Message-ID: <441A08AF.1020203@videotron.ca>
Date: Thu, 16 Mar 2006 19:54:07 -0500
From: Marc Deslauriers <marcdeslauriers@...eotron.ca>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [FLSA-2006:157459-4] Updated kernel packages fix security issues
---------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated kernel packages fix security issues
Advisory ID: FLSA:157459-4
Issue date: 2006-03-16
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2002-2185 CVE-2005-2709 CVE-2005-3044
CVE-2005-3274 CVE-2005-3356 CVE-2005-3358
CVE-2005-3527 CVE-2005-3784 CVE-2005-3805
CVE-2005-3806 CVE-2005-3807 CVE-2005-3857
CVE-2005-4605 CVE-2006-0095 CVE-2006-0454
---------------------------------------------------------------------
---------------------------------------------------------------------
1. Topic:
Updated kernel packages that fix several security issues are now
available.
The Linux kernel handles the basic functions of the operating system.
2. Relevant releases/architectures:
Fedora Core 3 - i386, x86_64
3. Problem description:
These new kernel packages contain fixes for the security issues
described below:
- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)
- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)
- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed
a local user to cause a denial of service (crash) (CVE-2005-3044)
- a race condition in ip_vs_conn_flush that allowed a local user to
cause a denial of service (CVE-2005-3274)
- a flaw in mq_open system call that allowed a local user to cause a
denial of service (crash) (CVE-2005-3356)
- a flaw in set_mempolicy that allowed a local user on some 64-bit
architectures to cause a denial of service (crash) (CVE-2005-3358)
- a race condition in do_coredump in signal.c that allowed a local user
to cause a denial of service (crash) (CVE-2005-3527)
- a flaw in the auto-reap of child processes that allowed a local user
to cause a denial of service (crash) (CVE-2005-3784)
- a flaw in the POSIX timer cleanup handling that allowed a local user
to cause a denial of service (crash) (CVE-2005-3805)
- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)
- a memory leak in the VFS file lease handling that allowed a local user
to cause a denial of service (CVE-2005-3807)
- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)
- a flaw in procfs handling that allowed a local user to read kernel
memory (CVE-2005-4605)
- a memory disclosure flaw in dm-crypt that allowed a local user to
obtain sensitive information about a cryptographic key (CVE-2006-0095)
- a flaw while constructing an ICMP response that allowed remote users
to cause a denial of service (crash) (CVE-2006-0454)
All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To install kernel packages manually, use "rpm -ivh <package>" and modify
system settings to boot the kernel you have installed. To do this, edit
/boot/grub/grub.conf and change the default entry to "default=0" (or, if
you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and
run lilo).
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
Note that this may not automatically pull the new kernel in if you have
configured apt/yum to ignore kernels. If so, follow the manual
instructions above.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459
6. RPMs required:
Fedora Core 3:
SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/kernel-2.6.12-2.3.legacy_FC3.src.rpm
i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-2.6.12-2.3.legacy_FC3.i586.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-2.6.12-2.3.legacy_FC3.i686.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i586.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i686.rpm
x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kernel-2.6.12-2.3.legacy_FC3.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kernel-smp-2.6.12-2.3.legacy_FC3.x86_64.rpm
7. Verification:
SHA1 sum                                  Package Name
---------------------------------------------------------------------
b9e37d94319ce74e98aa053d9da798437b979a5e  fedora/3/updates/i386/kernel-2.6.12-2.3.legacy_FC3.i586.rpm
e8698e932795b5a8c9ecc97e95fab42f55d71ac9  fedora/3/updates/i386/kernel-2.6.12-2.3.legacy_FC3.i686.rpm
58e7014a387ef6e17bf9f68d26eb1242a9dab3f2  fedora/3/updates/i386/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
d09fb6f194558505d8d52fb22a60420cd35a06f1  fedora/3/updates/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i586.rpm
640077c447f1ac5edf5e21000c916bb750006f84  fedora/3/updates/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i686.rpm
3341ee0cc5e61d464a9982a5f96ec802d9121965  fedora/3/updates/x86_64/kernel-2.6.12-2.3.legacy_FC3.x86_64.rpm
58e7014a387ef6e17bf9f68d26eb1242a9dab3f2  fedora/3/updates/x86_64/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
ab4a29a3ec0bceda378319476b6ce46613805f90  fedora/3/updates/x86_64/kernel-smp-2.6.12-2.3.legacy_FC3.x86_64.rpm
725204fe5e8fb35b54083be1a6757cc8be43cf9d  fedora/3/updates/SRPMS/kernel-2.6.12-2.3.legacy_FC3.src.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
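The verification step above checks one file at a time by eye. The following script is an added example, not part of the Fedora Legacy advisory: it reads a manifest in the same "<sha1> <package path>" shape as the section 7 table, compares every downloaded RPM against its published digest, and wraps the advisory's own rpm --checksig call so nothing is installed until both checks pass. It assumes sha1sum and rpm are on the PATH; the manifest file and its contents are constructed by the caller.

```shell
#!/bin/sh
# Added example (not from the advisory): gate a kernel update on the SHA1
# sums published in section 7 plus the package's GPG signature.
# Assumes sha1sum and rpm are available on the PATH.

# verify_sha1 FILE EXPECTED_SHA1
# Returns 0 when the file's SHA1 digest equals EXPECTED_SHA1, 1 on a
# mismatch and 2 when the file cannot be read.
verify_sha1() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "missing:  $file" >&2; return 2; }
    # sha1sum prints "<digest>  <name>"; keep only the digest.
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK        $file"
        return 0
    fi
    echo "MISMATCH  $file (got $actual, want $expected)" >&2
    return 1
}

# verify_manifest MANIFEST DIR
# MANIFEST holds one "<sha1> <relative package path>" line per package,
# exactly as laid out in the advisory's verification table. Each package is
# looked up by basename inside DIR (where the RPMs were downloaded).
# Returns the number of packages that failed, so 0 means all matched.
verify_manifest() {
    manifest=$1
    dir=$2
    failures=0
    while read -r sum path; do
        [ -n "$sum" ] || continue          # skip blank lines
        verify_sha1 "$dir/$(basename "$path")" "$sum" || failures=$((failures + 1))
    done < "$manifest"
    return "$failures"
}

# check_signature FILE
# The advisory's own signature check; rpm exits non-zero on a bad or missing
# signature once the Fedora Legacy key has been imported with rpm --import.
check_signature() {
    rpm --checksig -v "$1"
}

# install_if_verified FILE EXPECTED_SHA1
# Only hands the package to "rpm -ivh" (the manual step from section 4)
# after both the digest and the signature have been verified.
install_if_verified() {
    verify_sha1 "$1" "$2" && check_signature "$1" && rpm -ivh "$1"
}
```

A mismatch means the download is corrupt or was altered in transit; re-download from the listed URL rather than installing.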
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0454
9. Contact:
The Fedora Legacy security contact is <secnotice@...oralegacy.org>. More
project details at http://www.fedoralegacy.org
---------------------------------------------------------------------