[PLUTO-security]
[Fwd: [RHSA-2003:172-00] Updated 2.4 kernel fixes security vulnerabilities and various bugs]
Tom aka 'Dido'
tom at pluto.linux.it
Thu May 15 10:22:20 CEST 2003
Of interest?
-----Forwarded Message-----
> From: bugzilla a redhat.com
> To: redhat-watch-list a redhat.com, redhat-announce-list a redhat.com
> Subject: [RHSA-2003:172-00] Updated 2.4 kernel fixes security vulnerabilities and various bugs
> Date: 14 May 2003 14:51:00 -0400
>
> ---------------------------------------------------------------------
> Red Hat Security Advisory
>
> Synopsis: Updated 2.4 kernel fixes security vulnerabilities and various bugs
> Advisory ID: RHSA-2003:172-00
> Issue date: 2003-05-14
> Updated on: 2003-05-14
> Product: Red Hat Linux
> Keywords: dos
> Cross references: RHSA-2003-098 RHBA-2003-135
> Obsoletes: RHSA-2003-098 RHBA-2003-135
> CVE Names: CAN-2003-0244 CAN-2003-0246
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> Updated kernel packages that fix a remote denial of service vulnerability
> in the TCP/IP stack, and a local privilege vulnerability, are now available.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.1 - athlon, i386, i586, i686
> Red Hat Linux 7.2 - athlon, i386, i586, i686
> Red Hat Linux 7.3 - athlon, i386, i586, i686
> Red Hat Linux 8.0 - athlon, i386, i586, i686
> Red Hat Linux 9 - athlon, i386, i586, i686
>
> 3. Problem description:
>
> The Linux kernel handles the basic functions of the operating system.
>
> A flaw has been found in several hash table implementations in the kernel
> networking code. A remote attacker could send packets with carefully
> chosen, forged source addresses in such a way as to make every routing
> cache entry get hashed into the same hash chain. The result would be that
> the kernel would use a disproportionate amount of processor time to deal
> with new packets, resulting in a remote denial of service attack. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
> the name CAN-2003-0244 to this issue.
>
> A flaw has been found in the "ioperm" system call, which fails to properly
> restrict privileges. This flaw can allow an unprivileged local user to
> gain read and write access to I/O ports on the system. The Common
> Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
> CAN-2003-0246 to this issue.
>
> All users should upgrade to these updated packages, which are not
> vulnerable to these issues.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To use Red Hat Network to upgrade the kernel, launch the Red Hat Update
> Agent with the following command:
>
> up2date
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system. Note that you need to select the
> kernel explicitly if you are using the default configuration of up2date.
>
> To install kernel packages manually, use "rpm -ivh <package>" and
> modify system settings to boot the kernel you have installed. To
> do this, edit /boot/grub/grub.conf and change the default entry to
> "default=0" (or, if you have chosen to use LILO as your boot loader,
> edit /etc/lilo.conf and run lilo)
>
> Do not use "rpm -Uvh" as that will remove your running kernel binaries
> from your system. You may use "rpm -e" to remove old kernels after
> determining that the new kernel functions properly on your system.
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
> 89743 - usb-uhci Kernel freeze with one-shot interrupt transfers
> 81282 - No pcmcia devices found (HP OmniBook XT6050) after upgrade.
> 89686 - V.110 doesn't work with HFC_PCI cards.
> 89049 - ALi M5451 doesn't work
> 89732 - Installer hangs when loading aic7xxx module
> 89554 - Kernel needs dell inspiron 8500 support
> 88847 - Sound card AZT1008 not initialized by ad1848.o
> 86180 - orinoco_cs periodically drops connection with linksys wpc11v3
> 88550 - Acer 351tev fails loading trident.o module
> 88047 - /proc/<pid>/cmdline is empty
> 90276 - Some drivers are missing a copy_from_user() function call
>
> 6. RPMs required:
>
> Red Hat Linux 7.1:
>
> SRPMS:
> ftp://updates.redhat.com/7.1/en/os/SRPMS/kernel-2.4.20-13.7.src.rpm
>
> athlon:
> ftp://updates.redhat.com/7.1/en/os/athlon/kernel-2.4.20-13.7.athlon.rpm
> ftp://updates.redhat.com/7.1/en/os/athlon/kernel-smp-2.4.20-13.7.athlon.rpm
>
> i386:
> ftp://updates.redhat.com/7.1/en/os/i386/kernel-2.4.20-13.7.i386.rpm
> ftp://updates.redhat.com/7.1/en/os/i386/kernel-source-2.4.20-13.7.i386.rpm
> ftp://updates.redhat.com/7.1/en/os/i386/kernel-doc-2.4.20-13.7.i386.rpm
> ftp://updates.redhat.com/7.1/en/os/i386/kernel-BOOT-2.4.20-13.7.i386.rpm
>
> i586:
> ftp://updates.redhat.com/7.1/en/os/i586/kernel-2.4.20-13.7.i586.rpm
> ftp://updates.redhat.com/7.1/en/os/i586/kernel-smp-2.4.20-13.7.i586.rpm
>
> i686:
> ftp://updates.redhat.com/7.1/en/os/i686/kernel-2.4.20-13.7.i686.rpm
> ftp://updates.redhat.com/7.1/en/os/i686/kernel-smp-2.4.20-13.7.i686.rpm
> ftp://updates.redhat.com/7.1/en/os/i686/kernel-bigmem-2.4.20-13.7.i686.rpm
>
> Red Hat Linux 7.2:
>
> SRPMS:
> ftp://updates.redhat.com/7.2/en/os/SRPMS/kernel-2.4.20-13.7.src.rpm
>
> athlon:
> ftp://updates.redhat.com/7.2/en/os/athlon/kernel-2.4.20-13.7.athlon.rpm
> ftp://updates.redhat.com/7.2/en/os/athlon/kernel-smp-2.4.20-13.7.athlon.rpm
>
> i386:
> ftp://updates.redhat.com/7.2/en/os/i386/kernel-2.4.20-13.7.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/kernel-source-2.4.20-13.7.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/kernel-doc-2.4.20-13.7.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/kernel-BOOT-2.4.20-13.7.i386.rpm
>
> i586:
> ftp://updates.redhat.com/7.2/en/os/i586/kernel-2.4.20-13.7.i586.rpm
> ftp://updates.redhat.com/7.2/en/os/i586/kernel-smp-2.4.20-13.7.i586.rpm
>
> i686:
> ftp://updates.redhat.com/7.2/en/os/i686/kernel-2.4.20-13.7.i686.rpm
> ftp://updates.redhat.com/7.2/en/os/i686/kernel-smp-2.4.20-13.7.i686.rpm
> ftp://updates.redhat.com/7.2/en/os/i686/kernel-bigmem-2.4.20-13.7.i686.rpm
>
> Red Hat Linux 7.3:
>
> SRPMS:
> ftp://updates.redhat.com/7.3/en/os/SRPMS/kernel-2.4.20-13.7.src.rpm
>
> athlon:
> ftp://updates.redhat.com/7.3/en/os/athlon/kernel-2.4.20-13.7.athlon.rpm
> ftp://updates.redhat.com/7.3/en/os/athlon/kernel-smp-2.4.20-13.7.athlon.rpm
>
> i386:
> ftp://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-13.7.i386.rpm
> ftp://updates.redhat.com/7.3/en/os/i386/kernel-source-2.4.20-13.7.i386.rpm
> ftp://updates.redhat.com/7.3/en/os/i386/kernel-doc-2.4.20-13.7.i386.rpm
> ftp://updates.redhat.com/7.3/en/os/i386/kernel-BOOT-2.4.20-13.7.i386.rpm
>
> i586:
> ftp://updates.redhat.com/7.3/en/os/i586/kernel-2.4.20-13.7.i586.rpm
> ftp://updates.redhat.com/7.3/en/os/i586/kernel-smp-2.4.20-13.7.i586.rpm
>
> i686:
> ftp://updates.redhat.com/7.3/en/os/i686/kernel-2.4.20-13.7.i686.rpm
> ftp://updates.redhat.com/7.3/en/os/i686/kernel-smp-2.4.20-13.7.i686.rpm
> ftp://updates.redhat.com/7.3/en/os/i686/kernel-bigmem-2.4.20-13.7.i686.rpm
>
> Red Hat Linux 8.0:
>
> SRPMS:
> ftp://updates.redhat.com/8.0/en/os/SRPMS/kernel-2.4.20-13.8.src.rpm
> ftp://updates.redhat.com/8.0/en/os/SRPMS/oprofile-0.4-44.8.1.src.rpm
>
> athlon:
> ftp://updates.redhat.com/8.0/en/os/athlon/kernel-2.4.20-13.8.athlon.rpm
> ftp://updates.redhat.com/8.0/en/os/athlon/kernel-smp-2.4.20-13.8.athlon.rpm
>
> i386:
> ftp://updates.redhat.com/8.0/en/os/i386/kernel-2.4.20-13.8.i386.rpm
> ftp://updates.redhat.com/8.0/en/os/i386/kernel-source-2.4.20-13.8.i386.rpm
> ftp://updates.redhat.com/8.0/en/os/i386/kernel-doc-2.4.20-13.8.i386.rpm
> ftp://updates.redhat.com/8.0/en/os/i386/kernel-BOOT-2.4.20-13.8.i386.rpm
> ftp://updates.redhat.com/8.0/en/os/i386/oprofile-0.4-44.8.1.i386.rpm
>
> i586:
> ftp://updates.redhat.com/8.0/en/os/i586/kernel-2.4.20-13.8.i586.rpm
> ftp://updates.redhat.com/8.0/en/os/i586/kernel-smp-2.4.20-13.8.i586.rpm
>
> i686:
> ftp://updates.redhat.com/8.0/en/os/i686/kernel-2.4.20-13.8.i686.rpm
> ftp://updates.redhat.com/8.0/en/os/i686/kernel-smp-2.4.20-13.8.i686.rpm
> ftp://updates.redhat.com/8.0/en/os/i686/kernel-bigmem-2.4.20-13.8.i686.rpm
>
> Red Hat Linux 9:
>
> SRPMS:
> ftp://updates.redhat.com/9/en/os/SRPMS/kernel-2.4.20-13.9.src.rpm
>
> athlon:
> ftp://updates.redhat.com/9/en/os/athlon/kernel-2.4.20-13.9.athlon.rpm
> ftp://updates.redhat.com/9/en/os/athlon/kernel-smp-2.4.20-13.9.athlon.rpm
>
> i386:
> ftp://updates.redhat.com/9/en/os/i386/kernel-2.4.20-13.9.i386.rpm
> ftp://updates.redhat.com/9/en/os/i386/kernel-source-2.4.20-13.9.i386.rpm
> ftp://updates.redhat.com/9/en/os/i386/kernel-doc-2.4.20-13.9.i386.rpm
> ftp://updates.redhat.com/9/en/os/i386/kernel-BOOT-2.4.20-13.9.i386.rpm
>
> i586:
> ftp://updates.redhat.com/9/en/os/i586/kernel-2.4.20-13.9.i586.rpm
> ftp://updates.redhat.com/9/en/os/i586/kernel-smp-2.4.20-13.9.i586.rpm
>
> i686:
> ftp://updates.redhat.com/9/en/os/i686/kernel-2.4.20-13.9.i686.rpm
> ftp://updates.redhat.com/9/en/os/i686/kernel-smp-2.4.20-13.9.i686.rpm
> ftp://updates.redhat.com/9/en/os/i686/kernel-bigmem-2.4.20-13.9.i686.rpm
>
<cut>
>
> 8. References:
>
> http://marc.theaimsgroup.com/?l=bk-commits-24&m=105217616607144&w=2
> http://bugzilla.kernel.org/show_bug.cgi?id=703
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0244
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0246
>
> 9. Contact:
>
> The Red Hat security contact is <security a redhat.com>. More contact
> details at http://www.redhat.com/solutions/security/news/contact/
>
> Copyright 2003 Red Hat, Inc.
>
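The first issue in the forwarded advisory (CAN-2003-0244) is a hash-flooding bug: a chained hash table whose bucket function an outsider can predict degenerates into a single long chain, and every lookup then costs O(n). The toy below is an added illustration, not Red Hat's or the kernel's code: `unkeyed_bucket` is a constructed, deliberately predictable bucket function, `keyed_bucket` shows the general mitigation (mixing a secret chosen at boot into the hash so placement cannot be predicted), `skewed_sample` is constructed input, and `chain_skew_alert` is a defender-side health check that flags a table whose longest chain is far above the even-spread length. The table size `NBUCKETS` is an assumption chosen to keep the effect visible.

```python
"""Added illustration of the CAN-2003-0244 class of bug: a chained hash table
whose bucket function is predictable degenerates into one long chain under
chosen input, while keying the hash with a secret keeps chains short.
Toy code; neither Red Hat's nor the kernel's implementation."""
import hashlib
import hmac
import secrets
from collections import Counter

NBUCKETS = 256  # assumption: a small table so the skew is easy to see


def unkeyed_bucket(src: str) -> int:
    """Toy unkeyed bucket function: XOR of the four octets of a dotted-quad
    address, reduced modulo the table size. Anyone who knows it can pick
    inputs that all land in one bucket (constructed; not the kernel's hash)."""
    a, b, c, d = (int(x) for x in src.split("."))
    return (a ^ b ^ c ^ d) % NBUCKETS


def keyed_bucket(src: str, key: bytes) -> int:
    """Mitigation: mix a secret key into the hash, so bucket placement cannot
    be predicted without the key (the general fix for hash flooding)."""
    digest = hmac.new(key, src.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % NBUCKETS


def chain_lengths(addrs, bucket_fn) -> Counter:
    """Entries per bucket, i.e. the length of each hash chain."""
    return Counter(bucket_fn(a) for a in addrs)


def longest_chain(addrs, bucket_fn) -> int:
    return max(chain_lengths(addrs, bucket_fn).values())


def skewed_sample(n: int) -> list:
    """Constructed sample of n (<= 65536) distinct source addresses whose
    octets XOR to zero, so unkeyed_bucket() puts all of them in bucket 0."""
    out = []
    for i in range(n):
        a, b = (i >> 8) & 0xFF, i & 0xFF
        out.append(f"10.{a}.{b}.{10 ^ a ^ b}")
    return out


def chain_skew_alert(addrs, bucket_fn, factor: float = 8.0) -> bool:
    """Defender-side health check: flag the table when its longest chain is
    more than `factor` times the even-spread length n / NBUCKETS."""
    expected = max(1.0, len(addrs) / NBUCKETS)
    return longest_chain(addrs, bucket_fn) > factor * expected


def compare(n: int = 4096) -> dict:
    """Longest chain under both bucket functions for the same skewed input."""
    addrs = skewed_sample(n)
    key = secrets.token_bytes(16)  # stands in for a per-boot secret
    return {
        "unkeyed": longest_chain(addrs, unkeyed_bucket),
        "keyed": longest_chain(addrs, lambda s: keyed_bucket(s, key)),
    }


if __name__ == "__main__":
    print(compare())
```

With 4096 skewed entries the unkeyed table has one chain of length 4096, while the keyed table's longest chain stays in the low tens; the alert fires only for the former. The check is cheap to keep as a table statistic and is a reasonable signal that a hash table is being targeted rather than merely busy.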
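The Solution section installs the new kernel with `rpm -ivh` alongside the old one and then relies on the administrator to change the boot default, so a host can have the fixed package installed while still running the vulnerable kernel. The helper below is an added example, not Red Hat tooling: it takes a `uname -r` string and `rpm -q kernel...` output (both constructed here), orders versions with a simplified re-implementation of rpm's segment comparison, and reports whether the host is patched, has the fix installed but not booted, or is unpatched. The fixed versions come from section 6 of the advisory; the assumption that `uname -r` appends the flavour (`smp`, `bigmem`, `BOOT`) directly after the release is labelled in the code.

```python
"""Added helper for the 'Solution' section: decide whether a Red Hat Linux host
is running a kernel at or above the fixed package version from this advisory.
Not Red Hat tooling; uses a simplified re-implementation of rpm's version order."""
import re

# Fixed kernel version-release per Red Hat Linux release, from section 6.
FIXED_KERNEL = {
    "7.1": "2.4.20-13.7",
    "7.2": "2.4.20-13.7",
    "7.3": "2.4.20-13.7",
    "8.0": "2.4.20-13.8",
    "9": "2.4.20-13.9",
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings segment by segment (simplified
    rpm rules: numeric segments compare as integers, alphabetic ones lexically,
    numeric beats alphabetic, and the longer string wins a tie)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_evr(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_uname(uname_r: str) -> tuple:
    """Split a `uname -r` string such as '2.4.20-13.9smp' into
    ('2.4.20-13.9', 'smp'). Assumption: these kernels append the flavour
    (smp, bigmem, BOOT) to the release with no separator."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+-\d+(?:\.\d+)*)([A-Za-z]*)", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    return m.group(1), m.group(2)


def installed_kernels(rpm_q_output: str) -> list:
    """Version-release strings from `rpm -q kernel kernel-smp kernel-bigmem`
    output lines such as 'kernel-2.4.20-8' or 'kernel-smp-2.4.20-13.9'."""
    evrs = []
    for line in rpm_q_output.splitlines():
        m = re.fullmatch(r"kernel(?:-[A-Za-z]+)?-(\d+\.\d+\.\d+-[\d.]+)", line.strip())
        if m:
            evrs.append(m.group(1))
    return evrs


def patch_status(uname_r: str, rpm_q_output: str, rhl_release: str) -> str:
    """'patched' if the running kernel is at or above the fixed version;
    'installed-not-booted' if a fixed kernel is installed but the host still
    runs an older one (the grub/lilo step of the advisory was skipped);
    'unpatched' otherwise."""
    fixed = FIXED_KERNEL[rhl_release]
    running, _ = parse_uname(uname_r)
    if compare_evr(running, fixed) >= 0:
        return "patched"
    if any(compare_evr(evr, fixed) >= 0 for evr in installed_kernels(rpm_q_output)):
        return "installed-not-booted"
    return "unpatched"


if __name__ == "__main__":
    # Constructed sample: fixed kernel added with rpm -ivh, old one still booted.
    sample = "kernel-2.4.20-8\nkernel-2.4.20-13.9\n"
    print(patch_status("2.4.20-8", sample, "9"))
```

The running kernel, not the package database, is the check that matters: `rpm -q` reports the fixed package as soon as `rpm -ivh` completes, but the host stays exposed until the new entry is the default in `grub.conf` or `lilo.conf` and the machine has been rebooted into it.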