__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Kernel Security Update [Red Hat RHSA-2007:0705-2] September 14, 2007 17:00 GMT Number R-348 [REVISED 28 Sept 2007] [REVISED 09 Nov 2007] [REVISED 7 Dec 2007] [REVISED 30 Jan 2008] ______________________________________________________________________________ PROBLEM: There are multiple security package updates for vulnerabilities in RHEL 5 Kernel. PLATFORM: Red Hat Enterprise Linux (v. 5 server) Red Hat Enterprise Linux Desktop (v. 5 client) Red Hat Desktop (v. 3, v. 4) Red Hat Enterprise Linux AS, ES, WS (v. 3, v. 4) Debian GNU/Linux 4.0 (etch) DAMAGE: Could allow a remote user to cause a Denial of Service. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. Could allow a remote user to cause a Denial ASSESSMENT: of Service. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-348.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2007-0705.html ADDITIONAL LINKS: http://www.debian.org/security/2007/dsa-1378 https://rhn.redhat.com/errata/RHSA-2007-0939.html https://rhn.redhat.com/errata/RHSA-2007-1049.html http://www.debian.org/security/2007/dsa-1479 CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2007-1217 CVE-2007-2875 CVE-2007-2876 CVE-2007-2878 CVE-2007-3739 CVE-2007-3740 CVE-2007-3843 CVE-2007-3851 ______________________________________________________________________________ REVISION HISTORY: 9/28/2007 - revised R-348 to add a link to Debian Security Advisory DSA-1378-1 for Debian GNU/Linux 4.0 (etch). 11/09/2007 - revised R-348 to add a link to Red Hat RHSA-2007:0939-10 for Red Hat Desktop (v. 4), Enterprise Linux AS, ES, WS (v. 4). 12/07/2007 - revised R-348 to add a link to Red Hat RHSA-2007:1049-8 for Red Hat Desktop (v. 3), Enterprise Linux AS, ES, WS (v. 3). 01/30/2008 - revised R-348 to add a link to Debian Security Advisory DSA-1479-1 for Debian GNU/Linux 4.0 (etch). [***** Start Red Hat RHSA-2007:0705-2 *****] Important: kernel security update Advisory: RHSA-2007:0705-2 Type: Security Advisory Severity: Important Issued on: 2007-09-13 Last updated on: 2007-09-13 Affected Products: Red Hat Enterprise Linux (v. 5 server) Red Hat Enterprise Linux Desktop (v. 5 client) OVAL: com.redhat.rhsa-20070705.xml CVEs (cve.mitre.org): CVE-2007-1217 CVE-2007-2875 CVE-2007-2876 CVE-2007-2878 CVE-2007-3739 CVE-2007-3740 CVE-2007-3843 CVE-2007-3851 Details Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues: * a flaw in the DRM driver for Intel graphics cards that allowed a local user to access any part of the main memory. To access the DRM functionality a user must have access to the X server which is granted through the graphical login. This also only affected systems with an Intel 965 or later graphic chipset. (CVE-2007-3851, Important) * a flaw in the VFAT compat ioctl handling on 64-bit systems that allowed a local user to corrupt a kernel_dirent struct and cause a denial of service (system crash). (CVE-2007-2878, Important) * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * flaw in the CIFS filesystem which could cause the umask values of a process to not be honored. This affected CIFS filesystems where the Unix extensions are supported. (CVE-2007-3740, Important) * a flaw in the stack expansion when using the hugetlb kernel on PowerPC systems that allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim's machine. (CVE-2007-1217, Moderate) * a flaw in the cpuset support that allowed a local user to obtain sensitive information from kernel memory. To exploit this the cpuset filesystem would have to already be mounted. (CVE-2007-2875, Moderate) * a flaw in the CIFS handling of the mount option "sec=" that didn't enable integrity checking and didn't produce any error message. (CVE-2007-3843, Low) Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues. Solution Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 Updated packages Red Hat Enterprise Linux (v. 5 server) -------------------------------------------------------------------------------- SRPMS: kernel-2.6.18-8.1.10.el5.src.rpm 5f74582de33ce8b315880f6cb07311e6 IA-32: kernel-2.6.18-8.1.10.el5.i686.rpm 16b97bdb995aa6681170799312591c72 kernel-PAE-2.6.18-8.1.10.el5.i686.rpm a61584927192304a1d40b53745074085 kernel-PAE-devel-2.6.18-8.1.10.el5.i686.rpm b6d6df13e6c363a81ec28ac3afe46908 kernel-devel-2.6.18-8.1.10.el5.i686.rpm ed130904f07738efc3dabecd6fe68fe6 kernel-doc-2.6.18-8.1.10.el5.noarch.rpm af1b26b4f9e73c3af08b46688d5d2863 kernel-headers-2.6.18-8.1.10.el5.i386.rpm f81654a091ecedecbc2071ca620ec223 kernel-xen-2.6.18-8.1.10.el5.i686.rpm fb0eafb1c20fffc8612fb583bbd788e4 kernel-xen-devel-2.6.18-8.1.10.el5.i686.rpm bf53cbe6d13d2a7d107d1bd537ec3e94 IA-64: kernel-2.6.18-8.1.10.el5.ia64.rpm a7b2e1fb984905246b17218edf151b06 kernel-devel-2.6.18-8.1.10.el5.ia64.rpm 421177b849689f729cd4febc5c337fdd kernel-doc-2.6.18-8.1.10.el5.noarch.rpm af1b26b4f9e73c3af08b46688d5d2863 kernel-headers-2.6.18-8.1.10.el5.ia64.rpm e80ab55ee7f8963fcf5b427a41c24a31 kernel-xen-2.6.18-8.1.10.el5.ia64.rpm 133e0959fee0f94737a7c89190fdae7b kernel-xen-devel-2.6.18-8.1.10.el5.ia64.rpm 718b04420fcb182ed0b6ba70ee574299 PPC: kernel-2.6.18-8.1.10.el5.ppc64.rpm 80e526bbb9a1fed949e4fad8d23d6623 kernel-devel-2.6.18-8.1.10.el5.ppc64.rpm d3754631864a81fc320ffaa47cb435c2 kernel-doc-2.6.18-8.1.10.el5.noarch.rpm af1b26b4f9e73c3af08b46688d5d2863 kernel-headers-2.6.18-8.1.10.el5.ppc.rpm a4cb338ecc9b6752e7f36f68a560e1da kernel-headers-2.6.18-8.1.10.el5.ppc64.rpm 657ac2e99eb8f7028c3e2809482c7ac0 kernel-kdump-2.6.18-8.1.10.el5.ppc64.rpm c8305e90ec618c573e2fdcc408546314 kernel-kdump-devel-2.6.18-8.1.10.el5.ppc64.rpm fe57409ab0a5f6b47ee3c11ab661577f s390x: kernel-2.6.18-8.1.10.el5.s390x.rpm e0e0cb8fec88915e1d10ccf83fd79d43 kernel-devel-2.6.18-8.1.10.el5.s390x.rpm e528893bce68ccde786fd8db0ef753e3 kernel-doc-2.6.18-8.1.10.el5.noarch.rpm af1b26b4f9e73c3af08b46688d5d2863 kernel-headers-2.6.18-8.1.10.el5.s390x.rpm ba46c5d17edd49d7cbb2c9543d2755db x86_64: kernel-2.6.18-8.1.10.el5.x86_64.rpm 102de3dd8363c9985a0745ddb414e447 kernel-devel-2.6.18-8.1.10.el5.x86_64.rpm 0cf51a82f64803278f0dbf31c6af16aa kernel-doc-2.6.18-8.1.10.el5.noarch.rpm af1b26b4f9e73c3af08b46688d5d2863 kernel-headers-2.6.18-8.1.10.el5.x86_64.rpm b3646ed8c818f718261a95ca51a4752d kernel-xen-2.6.18-8.1.10.el5.x86_64.rpm 3a8b8b9b9d7b800b3a3e3961bc8f341d kernel-xen-devel-2.6.18-8.1.10.el5.x86_64.rpm d834b7026996ac910111dc846ccc0275 Red Hat Enterprise Linux Desktop (v. 5 client) -------------------------------------------------------------------------------- SRPMS: kernel-2.6.18-8.1.10.el5.src.rpm 5f74582de33ce8b315880f6cb07311e6 IA-32: kernel-2.6.18-8.1.10.el5.i686.rpm 16b97bdb995aa6681170799312591c72 kernel-PAE-2.6.18-8.1.10.el5.i686.rpm a61584927192304a1d40b53745074085 kernel-PAE-devel-2.6.18-8.1.10.el5.i686.rpm b6d6df13e6c363a81ec28ac3afe46908 kernel-devel-2.6.18-8.1.10.el5.i686.rpm ed130904f07738efc3dabecd6fe68fe6 kernel-doc-2.6.18-8.1.10.el5.noarch.rpm af1b26b4f9e73c3af08b46688d5d2863 kernel-headers-2.6.18-8.1.10.el5.i386.rpm f81654a091ecedecbc2071ca620ec223 kernel-xen-2.6.18-8.1.10.el5.i686.rpm fb0eafb1c20fffc8612fb583bbd788e4 kernel-xen-devel-2.6.18-8.1.10.el5.i686.rpm bf53cbe6d13d2a7d107d1bd537ec3e94 x86_64: kernel-2.6.18-8.1.10.el5.x86_64.rpm 102de3dd8363c9985a0745ddb414e447 kernel-devel-2.6.18-8.1.10.el5.x86_64.rpm 0cf51a82f64803278f0dbf31c6af16aa kernel-doc-2.6.18-8.1.10.el5.noarch.rpm af1b26b4f9e73c3af08b46688d5d2863 kernel-headers-2.6.18-8.1.10.el5.x86_64.rpm b3646ed8c818f718261a95ca51a4752d kernel-xen-2.6.18-8.1.10.el5.x86_64.rpm 3a8b8b9b9d7b800b3a3e3961bc8f341d kernel-xen-devel-2.6.18-8.1.10.el5.x86_64.rpm d834b7026996ac910111dc846ccc0275 (The unlinked packages above are only available from the Red Hat Network) Bugs fixed (see bugzilla for more information) 232260 - CVE-2007-1217 Overflow in CAPI subsystem 245773 - CVE-2007-2875 cpuset information leak 245774 - CVE-2007-2876 {ip, nf}_conntrack_sctp: remotely triggerable NULL ptr dereference 247726 - CVE-2007-2878 VFAT compat ioctls DoS on 64-bit 251185 - CVE-2007-3851 i965 DRM allows insecure packets 253313 - CVE-2007-3739 LTC36188-Don't allow the stack to grow into hugetlb reserved regions 253314 - CVE-2007-3740 CIFS should honor umask 253315 - CVE-2007-3843 CIFS signing sec= mount options don't work correctly References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1217 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2875 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2878 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3739 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3843 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3851 http://www.redhat.com/security/updates/classification/#important -------------------------------------------------------------------------------- These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/ [***** End Red Hat RHSA-2007:0705-2 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) R-338: postfix-policy Vulnerability R-339: Quiksoft EasyMauil SMTP ActiveX Vulnerabilities R-340: Vulnerability in Microsoft Agent R-341: Vulnerability in Crystal Reports for Visual Studio R-342: Cisco Video Surveillance IP Gateway and Services Platform Authentication Vulnerabilities R-343: Vulnerability in MSN Messenger and Windows Live Messenger R-344: Vulnerability in Windows Services for UNIX R-345: ClamAV Vulnerabilities R-346: krb5 Vulnerability R-347: xorg-server Vulnerability