Security update for Linux kernel
(Last modified: 06DEC2005)
SuSE Linux Maintenance Web (c7050141b3702832a32e74185b621254)
Product(s): SUSE CORE 9 for x86
Novell Linux Desktop 9 for x86
Novell Linux POS 9
Note: This is the last kernel update for the Service Pack 2 level kernel and contains a roll-up of PTF and security fixes.
It will be followed in 2 weeks by the kernel update for Service Pack 3, containing a lot of driver updates and features. Since you likely want to test Service Pack 3 extensively before deploying, this rollup update has been done for the time in between.
Parts of those fixes have already been released for the S/390 platforms.
It contains the following security fixes:
- CVE-2005-3783: A check in ptrace(2) handling that finds out if a process is attaching to itself was incorrect and could be used by a local attacker to crash the machine.
- CVE-2005-3784: A check in reaping of terminating child processes did not consider ptrace(2) attached processes and would leave a ptrace reference dangling. This could lead to a local user being able to crash the machine.
- CVE-2005-2973: An infinite loop in the IPv6 UDP loopback handling can be easily triggered by a local user and lead to a denial of service.
- CVE-2005-3806: A bug in IPv6 flowlabel handling code could be used by a local attacker to free non-allocated memory and in turn corrupt kernel memory and likely crash the machine.
- CVE-2005-3055: Unplugging a userspace-controlled USB device with a URB pending in userspace could crash the kernel. This can be easily triggered by a local attacker.
- CVE-2005-3180: Fixed incorrect padding in orinoco wireless driver, which could expose kernel data to the air.
- CVE-2005-3044: Missing sockfd_put() calls in routing_ioctl() leaked file handles which in turn could exhaust system memory.
- CVE-2005-3275: The NAT code in the Linux kernel incorrectly declares a variable to be static, which allows remote attackers to cause a denial of service (memory corruption) by causing two packets for the same protocol to be NATed at the same time.
- CVE-2005-2490: A stack-based buffer overflow in the sendmsg function call in the Linux kernel 2.6 and 2.4 allowed local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread.
- CVE-2005-3110: A race condition in the ebtables netfilter module (ebtables.c), when running on an SMP system that is operating under a heavy load, might allow remote attackers to cause a denial of service (crash) via a series of packets that cause a value to be modified after it has been read but before it has been locked.
- CVE-2005-1041: A race condition when reading the /proc/net/route virtual file could be used by a local attacker to potentially crash the machine.
- CVE-2005-2800: A memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) allows local users to cause a denial of service (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error.
- CVE-2005-2872: The ipt_recent module when running on 64-bit processors allows remote attackers to cause a DoS (kernel panic) via certain attacks such as SSH brute force.
- A memory leak in direct IO writing was fixed.
- Hangs on error conditions on reiserfs with ACL and QUOTA enabled were fixed.
- AMD64: A check for invalid page dirs in get_user_pages for vsyscall32 page was added.
- Various OCFS2 fixes were applied and OCFS2 upgraded to 1.0.5.
- Fixed the IP dst cache overrun problem.
- Fixed kernel deadlocks on shrinking inode caches.
- Make it possible to use the USB keyboard even with init=/bin/sh, by introducing a "usb-no-handoff" cmdline option.
- Export the symbol do_posix_clock_monotonic_gettime for external kernel modules.
- Removed a broken patch that could cause crashes on SCSI errors.
- Some small CKRM fixes.
- Fixed NFS xfs_iget shutdown.
- Avoid a deadlock in the get_user_pages function.
- Fixed time occasionally briefly jumping ahead 4294 seconds.
- Fixed a 64 bit issue in PPP/MPPE.
- Updated SIGKILL on OOM patch with suggestions by Kurt Garloff.
- Fixed some reiserfs endianness bugs on big endian machines.
- Added a Solaris VxFS compatibility fix in ACL handling.
- Fixed premature expiry of async packets on the IEEE1394 bus.
- Several XFS stability fixes were applied.
- Fixed an Oops in ethtool calls when a bcm5700 driven network device is down.
- Fixed a potential userspace memory corruption caused by the bcm5700 driver.
- Fix an RPC string decoding problem in NFS/lockd.
First, find out which kernel package to download and use, for example with
rpm -qf /boot/vmlinuz
Download the kernel image fitting your setup and the kernel symbols (kernel-syms*.rpm) and install it with either:
- rpm -Fvh kernel-syms*.rpm kernel-default*.rpm for the default kernel image, or
- rpm -Fhv kernel-syms*.rpm kernel-smp*.rpm for the SMP kernel image with support for up to 64 GB, or
- rpm -Fhv kernel-syms*.rpm kernel-bigsmp*.rpm for the SMP kernel image with support for up to 64 GB
In case you are using LILO as bootmanager, please make sure that you also execute the command
after installing the update for the system to remain bootable.
Finally, reboot the system with
shutdown -r now
to load the new kernel (replace "now" with the appropriate amount of time to allow local users to cleanly log out, for example "+5" for five minutes.)
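The steps above can be scripted so that the kernel flavor is chosen from the installed package rather than by hand, and so that a host that was updated but never rebooted is detected. This is an added example, not part of the original advisory; the function names are hypothetical, the package strings in the comments are constructed, and it assumes `rpm -qf /boot/vmlinuz` prints `kernel-FLAVOR-VERSION-RELEASE` and that `uname -r` reports `VERSION-RELEASE-FLAVOR`.

```sh
#!/bin/sh
# Added example: helper functions for the update procedure described above.

# kernel_flavor PKG: print the flavor (default, smp, bigsmp) of the package
# name reported by `rpm -qf /boot/vmlinuz`; fail for any other package.
kernel_flavor() {
    case "$1" in
        kernel-bigsmp-*)  echo bigsmp ;;
        kernel-smp-*)     echo smp ;;
        kernel-default-*) echo default ;;
        *) return 1 ;;
    esac
}

# update_command PKG: print the freshen command from the advisory that
# matches the installed flavor.
update_command() {
    flavor=$(kernel_flavor "$1") || { echo "unknown kernel package: $1" >&2; return 1; }
    echo "rpm -Fvh kernel-syms*.rpm kernel-${flavor}*.rpm"
}

# expected_release PKG: the `uname -r` string this package should boot as
# (assumption: VERSION-RELEASE-FLAVOR, e.g. constructed 1.2.3-4.5-smp).
expected_release() {
    flavor=$(kernel_flavor "$1") || return 1
    verrel=${1#kernel-${flavor}-}
    echo "${verrel}-${flavor}"
}

# reboot_pending PKG RUNNING: succeed when the running kernel release differs
# from the installed package, i.e. the update is on disk but not yet loaded.
reboot_pending() {
    want=$(expected_release "$1") || return 2
    [ "$want" != "$2" ]
}

# Query the live system only when called with --live.
if [ "${1:-}" = "--live" ]; then
    pkg=$(rpm -qf /boot/vmlinuz) || exit 1
    update_command "$pkg" || exit 1
    if reboot_pending "$pkg" "$(uname -r)"; then
        echo "installed $pkg is not the running kernel: reboot pending"
    fi
fi
```

Running it with `--live` after installing the update reports whether the machine is still running the old kernel.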
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.