lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4a8b26d7.KklvuoeH8eiwQob9%announce-noreply@rpath.com>
Date: Tue, 18 Aug 2009 18:10:31 -0400
From: rPath Update Announcements <announce-noreply@...th.com>
To: product-announce@...ts.rpath.com, product-announce@...ts.rpath.com,
	security-announce@...ts.rpath.com, update-announce@...ts.rpath.com
Cc: lwn@....net, full-disclosure@...ts.grok.org.uk, vulnwatch@...nwatch.org,
	bugtraq@...urityfocus.com
Subject: rPSA-2009-0121-1 kernel open-vm-tools

rPath Security Advisory: 2009-0121-1
Published: 2009-08-18
Products:
    rPath Appliance Platform Linux Service 1
    rPath Appliance Platform Linux Service 2
    rPath Linux 2

Rating: Minor
Exposure Level Classification:
    Local Root Deterministic Unauthorized Access
Updated Versions:
    kernel=conary.rpath.com@rpl:2/2.6.29.6-0.6-1
    kernel=rap.rpath.com@...th:linux-1/2.6.29.6-7-1
    open-vm-tools=conary.rpath.com@rpl:2/2009.07.22_179896-0.2-1
    open-vm-tools=rap.rpath.com@...th:linux-1/2009.07.22_179896-2-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-3102
    https://issues.rpath.com/browse/RPL-3103

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2962

Description:
    Previous versions of the kernel have a weakness which in a non-default
    configuration (if vm.mmap_min_addr is 0) allows normal users processes
    to execute arbitrary code as the root user.  rPath Linux is configured
    by default with vm.mmap_min_addr=65536 and so is not vulnerable
    by default.  Furthermore, rPath Linux does not include two other
    mechanisms by which this vulnerability has been exploited (pulseaudio
    and SELinux policy permitting access to address 0).
    
    In addition, the open-vm-tools package (including kernel modules)
    has been updated to the most recent upstream release for continued
    compatibility with new VMware hosts.  In addition, this enables user
    programs to use the libraries included in open-vm-tools.  However,
    the library interfaces included in open-vm-tools are not being
    maintained by rPath as a stable library interface; future updates of
    the open-vm-tools package will follow whatever changes have been made
    in the upstream open-vm-tools package to the open-vm-tools libraries,
    even if those changes are incompatible with the current versions.

http://wiki.rpath.com/Advisories:rPSA-2009-0121

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ