__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Red Hat Updated Kernel Packages
[RHSA-2003:408-05]

December 22, 2003 18:00 GMT                                   Number O-043
[REVISED 15 Jan 2004]
______________________________________________________________________________
PROBLEM:       The execve system call in Linux 2.4.x records the file
               descriptor of the executable process in the file table of the
               calling process, which allows local users to gain read access
               to restricted file descriptors.
PLATFORM:      Red Hat Enterprise Linux AS, ES, WS (v.2.1)
               Kernel-image-2.4.17-ia64
DAMAGE:        Local users can gain read access to restricted file
               descriptors.
SOLUTION:      Upgrade to the erratum package.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. A local user can gain upgraded privileges.
ASSESSMENT:
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-043.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2003:408-05
                     https://rhn.redhat.com/errata/RHSA-2003-408.html
 ADDITIONAL LINK:    http://www.debian.org/security/2004/dsa-423
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0476
______________________________________________________________________________
REVISION HISTORY:
1/15/04 - added a link to Debian Security Advisory DSA-423-1 for
          Linux-kernel-2.4.17-ia64.

[***** Start RHSA-2003:408-05 *****]

Updated kernel packages address security vulnerabilities, bugfixes

Advisory:          RHSA-2003:408-05
Last updated on:   2003-12-19
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
                   Red Hat Enterprise Linux ES (v. 2.1)
                   Red Hat Enterprise Linux WS (v.
2.1)
CVEs (cve.mitre.org): CAN-2003-0476

Security Advisory

Details:

Updated kernel packages that address various security vulnerabilities, fix a
number of bugs, and update various drivers are now available.

The Linux kernel handles the basic functions of the operating system.

The execve system call in Linux 2.4.x records the file descriptor of the
executable process in the file table of the calling process, which allows
local users to gain read access to restricted file descriptors. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0476 to this issue.

A number of bugfixes are included, including important fixes for the ext3
file system and timer code.

New features include limited support for non-cached NFS file systems, Serial
ATA (SATA) devices, and new alt-sysreq debugging options.

In addition, the following drivers have been updated:

- e100 2.3.30-k1
- e1000 5.2.20-k1
- fusion 2.05.05+
- ips 6.10.52
- aic7xxx 6.2.36
- aic79xxx 1.3.10
- megaraid 2 2.00.9
- cciss 2.4.49

All users are advised to upgrade to these erratum packages, which contain
backported patches addressing these issues.

Updated packages:

Red Hat Enterprise Linux AS (v.
2.1)
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.4.9-e.34.src.rpm  9a2fec8ea266a96e7e9027663567bcc8

athlon:
  kernel-2.4.9-e.34.athlon.rpm  a7f341ff87ef2ec7ac5fc98b6faf4733
  kernel-smp-2.4.9-e.34.athlon.rpm  314929f994c284817dba78a98f7e4ab6

i386:
  kernel-BOOT-2.4.9-e.34.i386.rpm  751dcca290aef19f97441735581f752e
  kernel-doc-2.4.9-e.34.i386.rpm  833b9a87e12666a7a3bab95ef0d839e5
  kernel-headers-2.4.9-e.34.i386.rpm  87333913c671d0e3e7a749de0e335e76
  kernel-source-2.4.9-e.34.i386.rpm  a9b3d5e9d162b3a194eaf3008b0eb072

i686:
  kernel-2.4.9-e.34.i686.rpm  c4e713cdbc4c6073a64d75b4dad203bd
  kernel-debug-2.4.9-e.34.i686.rpm  1234399c9c43711dac5a08d6577634ea
  kernel-enterprise-2.4.9-e.34.i686.rpm  4aa1653dc861991cd07554bd28e5f7e2
  kernel-smp-2.4.9-e.34.i686.rpm  1f51cb729dd1e51dbb42e9ba1f6a4436
  kernel-summit-2.4.9-e.34.i686.rpm  bd95e8651a275ad1e5de780e52211ba0

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.4.9-e.34.src.rpm  9a2fec8ea266a96e7e9027663567bcc8

athlon:
  kernel-2.4.9-e.34.athlon.rpm  a7f341ff87ef2ec7ac5fc98b6faf4733
  kernel-smp-2.4.9-e.34.athlon.rpm  314929f994c284817dba78a98f7e4ab6

i386:
  kernel-BOOT-2.4.9-e.34.i386.rpm  751dcca290aef19f97441735581f752e
  kernel-doc-2.4.9-e.34.i386.rpm  833b9a87e12666a7a3bab95ef0d839e5
  kernel-headers-2.4.9-e.34.i386.rpm  87333913c671d0e3e7a749de0e335e76
  kernel-source-2.4.9-e.34.i386.rpm  a9b3d5e9d162b3a194eaf3008b0eb072

i686:
  kernel-2.4.9-e.34.i686.rpm  c4e713cdbc4c6073a64d75b4dad203bd
  kernel-debug-2.4.9-e.34.i686.rpm  1234399c9c43711dac5a08d6577634ea
  kernel-smp-2.4.9-e.34.i686.rpm  1f51cb729dd1e51dbb42e9ba1f6a4436

Red Hat Enterprise Linux WS (v.
2.1)
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.4.9-e.34.src.rpm  9a2fec8ea266a96e7e9027663567bcc8

athlon:
  kernel-2.4.9-e.34.athlon.rpm  a7f341ff87ef2ec7ac5fc98b6faf4733
  kernel-smp-2.4.9-e.34.athlon.rpm  314929f994c284817dba78a98f7e4ab6

i386:
  kernel-BOOT-2.4.9-e.34.i386.rpm  751dcca290aef19f97441735581f752e
  kernel-doc-2.4.9-e.34.i386.rpm  833b9a87e12666a7a3bab95ef0d839e5
  kernel-headers-2.4.9-e.34.i386.rpm  87333913c671d0e3e7a749de0e335e76
  kernel-source-2.4.9-e.34.i386.rpm  a9b3d5e9d162b3a194eaf3008b0eb072

i686:
  kernel-2.4.9-e.34.i686.rpm  c4e713cdbc4c6073a64d75b4dad203bd
  kernel-debug-2.4.9-e.34.i686.rpm  1234399c9c43711dac5a08d6577634ea
  kernel-enterprise-2.4.9-e.34.i686.rpm  4aa1653dc861991cd07554bd28e5f7e2
  kernel-smp-2.4.9-e.34.i686.rpm  1f51cb729dd1e51dbb42e9ba1f6a4436

(The unlinked packages above are only available from the Red Hat Network)

Solution

Release notes, driver notes, and driver disks for this update are available
at the following URL:

http://www.redhat.com/support/errata/rhel/

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

The procedure for upgrading the kernel manually is documented at:

http://www.redhat.com/support/docs/howto/kernel-upgrade/

Please read the directions for your architecture carefully before proceeding
with the kernel upgrade.

Please note that this update is also available via Red Hat Network. Many
people find this to be an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. Note that you need to select the kernel
explicitly on default configurations of up2date.
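To find hosts still running a kernel older than the fixed 2.4.9-e.34 build, the check below classifies `uname -r` strings from an inventory. It is an added example, not part of the Red Hat or CIAC text; the `2.4.9-e.<N>[flavour]` release format, the function names and the sample inventory are assumptions.

```shell
# Added example, not Red Hat or CIAC code: flag hosts whose running kernel
# predates the fixed build named in this advisory (kernel-2.4.9-e.34).
# Assumption: `uname -r` reads 2.4.9-e.<N>[flavour], with flavour suffixes
# taken from the package names listed in the advisory.
FIXED_BASE="2.4.9"
FIXED_ERRATUM=34

# classify_release RELEASE -> prints fixed | vulnerable | unknown
classify_release() {
    rel=$1
    case $rel in
        "$FIXED_BASE"-e.*) ;;
        *) echo unknown; return 0 ;;   # other kernel line, e.g. the ia64 image
    esac
    rest=${rel#"$FIXED_BASE"-e.}
    num=${rest%%[!0-9]*}               # leading digits = erratum number
    [ -n "$num" ] || { echo unknown; return 0; }
    flavour=${rest#"$num"}
    case $flavour in
        ""|smp|enterprise|summit|debug|BOOT) ;;
        *) echo unknown; return 0 ;;   # custom or unparsed build: review by hand
    esac
    if [ "$num" -ge "$FIXED_ERRATUM" ]; then echo fixed; else echo vulnerable; fi
}

# triage_inventory: read "host release" lines on stdin, print each host that
# is not confirmed fixed. Returns 1 if any host needs attention.
triage_inventory() {
    rc=0
    while read -r host rel; do
        case $host in ""|\#*) continue ;; esac
        state=$(classify_release "$rel")
        if [ "$state" != fixed ]; then
            printf '%s %s %s\n' "$host" "$rel" "$state"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inventory (hostnames and releases are made up).
sample_inventory() {
    cat <<'EOF'
# host    uname -r
db01      2.4.9-e.34enterprise
web01     2.4.9-e.27smp
build01   2.4.9-e.34
lab01     2.4.18-14
EOF
}
sample_inventory | triage_inventory || true
```

Hosts reported as `unknown` run a kernel line this check does not parse and need a manual comparison against their own vendor advisory.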
Bugs fixed: (see bugzilla for more information)

74516 - NFS DATA CORRUPTION
75669 - SG queue function getting null pointer
84452 - RHEL AS2.1 QU3 errata: System hangs with 2.1 AS (timer.c)
85211 - USB CDROM crashes with dd on IBM Bladecenter
90872 - md device can be stopped when it should return -EBUSY
99203 - NFS tcp client retransmission with large wsize.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0476

--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End RHSA-2003:408-05 *****]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-033: Sun Xsun Server in Direct Graphics Access (DGA) Vulnerabilities
O-034: rsync Heap Overflow Vulnerability
O-035: Sun 'dtprintinfo(1)' CDE Print Viewer Vulnerability
O-036: CISCO Authentication Library in ACNS Vulnerability
O-037: Red Hat GnuPG Packages ElGamal Keys Vulnerability
O-038: CISCO Unity Vulnerabilities on IBM-based Servers
O-039: CISCO FWSM Vulnerabilities
O-040: CISCO PIX Vulnerabilities
O-041: Sun 'lpstat' Printing Vulnerability
O-042: Red Hat 'lftp' Buffer Overflow Vulnerability