Re: [Full-Disclosure] [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities

From: Steffen Kluge (kluge@fujitsu.com.au)
Date: 03/25/03

  • Next message: Daniel Ahlberg: "[Full-Disclosure] GLSA: glibc (200303-22)"
    From: Steffen Kluge <kluge@fujitsu.com.au>
    To: full-disclosure@lists.netsys.com
    Date: 25 Mar 2003 10:53:03 +1100
    

    # uname -mrs
    Linux 2.2.19 sparc
    # cat /etc/redhat-release
    Red Hat Linux release 6.2 (Zoot)
    # rpmbuild --rebuild kernel-2.2.24-6.2.3.src.rpm
    Installing kernel-2.2.24-6.2.3.src.rpm
    error: Architecture is not included: sparc

    What gives? Last time I checked RH6.2 supported sparc.
    Has that been silently dropped now as well? Did I
    miss something...?

    Cheers
    Steffen.

    On Thu, 2003-03-20 at 19:59, bugzilla@redhat.com wrote:
    > ---------------------------------------------------------------------
    > Red Hat Security Advisory
    >
    > Synopsis: New kernel 2.2 packages fix vulnerabilities
    > Advisory ID: RHSA-2003:088-01
    > Issue date: 2003-03-20
    > Updated on: 2003-03-20
    > Product: Red Hat Linux
    > Keywords: ethernet frame padding /proc/pid/mem
    > Cross references:
    > Obsoletes: RHSA-2002:264
    > CVE Names: CAN-2003-0001 CAN-2003-1380 CAN-2003-0127
    > ---------------------------------------------------------------------
    >
    > 1. Topic:
    >
    > Updated kernel packages for Red Hat Linux 6.2 and 7.0 are now available
    > that fix several security vulnerabilities.
    >
    > 2. Relevant releases/architectures:
    >
    > Red Hat Linux 6.2 - i386, i586, i686
    > Red Hat Linux 7.0 - i386, i586, i686
    >
    > 3. Problem description:
    >
    > The Linux kernel handles the basic functions of the operating system.
    >
    > A bug in the kernel module loader code allows a local user to gain root
    > privileges. The Common Vulnerabilities and Exposures project
    > (cve.mitre.org) has assigned the name CAN-2003-0127 to this issue.
    >
    > Multiple ethernet Network Interface Card (NIC) device drivers do not pad
    > frames with null bytes, which allows remote attackers to obtain information
    > from previous packets or kernel memory by using malformed packets. The
    > Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
    > the name CAN-2003-0001 to this issue.
    >
    > The Linux 2.2 kernel allows local users to cause a denial of service
    > (crash) by using the mmap() function with a PROT_READ parameter to access
    > non-readable memory pages through the /proc/pid/mem interface. The
    > Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
    > the name CAN-2002-1380 to this issue.
    >
    > All users of Red Hat Linux 6.2 and 7 should upgrade to these errata
    > packages, which contain version 2.2.24 of the Linux kernel with patches and
    > are not vulnerable to these issues.
    >
    > 4. Solution:
    >
    > Before applying this update, make sure all previously released errata
    > relevant to your system have been applied.
    >
    > The procedure for upgrading the kernel is documented at:
    >
    > http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html
    >
    > Please read the directions for your architecture carefully before
    > proceeding with the kernel upgrade.
    >
    > Please note that this update is also available via Red Hat Network. Many
    > people find this to be an easier way to apply updates. To use Red Hat
    > Network, launch the Red Hat Update Agent with the following command:
    >
    > up2date
    >
    > This will start an interactive process that will result in the appropriate
    > RPMs being upgraded on your system. Note that you need to select the kernel
    > explicitly on default configurations of up2date.
    >
    > 5. RPMs required:
    >
    > Red Hat Linux 6.2:
    >
    > SRPMS:
    > ftp://updates.redhat.com/6.2/en/os/SRPMS/kernel-2.2.24-6.2.3.src.rpm
    >
    > i386:
    > ftp://updates.redhat.com/6.2/en/os/i386/kernel-smp-2.2.24-6.2.3.i386.rpm
    > ftp://updates.redhat.com/6.2/en/os/i386/kernel-2.2.24-6.2.3.i386.rpm
    > ftp://updates.redhat.com/6.2/en/os/i386/kernel-BOOT-2.2.24-6.2.3.i386.rpm
    > ftp://updates.redhat.com/6.2/en/os/i386/kernel-ibcs-2.2.24-6.2.3.i386.rpm
    > ftp://updates.redhat.com/6.2/en/os/i386/kernel-utils-2.2.24-6.2.3.i386.rpm
    > ftp://updates.redhat.com/6.2/en/os/i386/kernel-pcmcia-cs-2.2.24-6.2.3.i386.rpm
    > ftp://updates.redhat.com/6.2/en/os/i386/kernel-doc-2.2.24-6.2.3.i386.rpm
    > ftp://updates.redhat.com/6.2/en/os/i386/kernel-headers-2.2.24-6.2.3.i386.rpm
    > ftp://updates.redhat.com/6.2/en/os/i386/kernel-source-2.2.24-6.2.3.i386.rpm
    >
    > i586:
    > ftp://updates.redhat.com/6.2/en/os/i586/kernel-smp-2.2.24-6.2.3.i586.rpm
    > ftp://updates.redhat.com/6.2/en/os/i586/kernel-2.2.24-6.2.3.i586.rpm
    >
    > i686:
    > ftp://updates.redhat.com/6.2/en/os/i686/kernel-enterprise-2.2.24-6.2.3.i686.rpm
    > ftp://updates.redhat.com/6.2/en/os/i686/kernel-smp-2.2.24-6.2.3.i686.rpm
    > ftp://updates.redhat.com/6.2/en/os/i686/kernel-2.2.24-6.2.3.i686.rpm
    >
    > Red Hat Linux 7.0:
    >
    > SRPMS:
    > ftp://updates.redhat.com/7.0/en/os/SRPMS/kernel-2.2.24-7.0.3.src.rpm
    >
    > i386:
    > ftp://updates.redhat.com/7.0/en/os/i386/kernel-smp-2.2.24-7.0.3.i386.rpm
    > ftp://updates.redhat.com/7.0/en/os/i386/kernel-2.2.24-7.0.3.i386.rpm
    > ftp://updates.redhat.com/7.0/en/os/i386/kernel-BOOT-2.2.24-7.0.3.i386.rpm
    > ftp://updates.redhat.com/7.0/en/os/i386/kernel-ibcs-2.2.24-7.0.3.i386.rpm
    > ftp://updates.redhat.com/7.0/en/os/i386/kernel-utils-2.2.24-7.0.3.i386.rpm
    > ftp://updates.redhat.com/7.0/en/os/i386/kernel-pcmcia-cs-2.2.24-7.0.3.i386.rpm
    > ftp://updates.redhat.com/7.0/en/os/i386/kernel-doc-2.2.24-7.0.3.i386.rpm
    > ftp://updates.redhat.com/7.0/en/os/i386/kernel-source-2.2.24-7.0.3.i386.rpm
    >
    > i586:
    > ftp://updates.redhat.com/7.0/en/os/i586/kernel-smp-2.2.24-7.0.3.i586.rpm
    > ftp://updates.redhat.com/7.0/en/os/i586/kernel-2.2.24-7.0.3.i586.rpm
    >
    > i686:
    > ftp://updates.redhat.com/7.0/en/os/i686/kernel-enterprise-2.2.24-7.0.3.i686.rpm
    > ftp://updates.redhat.com/7.0/en/os/i686/kernel-smp-2.2.24-7.0.3.i686.rpm
    > ftp://updates.redhat.com/7.0/en/os/i686/kernel-2.2.24-7.0.3.i686.rpm
    >
    >
    >
    > 6. Verification:
    >
    > MD5 sum Package Name
    > --------------------------------------------------------------------------
    > e75a158ad3428385d80db17358c01d72 6.2/en/os/SRPMS/kernel-2.2.24-6.2.3.src.rpm
    > 7c8137e737a20ce12528264742f1cf29 6.2/en/os/i386/kernel-2.2.24-6.2.3.i386.rpm
    > 4d98b8669950a871a4f604955b8fdcd2 6.2/en/os/i386/kernel-BOOT-2.2.24-6.2.3.i386.rpm
    > 169d7580f048e5ac4f97b60794182234 6.2/en/os/i386/kernel-doc-2.2.24-6.2.3.i386.rpm
    > c0ad13a3bd0f5c97cd6c776c8c4d2506 6.2/en/os/i386/kernel-headers-2.2.24-6.2.3.i386.rpm
    > 4a7ac11d656242c86cb5c1a4630f1b7a 6.2/en/os/i386/kernel-ibcs-2.2.24-6.2.3.i386.rpm
    > 3c99049af4f8807ea107cbf5eb3a1838 6.2/en/os/i386/kernel-pcmcia-cs-2.2.24-6.2.3.i386.rpm
    > da7c86e906fe8a5dfdccd5472e4b7264 6.2/en/os/i386/kernel-smp-2.2.24-6.2.3.i386.rpm
    > 826eb077660afb473e46d88a660a6f1c 6.2/en/os/i386/kernel-source-2.2.24-6.2.3.i386.rpm
    > d069a463fe21bab5f76f02a31502123e 6.2/en/os/i386/kernel-utils-2.2.24-6.2.3.i386.rpm
    > eb349334ef125e741a85a8e869e7b523 6.2/en/os/i586/kernel-2.2.24-6.2.3.i586.rpm
    > adc808ed4014edaa4d4b010ddac4309c 6.2/en/os/i586/kernel-smp-2.2.24-6.2.3.i586.rpm
    > 321dbf853a0cb81c8170459f8fc97893 6.2/en/os/i686/kernel-2.2.24-6.2.3.i686.rpm
    > e1750055ee17c7d57816f7ca8f3ccd2d 6.2/en/os/i686/kernel-enterprise-2.2.24-6.2.3.i686.rpm
    > 76e6f3fe66df3ed6860264abe5a18de8 6.2/en/os/i686/kernel-smp-2.2.24-6.2.3.i686.rpm
    > 49e5f301b4cddb0ede8e4debf749d284 7.0/en/os/SRPMS/kernel-2.2.24-7.0.3.src.rpm
    > 7848dce7df9d50b7b4559f9e3f6cf9a1 7.0/en/os/i386/kernel-2.2.24-7.0.3.i386.rpm
    > 3e16df51fe2cb5d4d2d452f48a8467f1 7.0/en/os/i386/kernel-BOOT-2.2.24-7.0.3.i386.rpm
    > 5868fb09b963014bb7d6af0b0f07b6c0 7.0/en/os/i386/kernel-doc-2.2.24-7.0.3.i386.rpm
    > 511ca20d6c01b4c631b8878bfc4cc76e 7.0/en/os/i386/kernel-ibcs-2.2.24-7.0.3.i386.rpm
    > e05486b8be3252fa24dbfbccae7c539e 7.0/en/os/i386/kernel-pcmcia-cs-2.2.24-7.0.3.i386.rpm
    > 98b15116f2e5d623357e6f008118fcd5 7.0/en/os/i386/kernel-smp-2.2.24-7.0.3.i386.rpm
    > 837c9b0986e9762a01756d169d96705d 7.0/en/os/i386/kernel-source-2.2.24-7.0.3.i386.rpm
    > 1086439f7e649ca231a7074aa1273a80 7.0/en/os/i386/kernel-utils-2.2.24-7.0.3.i386.rpm
    > f0e5f6db3bfd8852c1869b70b9b1229f 7.0/en/os/i586/kernel-2.2.24-7.0.3.i586.rpm
    > 72def97b1db6f807bd98bc2513807de9 7.0/en/os/i586/kernel-smp-2.2.24-7.0.3.i586.rpm
    > a134b4ed1db1733842e1206ace192825 7.0/en/os/i686/kernel-2.2.24-7.0.3.i686.rpm
    > 5adeaf42c35a3b350623667e4026980e 7.0/en/os/i686/kernel-enterprise-2.2.24-7.0.3.i686.rpm
    > ef79dfd39815de20ae4a435341ec195c 7.0/en/os/i686/kernel-smp-2.2.24-7.0.3.i686.rpm
    >
    >
    > These packages are GPG signed by Red Hat, Inc. for security. Our key
    > is available at http://www.redhat.com/about/contact/pgpkey.html
    >
    > You can verify each package with the following command:
    >
    > rpm --checksig -v <filename>
    >
    > If you only wish to verify that each package has not been corrupted or
    > tampered with, examine only the md5sum with the following command:
    >
    > md5sum <filename>
    >
    >
    > 7. References:
    >
    > http://www.atstake.com/research/advisories/2003/a010603-1.txt
    > http://marc.theaimsgroup.com/?l=bugtraq&m=104033054204316
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1380
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127
    >
    > 8. Contact:
    >
    > The Red Hat security contact is <security@redhat.com>. More contact
    > details at http://www.redhat.com/solutions/security/news/contact.html
    >
    > Copyright 2003 Red Hat, Inc.
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

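The frame-padding leak (CAN-2003-0001, "Etherleak") that the quoted advisory describes is easy to check for on the wire: when an upper-layer packet is shorter than the 60-byte Ethernet minimum, the driver has to pad it, and a vulnerable driver transmits whatever stale bytes sit in its buffer instead of zeros. The following is an added example, not code from the original post, from the Red Hat packages or from any kernel driver. It derives the real payload length from the IPv4 Total Length field (or the fixed 28-byte ARP size), counts nonzero bytes in the trailer, and shows the driver-side fix of explicitly zeroing the padding. The sample ARP frame, its MAC and IP addresses, and the "stale buffer" pattern are constructed here for illustration; the function names are my own.

```c
/* Added example (not from the advisory): detect Etherleak-style padding
 * leaks in captured frames, and the driver-side fix of zeroing the trailer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN       14
#define ETH_ZLEN       60      /* minimum Ethernet frame length, FCS excluded */
#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_ARP  0x0806
#define ARP_ETH_IP_LEN 28      /* ARP over Ethernet/IPv4 is always 28 bytes */

/* Bytes of payload the upper layer actually handed to the driver, derived
 * from the protocol headers; 0 if the frame is truncated or an unknown type. */
static size_t real_payload_len(const uint8_t *f, size_t len)
{
    if (len < ETH_HLEN)
        return 0;
    uint16_t type = (uint16_t)((f[12] << 8) | f[13]);
    const uint8_t *p = f + ETH_HLEN;
    size_t plen = len - ETH_HLEN;

    if (type == ETHERTYPE_IP) {
        if (plen < 20 || (p[0] >> 4) != 4)
            return 0;
        size_t tot = (size_t)((p[2] << 8) | p[3]);   /* IPv4 Total Length */
        return (tot >= 20 && tot <= plen) ? tot : 0;
    }
    if (type == ETHERTYPE_ARP)
        return plen >= ARP_ETH_IP_LEN ? ARP_ETH_IP_LEN : 0;
    return 0;
}

/* Returns the number of padding bytes after the real payload and stores in
 * *nonzero how many of them are not 0x00. A correctly padded frame has
 * *nonzero == 0; anything else is stale memory the driver put on the wire.
 * Returns 0 (and *nonzero = 0) when the payload length cannot be determined. */
size_t etherleak_check(const uint8_t *f, size_t len, size_t *nonzero)
{
    size_t real = real_payload_len(f, len), nz = 0;
    if (real == 0) {
        *nonzero = 0;
        return 0;
    }
    size_t start = ETH_HLEN + real;
    for (size_t i = start; i < len; i++)
        if (f[i] != 0)
            nz++;
    *nonzero = nz;
    return len - start;
}

/* Driver-side fix: when a packet is shorter than ETH_ZLEN, copy it into the
 * transmit buffer and explicitly zero the trailer instead of sending whatever
 * the buffer held before. Returns the on-wire length, 0 if out is too small. */
size_t pad_frame_zeroed(const uint8_t *pkt, size_t len, uint8_t *out, size_t cap)
{
    size_t need = len < ETH_ZLEN ? ETH_ZLEN : len;
    if (need > cap)
        return 0;
    memcpy(out, pkt, len);
    memset(out + len, 0, need - len);
    return need;
}

/* Constructed sample: a 42-byte ARP request on a made-up LAN, padded to
 * ETH_ZLEN. With leak != 0 the trailer carries a stale-buffer pattern
 * instead of zeros, mimicking an unpatched driver. Returns the frame length. */
size_t sample_arp_frame(uint8_t *buf, int leak)
{
    static const uint8_t arp[ETH_HLEN + ARP_ETH_IP_LEN] = {
        0xff,0xff,0xff,0xff,0xff,0xff,  0x00,0x11,0x22,0x33,0x44,0x55,  0x08,0x06,
        0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,           /* ARP request */
        0x00,0x11,0x22,0x33,0x44,0x55,  0x0a,0x00,0x00,0x01,   /* sender MAC/IP */
        0x00,0x00,0x00,0x00,0x00,0x00,  0x0a,0x00,0x00,0x02    /* target MAC/IP */
    };
    memcpy(buf, arp, sizeof arp);
    for (size_t i = sizeof arp; i < ETH_ZLEN; i++)
        buf[i] = leak ? (uint8_t)('A' + i % 26) : 0;
    return ETH_ZLEN;
}

int main(void)
{
    uint8_t leaky[ETH_ZLEN], fixed[ETH_ZLEN];
    size_t nz, pad, n;

    n = sample_arp_frame(leaky, 1);
    pad = etherleak_check(leaky, n, &nz);
    printf("unpatched driver: %zu padding bytes, %zu nonzero\n", pad, nz);

    /* Send the same 42-byte packet through the fixed padding path. */
    n = pad_frame_zeroed(leaky, ETH_HLEN + ARP_ETH_IP_LEN, fixed, sizeof fixed);
    pad = etherleak_check(fixed, n, &nz);
    printf("zero-padded:      %zu padding bytes, %zu nonzero\n", pad, nz);
    return 0;
}
```

Run against real captures, the check only makes sense on frames that were short enough to need padding (ARP, small ICMP/UDP, TCP pure ACKs), and on the receiving side of the host under test, since a capture taken on the sending host itself may be copied before the driver pads it. Nonzero trailer bytes that change from frame to frame are the signature the advisory's references describe.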