[Full-Disclosure] [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities

From: bugzilla@redhat.com
Date: 03/20/03

    From: bugzilla@redhat.com
    To: redhat-watch-list@redhat.com, redhat-announce-list@redhat.com
    Date: Thu, 20 Mar 2003 03:59 -0500
    

    ---------------------------------------------------------------------
                       Red Hat Security Advisory

    Synopsis: New kernel 2.2 packages fix vulnerabilities
    Advisory ID: RHSA-2003:088-01
    Issue date: 2003-03-20
    Updated on: 2003-03-20
    Product: Red Hat Linux
    Keywords: ethernet frame padding /proc/pid/mem
    Cross references:
    Obsoletes: RHSA-2002:264
    CVE Names: CAN-2003-0001 CAN-2003-1380 CAN-2003-0127
    ---------------------------------------------------------------------

    1. Topic:

    Updated kernel packages for Red Hat Linux 6.2 and 7.0 are now available
    that fix several security vulnerabilities.

    2. Relevant releases/architectures:

    Red Hat Linux 6.2 - i386, i586, i686
    Red Hat Linux 7.0 - i386, i586, i686

    3. Problem description:

    The Linux kernel handles the basic functions of the operating system.

    A bug in the kernel module loader code allows a local user to gain root
    privileges. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CAN-2003-0127 to this issue.

    Multiple Ethernet Network Interface Card (NIC) device drivers do not pad
    short frames with null bytes, which allows remote attackers to obtain
    information from previous packets or kernel memory by using malformed
    packets. The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CAN-2003-0001 to this issue.
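    The following is an added illustration, not code from the advisory or from any Red Hat driver: it simulates the frame-padding condition described above with a reused transmit buffer, shows the zeroed-padding fix beside it, and includes the check a defender would run over a captured short frame. ETH_ZLEN/ETH_HLEN mirror the kernel's constants; tx_leaky, tx_padded, nonzero_padding and leak_count are hypothetical names.

```c
/* Added example, not from the advisory or any Red Hat driver. Simulates
 * CAN-2003-0001: one reused transmit buffer, short frames padded to
 * ETH_ZLEN (60 bytes) without zeroing, so tail bytes of the previous
 * frame leak onto the wire. All function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ZLEN 60   /* minimum Ethernet frame length, excluding FCS */
#define ETH_HLEN 14   /* dst MAC + src MAC + EtherType */
static uint8_t tx_buf[ETH_ZLEN];   /* DMA-style buffer reused per frame */

/* Vulnerable pattern (frames up to ETH_ZLEN only): copy the frame in and
 * hand ETH_ZLEN bytes to the NIC; tx_buf[len..59] still holds whatever
 * the previous frame left there. */
size_t tx_leaky(const uint8_t *frame, size_t len, uint8_t *wire)
{
    memcpy(tx_buf, frame, len);
    size_t out = len < ETH_ZLEN ? ETH_ZLEN : len;
    memcpy(wire, tx_buf, out);
    return out;
}

/* Fixed pattern: zero the padding region first; the same copy-and-send
 * path is then safe because nothing stale remains past `len`. */
size_t tx_padded(const uint8_t *frame, size_t len, uint8_t *wire)
{
    if (len < ETH_ZLEN)
        memset(tx_buf + len, 0, ETH_ZLEN - len);
    return tx_leaky(frame, len, wire);
}

/* Defender-side check on a captured frame: every byte past the real
 * payload (known from the IP total length) must be zero. */
int nonzero_padding(const uint8_t *wire, size_t wire_len, size_t payload_len)
{
    int n = 0;
    for (size_t i = ETH_HLEN + payload_len; i < wire_len; i++)
        if (wire[i] != 0) n++;
    return n;
}

/* Send a full 60-byte frame, then a 20-byte frame (14-byte header plus a
 * 6-byte payload), through one tx path; return leaked padding bytes. */
int leak_count(size_t (*tx)(const uint8_t *, size_t, uint8_t *))
{
    uint8_t big[ETH_ZLEN], small[20], wire[ETH_ZLEN];
    memset(big, 0xAA, sizeof big);       /* constructed sample frames */
    memset(small, 0x11, sizeof small);
    tx(big, sizeof big, wire);
    size_t out = tx(small, sizeof small, wire);
    return nonzero_padding(wire, out, sizeof small - ETH_HLEN);
}
```

With the leaky path all 40 padding bytes of the short frame carry the previous frame's 0xAA bytes; with the padded path none do, which is exactly what a capture-based check should see before and after applying this update.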

    The Linux 2.2 kernel allows local users to cause a denial of service
    (crash) by using the mmap() function with a PROT_READ parameter to access
    non-readable memory pages through the /proc/pid/mem interface. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
    the name CAN-2002-1380 to this issue.

    All users of Red Hat Linux 6.2 and 7 should upgrade to these errata
    packages, which contain version 2.2.24 of the Linux kernel with patches and
    are not vulnerable to these issues.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    The procedure for upgrading the kernel is documented at:

    http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html

    Please read the directions for your architecture carefully before
    proceeding with the kernel upgrade.

    Please note that this update is also available via Red Hat Network. Many
    people find this to be an easier way to apply updates. To use Red Hat
    Network, launch the Red Hat Update Agent with the following command:

    up2date

    This will start an interactive process that will result in the appropriate
    RPMs being upgraded on your system. Note that you need to select the kernel
    explicitly on default configurations of up2date.

    5. RPMs required:

    Red Hat Linux 6.2:

    SRPMS:
    ftp://updates.redhat.com/6.2/en/os/SRPMS/kernel-2.2.24-6.2.3.src.rpm

    i386:
    ftp://updates.redhat.com/6.2/en/os/i386/kernel-smp-2.2.24-6.2.3.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/kernel-2.2.24-6.2.3.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/kernel-BOOT-2.2.24-6.2.3.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/kernel-ibcs-2.2.24-6.2.3.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/kernel-utils-2.2.24-6.2.3.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/kernel-pcmcia-cs-2.2.24-6.2.3.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/kernel-doc-2.2.24-6.2.3.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/kernel-headers-2.2.24-6.2.3.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/kernel-source-2.2.24-6.2.3.i386.rpm

    i586:
    ftp://updates.redhat.com/6.2/en/os/i586/kernel-smp-2.2.24-6.2.3.i586.rpm
    ftp://updates.redhat.com/6.2/en/os/i586/kernel-2.2.24-6.2.3.i586.rpm

    i686:
    ftp://updates.redhat.com/6.2/en/os/i686/kernel-enterprise-2.2.24-6.2.3.i686.rpm
    ftp://updates.redhat.com/6.2/en/os/i686/kernel-smp-2.2.24-6.2.3.i686.rpm
    ftp://updates.redhat.com/6.2/en/os/i686/kernel-2.2.24-6.2.3.i686.rpm

    Red Hat Linux 7.0:

    SRPMS:
    ftp://updates.redhat.com/7.0/en/os/SRPMS/kernel-2.2.24-7.0.3.src.rpm

    i386:
    ftp://updates.redhat.com/7.0/en/os/i386/kernel-smp-2.2.24-7.0.3.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/kernel-2.2.24-7.0.3.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/kernel-BOOT-2.2.24-7.0.3.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/kernel-ibcs-2.2.24-7.0.3.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/kernel-utils-2.2.24-7.0.3.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/kernel-pcmcia-cs-2.2.24-7.0.3.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/kernel-doc-2.2.24-7.0.3.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/kernel-source-2.2.24-7.0.3.i386.rpm

    i586:
    ftp://updates.redhat.com/7.0/en/os/i586/kernel-smp-2.2.24-7.0.3.i586.rpm
    ftp://updates.redhat.com/7.0/en/os/i586/kernel-2.2.24-7.0.3.i586.rpm

    i686:
    ftp://updates.redhat.com/7.0/en/os/i686/kernel-enterprise-2.2.24-7.0.3.i686.rpm
    ftp://updates.redhat.com/7.0/en/os/i686/kernel-smp-2.2.24-7.0.3.i686.rpm
    ftp://updates.redhat.com/7.0/en/os/i686/kernel-2.2.24-7.0.3.i686.rpm

    6. Verification:


    These packages are GPG signed by Red Hat, Inc. for security. Our key
    is available at http://www.redhat.com/about/contact/pgpkey.html

    You can verify each package with the following command:

        rpm --checksig -v <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the md5sum with the following command:

        md5sum <filename>

    7. References:

    http://www.atstake.com/research/advisories/2003/a010603-1.txt
    http://marc.theaimsgroup.com/?l=bugtraq&m=104033054204316
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1380
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127

    8. Contact:

    The Red Hat security contact is <security@redhat.com>. More contact
    details at http://www.redhat.com/solutions/security/news/contact.html

    Copyright 2003 Red Hat, Inc.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

