Security update for the Linux kernel
(Last modified: 05JUN2007)
solutions Security update for the Linux kernel SuSE Linux Maintenance Web (bd16f566b869a29489f5fbc7c16bddd0)
Product(s): Novell Linux Desktop 9 for x86
Open Enterprise Server
- CVE-2006-2936: The ftdi_sio driver allowed local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued. This requires this driver to be loaded, which only happens if such a device is plugged in.
- CVE-2006-5871: smbfs when UNIX extensions are enabled, ignores certain mount options, which could cause clients to use server-specified uid, gid and mode settings.
- CVE-2006-6106: Multiple buffer overflows in the cmtp_recv_interopmsg function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via CAPI messages with a large value for the length of the (1) manu (manufacturer) or (2) serial (serial number) field.
- CVE-2006-6535: The dev_queue_xmit function in Linux kernel 2.6 can fail before calling the local_bh_disable function, which could lead to data corruption and "node lockups". This issue might not be exploitable at all for an attacker.
- CVE-2006-5749: The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux kernel does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash.
- CVE-2006-5753: Unspecified vulnerability in the listxattr system call in Linux kernel, when a "bad inode" is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges.
- CVE-2006-5754: The aio_setup_ring function in Linux kernel does not properly initialize a variable, which allows local users to cause a denial of service (crash).
- CVE-2007-1357: A denial of service problem against the AppleTalk protocol was fixed. A remote attacker in the same AppletTalk network segment could cause the machine to crash if it has AppleTalk protocol loaded.
- CVE-2007-1592: A local user could affect a double-free of a ipv6 structure potentially causing a local denial of service attack.
- A local denial of service was fixed in the USB visor driver, where local attackers could cause a huge amount of kernel memory to be allocated and so run the machine out of memory.
- CVE-2007-1353: The setsockopt function in the L2CAP and HCI Bluetooth support in the Linux kernel allows context-dependent attackers to read kernel memory and obtain sensitive information via unspecified vectors involving the copy_from_user function acces sing an uninitialized stack buffer.
- CVE-2006-7203: The compat_sys_mount function in fs/compat.c allows local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode ("mount -t smbfs").
- patches.fixes/ia64-accessed-dirty-race-fix: Fix race in the accessed/dirty bit handlers. [#63321]
- patches.fixes/dm-mpath-emc-status-fix: emc multipath hw handler does not return its status. [#96836]
- patches.suse/nfs-write-limit: Make suggested values the default so that benefit of this patch is available without tuning. [#162604]
- patches.fixes/bdev-imapping-race.diff: Fix race between sync_single_inode() and iput() [#172493] [#188950]
- patches.fixes/mp_uart_backup_timer.patch: 8250 UART backup timer fix. [#188701]
- patches.arch/x86_64-smphalt: Fix race in shutdown that can lead to hangs. [#193735]
- patches.fixes/cciss-cpq-disk-stats: Update disk statistics for cciss and cpqarray devices. [#202124] [#209773]
- patches.fixes/usb-hid-203911-event-field-not-found.diff: backport of a surpression of a warning from newer kernels. [#203911]
- patches.fixes/fs-rewrite-remove_arg_zero: If necessary, free pages when removing arg zero during exec. [#204281]
- patches.suse/lkcd-allocate-isa-bounce-pool: LKCD running out of memory during dump [#204316]
- patches.fixes/xfs-fix-inode-i_sem-counter-problem.diff: Fix inode i_sem count problem. [#205154]
- patches.fixes/dio_should_wait-zab1.patch: aio/dio: fix another refcount bug. [#207588]
- patches.fixes/ptrace-signal-race: Fix ptracer race condition to prevent BUG_ON in do_notify_parent. [#210680] [#260338]
- patches.fixes/raw-dont-call-device-remove-on-bind: raw device file disappears after binding by using raw command [#211211]
- patches.fixes/sunrpc-busy-atomic: test and set SK_BUSY atomically. [#211839]
- patches.arch/x86_64-intel-disable-smi: Allow to disable most SMI interrupts on a Intel chipset [#212086]
- patches.arch/woodcrest_est_x64_short: Support Intel Woodcrest and Conroe CPUs. [#216747]
- patches.arch/x86_64-ia32-stack-account: Correct x86_64 stack accounting for ia32 binaries. [#221174]
- patches.fixes/cciss-fifo-full.patch: set maximum number of commands according to the kind of the controller. [#221453]
- patches.suse/dynamic-timeslice: Updated to prevent an overflow leading to an oops when max_timeslice is set too high. [#222334] 32-bit architectures are still affected though.
- ipatches.fixes/swapfile-no-i_sem.diff: Don't hold i_sem on swapfiles. [#222533]
- patches.fixes/scsi-devinfo-hitachi-update: LVM UUID fails after LVM update. [#223287]
- patches.fixes/refill-inactive-irq-latency-can_writepage: avoid can_writepag slowdowns. [#224664]
- patches.drivers/libata-prepare-for-adhoc-working-EH: libata: prepare for ad-hoc working EH [#225378] [#236219]
- patches.drivers/libata-ata_piix-adhoc-EH: ata_piix: implement ad-hoc EH. [#236219]
- patches.drivers/libata-sata_promise-adhoc-EH: sata_promise: implement ad-hoc EH. [#225378]
- patches.fixes/nfs-silly-delete-fix: avoid BUG when mount -f on nfs filesystem with pending silly-delete. [#226717]
- patches.fixes/bonding-arpmon-2: Send only one ARP probe when using bonding with ARP monitoring [#226764]
- patches.fixes/ext3-bread-find-entry-fix.diff: ext3: Fix ext3_bread and ext3_find_entry. [#228682] [#235302] [#251174]
- patches.fixes/reiserfs-readahead-fix.diff: reiser: fix problem when READA returns EAGAIN. [#228682] [#235302] [#249272] [#251174]
- patches.fixes/udf-readahead-fix.diff: udf: replace READA by READ. [#228682] [#235302] [#251174]
- patches.fixes/fix-ext3-kmalloc-flags-with-journal-handle.diff: ext3: use GFP_NOFS when allocating memory with an open journal handle. [#228694]
- patches.fixes/sunrpc-listen-race: knfsd: Fix race that can disable NFS server. [#230287]
- patches.fixes/nfs-jiffie-wrap: Avoid extra GETATTR calls caused by 'jiffie wrap'. [#233155]
- patches.arch/ibm-ppc64-lparcfg-quiet.patch Quieten lparcfg. [#233668]
- patches.fixes/do_notify_parent_cldstop-deadlock: fix a deadlock in do_notify_parent_cldstop() [#237532]
- patches.fixes/xfs-kern-28000a-buffer-unwritten-new: Set the buffer new flag on writes to unwritten XFS extents. This fixes a corruption in preallocated files on XFS. [#237843]
- patches.fixes/net-llc-fixup: [LLC]: Use pskb_trim_rcsum() in llc_fixup_skb(). [#238198]
- patches.fixes/firewire_swiotlb.patch: make sure firewire doesn't bomb on systems with a lot of ram but no iommu. [#243270]
- patches.suse/scsi-add-DID_COND_REQUEUE: SLES 9 SP3 mptscsi device driver doesn't work with IBM SVC [#243958]
- patches.fixes/xfs-use-new-i_flags_lock-to-protect-i_flags: XFS inode use after free, trips BUG() in generic_delete_inode() [#179117] [#247120]
- patches.fixes/nfsd-crossmnt-fix: Protect reference to exp across calls to nfsd_cross_mnt. [#251168]
- patches.suse/LAuS-kernel: Updated minor number to remove clash with TPM LKM. [#253940]
- patches.drivers/ide-via82cxxx-sync-PCI-IDs-to-upstream: via82cxxx: sync PCI IDs to upstream. [#254158]
- Check for mkinitrd failues in the %post script. [#255360]
- patches.fixes/lockd-flush-signals: Allow lockd to unregister with portmap. [#255811]
- patches.fixes/dio-shortread-over-hole-at-eof: fix O_DIRECT read of last block in a sparse file. [#257118]
- patches.fixes/reiserfs-fix-vs-13060.diff: fix corruption with vs-13060. [#257735]
- patches.fixes/ext3-GFP_NOFS-for-symlinks.diff: ext3_symlink should use GFP_NOFS allocations inside. [#259497]
- patches.fixes/xfs-flush_invalidate_dirty_pages_direct_read.diff: Flush and invalidate dirty pages at start of direct read. [#263366]
- patches.fixes/i386-microcode.diff: x86 microcode: don't check the size. [#266887] [#266888]
- patches.fixes/fix-posix_locks_deadlock: Fix a deadlock with POSIX deadlock detection. [#272738]
First, find out which kernel package to download and use, for example with
rpm -qf /boot/vmlinuz
Download the kernel image fitting your setup and the kernel symbols (kernel-syms*.rpm) and install it with either:
- rpm -Fvh kernel-syms*.rpm kernel-default*.rpm for the default kernel image, or
- rpm -Fhv kernel-syms*.rpm kernel-smp*.rpm for the SMP kernel image with support for up to 64 GB, or
- rpm -Fhv kernel-syms*.rpm kernel-bigsmp*.rpm for the SMP kernel image with support for up to 64 GB
In case you are using LILO as bootmanager, please make sure that you also execute the command
after installing the update for the system to remain bootable.
Finally, reboot the system with
shutdown -r now
to load the new kernel (replace "now" with the appropriate amount of time to allow local users to cleanly log out, for example "+5" for five minutes.)
Download Source Packages
Download the source code of the patches for maintained products.
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.