Updated kernel-utils packages fix setuid vulnerability

An updated kernel-utils package is available that removes the setuid bits
incorrectly assigned to the uml_net binary.

The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware.

The uml_net utility, a user mode linux (UML) utility, in the kernel-utils
packages that shipped with Red Hat Linux 8.0 incorrectly sets its uid to
the root user. This could allow local users to control certain network
interfaces, add and remove arp entries and routes, and put interfaces in
and out of promiscuous mode.

All users of the kernel-utils package should update to these errata
packages which contain a version of uml_net which does not setuid root.

Alternatively, as a work-around to this vulnerability, an administrator can
issue the following command as root:

chmod -s /usr/bin/uml_net

Red Hat would like to thank Johnny Robertson for alerting us to this issue.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

Note that this update is also available via Red Hat Network. Many
people find this to be an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Note that you must select kernel-utils explicitly on default configurations
of up2date.

83685 - uml_net executable allows users to do bad things

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0019

linux, mode, uml, user