpm                50f16a3bc3db576300e8ed39b7e58696
kernel-2.6.9-34.0.1.EL.ppc64iseries.rpm         40f0c5f7d16d02e70f7058572c59829d
kernel-devel-2.6.9-34.0.1.EL.ppc64.rpm          80b022ce31c0fd4fe94742f36e528d75
kernel-devel-2.6.9-34.0.1.EL.ppc64iseries.rpm   65479dc320135ebefacb42c27ded8277
kernel-largesmp-2.6.9-34.0.1.EL.ppc64.rpm       1e22096056638a03e4c473a0d0158268
kernel-largesmp-devel-2.6.9-34.0.1.EL.ppc64.rpm 224188bba442a6b6109689afb7bba903

s390:
kernel-2.6.9-34.0.1.EL.s390.rpm                 8ddc9750a621e3ea4142d1adfd06a5c5
kernel-devel-2.6.9-34.0.1.EL.s390.rpm           ba2a9b707ce91af1e7ae817b726ed6c5

s390x:
kernel-2.6.9-34.0.1.EL.s390x.rpm                4bf39050d27a794cc1df5b3eb916484a
kernel-devel-2.6.9-34.0.1.EL.s390x.rpm          e959fb20625849eccbd399958265fe84

x86_64:
kernel-2.6.9-34.0.1.EL.x86_64.rpm               055f1e2e0ec115d813792811018da5e6
kernel-devel-2.6.9-34.0.1.EL.x86_64.rpm         ab2acc3e78f549776c01be84b8aae710
kernel-largesmp-2.6.9-34.0.1.EL.x86_64.rpm      4c09ae42fe85e7fa0699cde07b163802
kernel-largesmp-devel-2.6.9-34.0.1.EL.x86_64.rpm 3bb0bc6a400c3bd7faebe3070402f356
kernel-smp-2.6.9-34.0.1.EL.x86_64.rpm           f11147d14d9f88a9760aa67af12d7d6c
kernel-smp-devel-2.6.9-34.0.1.EL.x86_64.rpm     c411c259c433dd3fe50222a5a3ebc472

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------

SRPMS:
kernel-2.6.9-34.0.1.EL.src.rpm                  d43492e556689a0607d7bafd927024b7

IA-32:
kernel-2.6.9-34.0.1.EL.i686.rpm                 34813080d97fdd6f647fd7d4f809c7fc
kernel-devel-2.6.9-34.0.1.EL.i686.rpm           e78b9ccc0c954cff7cb40e6f02b24674
kernel-doc-2.6.9-34.0.1.EL.noarch.rpm           4969d66062c65e2f969a5b23f3d038fb
kernel-hugemem-2.6.9-34.0.1.EL.i686.rpm         3c00e3363ab92e43224a3017fb7bb4a3
kernel-hugemem-devel-2.6.9-34.0.1.EL.i686.rpm   861c261dc99531fecc8b90a579e3d406
kernel-smp-2.6.9-34.0.1.EL.i686.rpm             ac1a65bd4766603619c7871c8454312d
kernel-smp-devel-2.6.9-34.0.1.EL.i686.rpm       20bb2e56287af558784e341a22ecc899

IA-64:
kernel-2.6.9-34.0.1.EL.ia64.rpm                 bb16d7851570a9973acc285b1c10d4c5
kernel-devel-2.6.9-34.0.1.EL.ia64.rpm           20207fbb33c783bad9de5c2d8d8b9a07
kernel-largesmp-2.6.9-34.0.1.EL.ia64.rpm        3a4a43172ab8119ffcec9a28abce6a69
kernel-largesmp-devel-2.6.9-34.0.1.EL.ia64.rpm  58810e499bf182b64a4a11b2391e04b3

x86_64:
kernel-2.6.9-34.0.1.EL.x86_64.rpm               055f1e2e0ec115d813792811018da5e6
kernel-devel-2.6.9-34.0.1.EL.x86_64.rpm         ab2acc3e78f549776c01be84b8aae710
kernel-largesmp-2.6.9-34.0.1.EL.x86_64.rpm      4c09ae42fe85e7fa0699cde07b163802
kernel-largesmp-devel-2.6.9-34.0.1.EL.x86_64.rpm 3bb0bc6a400c3bd7faebe3070402f356
kernel-smp-2.6.9-34.0.1.EL.x86_64.rpm           f11147d14d9f88a9760aa67af12d7d6c
kernel-smp-devel-2.6.9-34.0.1.EL.x86_64.rpm     c411c259c433dd3fe50222a5a3ebc472

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------

SRPMS:
kernel-2.6.9-34.0.1.EL.src.rpm                  d43492e556689a0607d7bafd927024b7

IA-32:
kernel-2.6.9-34.0.1.EL.i686.rpm                 34813080d97fdd6f647fd7d4f809c7fc
kernel-devel-2.6.9-34.0.1.EL.i686.rpm           e78b9ccc0c954cff7cb40e6f02b24674
kernel-doc-2.6.9-34.0.1.EL.noarch.rpm           4969d66062c65e2f969a5b23f3d038fb
kernel-hugemem-2.6.9-34.0.1.EL.i686.rpm         3c00e3363ab92e43224a3017fb7bb4a3
kernel-hugemem-devel-2.6.9-34.0.1.EL.i686.rpm   861c261dc99531fecc8b90a579e3d406
kernel-smp-2.6.9-34.0.1.EL.i686.rpm             ac1a65bd4766603619c7871c8454312d
kernel-smp-devel-2.6.9-34.0.1.EL.i686.rpm       20bb2e56287af558784e341a22ecc899

IA-64:
kernel-2.6.9-34.0.1.EL.ia64.rpm                 bb16d7851570a9973acc285b1c10d4c5
kernel-devel-2.6.9-34.0.1.EL.ia64.rpm           20207fbb33c783bad9de5c2d8d8b9a07
kernel-largesmp-2.6.9-34.0.1.EL.ia64.rpm        3a4a43172ab8119ffcec9a28abce6a69
kernel-largesmp-devel-2.6.9-34.0.1.EL.ia64.rpm  58810e499bf182b64a4a11b2391e04b3

x86_64:
kernel-2.6.9-34.0.1.EL.x86_64.rpm               055f1e2e0ec115d813792811018da5e6
kernel-devel-2.6.9-34.0.1.EL.x86_64.rpm         ab2acc3e78f549776c01be84b8aae710
kernel-largesmp-2.6.9-34.0.1.EL.x86_64.rpm      4c09ae42fe85e7fa0699cde07b163802
kernel-largesmp-devel-2.6.9-34.0.1.EL.x86_64.rpm 3bb0bc6a400c3bd7faebe3070402f356
kernel-smp-2.6.9-34.0.1.EL.x86_64.rpm           f11147d14d9f88a9760aa67af12d7d6c
kernel-smp-devel-2.6.9-34.0.1.EL.x86_64.rpm     c411c259c433dd3fe50222a5a3ebc472

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

168791 - CVE-2006-1528 Possible local crash by dio/mmap sg driver
170772 - CVE-2005-2973 ipv6 infinite loop
171383 - CVE-2005-3272 bridge poisoning
175769 - CVE-2005-3359 incorrect increment/decrement in atm module leads to panic
181795 - CVE-2006-0555 NFS client panic using O_DIRECT
183489 - CVE-2006-0741 bad elf entry address (CVE-2006-0744)
187841 - CVE-2006-1855 Old thread debugging causes false BUG() in choose_new_parent
188466 - CVE-2006-1522 DoS/bug in keyring code (security/keys/)
189260 - CVE-2006-1862 The lsof command triggers a kernel oops under heavy load
189346 - CVE-2006-1525 ip_route_input() panic
189435 - CVE-2006-1864 smbfs chroot issue
190460 - CVE-2006-1527 netfilter/sctp: lockup in sctp_new()
191201 - CVE-2006-2271 SCTP ECNE chunk handling DoS
191202 - CVE-2006-2272 SCTP incoming COOKIE_ECHO and HEARTBEAT packets DoS
191258 - CVE-2006-2274 SCTP DATA fragments DoS
191524 - CVE-2006-1856 LSM missing readv/writev

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3359
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2274
http://www.redhat.com/security/updates/classification/#important

Keywords

kernel, nahant, update

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com.
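The two checks an administrator actually needs from the erratum are "is the kernel I am running at or above 2.6.9-34.0.1.EL?" and "do the RPMs I downloaded match the md5 sums listed above?". The script below is an added example, not part of the CIAC bulletin or the Red Hat erratum. It assumes md5sum(1) and awk(1) are present; the manifest format is one "package md5" pair per line, which is what you get by copying a product block from the package list above, and the file names and sums in the demo section are constructed values. The md5 comparison only catches a corrupted or mixed-up download; the erratum's own tamper check is the GPG signature, verified with `rpm -K` after importing Red Hat's package key.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin or the Red Hat erratum.
# Two defender-side checks for RHSA-2006:0493:
#   1. kernel_is_fixed RELEASE  - is RELEASE at or above the fixed release?
#   2. verify_manifest FILE DIR - do the RPMs in DIR match the sums in FILE?
# Assumes md5sum(1) and awk(1). Demo data at the bottom is constructed.

FIXED_RELEASE="2.6.9-34.0.1.EL"   # first release carrying the fixes in this erratum

# kernel_is_fixed RELEASE -> exit 0 if RELEASE >= FIXED_RELEASE, else 1.
# Compares the numeric fields of a "2.6.9-34.0.1.EL" style release (as printed
# by `uname -r` or `rpm -q kernel`); the "EL" suffix and any variant suffix
# (ELsmp, ELhugemem, ...) are ignored. Missing trailing fields count as 0, so
# the unpatched "2.6.9-34.EL" sorts below "2.6.9-34.0.1.EL".
kernel_is_fixed() {
    awk -v have="$1" -v want="$FIXED_RELEASE" '
    function key(s,    n, i, parts, out, v) {
        gsub(/-/, ".", s)
        n = split(s, parts, ".")
        out = ""
        for (i = 1; i <= 6; i++) {
            v = (i <= n && parts[i] ~ /^[0-9]+$/) ? parts[i] + 0 : 0
            out = out sprintf("%05d", v)     # fixed width: string order == numeric order
        }
        return out
    }
    BEGIN { exit !(key(have) >= key(want)) }'
}

# verify_manifest MANIFEST DIR -> prints one line per package; returns 1 if any
# listed package is missing from DIR or its md5 differs from the manifest.
# An md5 mismatch means a bad download; it is not a substitute for the GPG
# signature check the erratum asks for ("rpm -K DIR/package.rpm").
verify_manifest() {
    manifest=$1; dir=$2; rc=0
    while read -r pkg sum; do
        [ -n "$pkg" ] || continue
        if [ ! -f "$dir/$pkg" ]; then
            echo "MISSING  $pkg"; rc=1; continue
        fi
        actual=$(md5sum "$dir/$pkg" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $pkg"
        else
            echo "MISMATCH $pkg (expected $sum, got $actual)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# --- demo on constructed data -------------------------------------------------
for rel in "2.6.9-34.EL" "2.6.9-34.0.1.ELsmp" "2.6.9-42.0.3.EL"; do
    if kernel_is_fixed "$rel"; then
        echo "$rel: at or above $FIXED_RELEASE"
    else
        echo "$rel: below $FIXED_RELEASE, update required"
    fi
done

demo=$(mktemp -d)
printf '' > "$demo/empty-sample.rpm"          # constructed: md5 of empty input
printf 'hello\n' > "$demo/hello-sample.rpm"   # constructed: md5 of "hello\n"
cat > "$demo/manifest" <<'EOF'
empty-sample.rpm d41d8cd98f00b204e9800998ecf8427e
hello-sample.rpm b1946ac92492d2347c6235b4d2611184
missing-sample.rpm 00000000000000000000000000000000
EOF
verify_manifest "$demo/manifest" "$demo" || echo "at least one package failed verification"
rm -rf "$demo"
```

On a real host you would run `kernel_is_fixed "$(uname -r)"` and feed `verify_manifest` the block copied from the product you run (for example the x86_64 list of Red Hat Enterprise Linux AS), then `rpm -K` each file before installing.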
More contact details at http://www.redhat.com/security/team/contact/

Copyright © 2002-05 Red Hat, Inc. All rights reserved.

[***** End RHSA-2006:0493-6 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-196: Apple Security Update 2006-003
Q-197: QuickTime 7.1 Update
Q-198: Vulnerability in phpldapadmin
Q-199: Security Vulnerability in Sun Java System Directory
Q-200: Sun N1 Vulnerability
Q-201: awstats
Q-202: Microsoft Word Vulnerability
Q-203: MySQL
Q-204: Linux Kernel Vulnerabilities
Q-205: HP Tru64 UNIX