
Security Advisory Important: kernel security and bug fix update

Advisory: RHSA-2010:0380-1
Type: Security Advisory
Severity: Important
Issued on: 2010-04-27
Last updated on: 2010-04-27
Affected Products: Red Hat Enterprise Linux EUS (v. 5.4.z server)
CVEs (cve.mitre.org): CVE-2009-4027
CVE-2009-4307
CVE-2010-0727
CVE-2010-1188

Details

Updated kernel packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 5.4 Extended Update Support.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

* a race condition was found in the mac80211 implementation, a framework
used for writing drivers for wireless devices. An attacker could trigger
this flaw by sending a Delete Block ACK (DELBA) packet to a target system,
resulting in a remote denial of service. Note: This issue only affected
users on 802.11n networks who also use the iwlagn driver with Intel
wireless hardware. (CVE-2009-4027, Important)

* a use-after-free flaw was found in the tcp_rcv_state_process() function
in the Linux kernel TCP/IP protocol suite implementation. If a system using
IPv6 had the IPV6_RECVPKTINFO option set on a listening socket, a remote
attacker could send an IPv6 packet to that system, causing a kernel panic
(denial of service). (CVE-2010-1188, Important)

* a flaw was found in the gfs2_lock() implementation. The GFS2 locking code
could skip the lock operation for files that have the S_ISGID bit
(set-group-ID on execution) in their mode set. A local, unprivileged user
on a system that has a GFS2 file system mounted could use this flaw to
cause a kernel panic (denial of service). (CVE-2010-0727, Moderate)

* a divide-by-zero flaw was found in the ext4 file system code. A local
attacker could use this flaw to cause a denial of service by mounting a
specially-crafted ext4 file system. (CVE-2009-4307, Low)

Bug fixes:

* if a program that calls posix_fadvise() were compiled on x86, and then
run on a 64-bit system, that program could experience various problems,
including performance issues and the call to posix_fadvise() failing,
causing the program to not run as expected or even abort. With this update,
when such programs attempt to call posix_fadvise() on 64-bit systems,
sys32_fadvise64() is called instead, which resolves this issue. This update
also fixes other 32-bit system calls that were mistakenly called on 64-bit
systems (including systems running the kernel-xen kernel). (BZ#569597)

* on some systems able to set a P-State limit via the BIOS, it was not
possible to set the limit to a higher frequency if the system was rebooted
while a low limit was set:
"/sys/devices/system/cpu/cpu[x]/cpufreq/scaling_max_freq" would retain the
low limit in these situations. With this update, limits are correctly set,
even after being changed after a system reboot. (BZ#569727)

* certain Intel ICH hardware (using the e1000e driver) has an NFS filtering
capability that did not work as expected, causing memory corruption, which
could lead to kernel panics, or other unexpected behavior. In a reported
case, a panic occurred when running NFS connection tests. This update
resolves this issue by disabling the filtering capability. (BZ#569797)

* if "open(/proc/[PID]/[xxxx])" was called at the same time the process was
exiting, the call would fail with an EINVAL error (an incorrect error for
this situation). With this update, the correct error, ENOENT, is returned
in this situation. (BZ#571362)

* multiqueue is used for transmitting data, but a single queue transmit
ON/OFF scheme was used. This led to a race condition on systems with the
bnx2x driver in situations where one queue became full, but not stopped,
and the other queue enabled transmission. With this update, only a single
queue is used. (BZ#576951)

* the "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged
users from creating new memory mappings below the minimum address. The
sysctl value for mmap_min_addr could be changed by a process or user that
has an effective user ID (euid) of 0, even if the process or user does not
have the CAP_SYS_RAWIO capability. This update adds a capability check for
the CAP_SYS_RAWIO capability before allowing the mmap_min_addr value to be
changed. (BZ#577206)
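
The rule this update adds for mmap_min_addr, as an added example that is not part of the original advisory and is not Red Hat code: it reads the effective UID and CapEff mask from /proc/[PID]/status text and reports whether a process is in the "euid 0 without CAP_SYS_RAWIO" case. The function names and the sample status text are constructed; bit number 17 for CAP_SYS_RAWIO is taken from <linux/capability.h>.

```shell
#!/bin/sh
# Added example, not Red Hat code. Function names are illustrative.
CAP_SYS_RAWIO=17   # capability bit number from <linux/capability.h>

# has_cap HEXMASK BIT: true if BIT (< 32) is set in the capability mask.
# Only the low 32 bits are parsed, so the arithmetic is safe in any POSIX sh.
has_cap() {
    low=$(printf '%s' "$1" | sed 's/^.*\(........\)$/\1/')
    [ $(( (0x$low >> $2) & 1 )) -eq 1 ]
}

# classify_status: reads /proc/<pid>/status text on stdin and prints
#   allowed   euid 0 with CAP_SYS_RAWIO (can still change the tunable)
#   blocked   euid 0 without CAP_SYS_RAWIO (the case this update rejects)
#   not-root  effective UID is not 0
classify_status() {
    # Uid: fields are real, effective, saved, filesystem; $3 is the euid.
    set -- $(awk '$1 == "Uid:"    { e = $3 }
                  $1 == "CapEff:" { c = $2 }
                  END { print e, c }')
    [ "$1" = 0 ] || { echo not-root; return 0; }
    if has_cap "$2" "$CAP_SYS_RAWIO"; then
        echo allowed
    else
        echo blocked
    fi
}

# Constructed status excerpt: euid 0 holding every low capability except bit 17.
printf 'Name:\thelper\nUid:\t1000\t0\t0\t0\nCapEff:\t00000000fffdffff\n' |
    classify_status
```

On a live host, `classify_status < /proc/[PID]/status` inspects one process, and `cat /proc/sys/vm/mmap_min_addr` shows the current value of the tunable.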

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.
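
A check for the reboot requirement above, as an added example that is not part of the original advisory: it classifies a running-kernel release string (the output of `uname -r`) against the fixed build 2.6.18-164.17.1.el5 listed below. The function names are illustrative, and limiting the comparison to the 2.6.18-164 series is an assumption based on the 5.4.z package names in this advisory.

```shell
#!/bin/sh
# Added example, not Red Hat code. Function names are illustrative.
FIXED="2.6.18-164.17.1.el5"   # fixed build named in this advisory

# Drop the dist tag and any variant suffix (PAE, xen, debug, kdump):
#   2.6.18-164.17.1.el5PAE -> 2.6.18-164.17.1
numeric_part() {
    printf '%s\n' "$1" | sed 's/\.el5.*$//'
}

# ver_ge A B: true if A >= B, comparing '.'/'-' separated fields as numbers
# (so 164.9.1 sorts below 164.17.1); missing fields count as 0.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# kernel_status RELEASE: prints fixed, vulnerable, or unknown.
# Assumption: only 2.6.18-164* releases belong to the 5.4.z stream covered
# here; anything else is reported as unknown rather than guessed at.
kernel_status() {
    case "$1" in
        2.6.18-164.*el5*) ;;
        *) echo unknown; return 0 ;;
    esac
    if ver_ge "$(numeric_part "$1")" "$(numeric_part "$FIXED")"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample release strings (only the fixed build is from the advisory).
for r in 2.6.18-164.el5 2.6.18-164.9.1.el5xen 2.6.18-164.17.1.el5PAE 2.6.18-194.el5; do
    printf '%-26s %s\n' "$r" "$(kernel_status "$r")"
done
```

On a host, run `kernel_status "$(uname -r)"`; checking the running kernel rather than the installed package list confirms that the reboot actually happened.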

Updated packages

Red Hat Enterprise Linux EUS (v. 5.4.z server)

SRPMS:
kernel-2.6.18-164.17.1.el5.src.rpm
File outdated by:  RHBA-2011:0956
 
IA-32:
kernel-2.6.18-164.17.1.el5.i686.rpm
File outdated by:  RHBA-2011:0956
kernel-PAE-2.6.18-164.17.1.el5.i686.rpm
File outdated by:  RHBA-2011:0956
kernel-PAE-devel-2.6.18-164.17.1.el5.i686.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-2.6.18-164.17.1.el5.i686.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-devel-2.6.18-164.17.1.el5.i686.rpm
File outdated by:  RHBA-2011:0956
kernel-devel-2.6.18-164.17.1.el5.i686.rpm
File outdated by:  RHBA-2011:0956
kernel-doc-2.6.18-164.17.1.el5.noarch.rpm
File outdated by:  RHBA-2011:0956
kernel-headers-2.6.18-164.17.1.el5.i386.rpm
File outdated by:  RHBA-2011:0956
kernel-xen-2.6.18-164.17.1.el5.i686.rpm
File outdated by:  RHBA-2011:0956
kernel-xen-devel-2.6.18-164.17.1.el5.i686.rpm
File outdated by:  RHBA-2011:0956
 
IA-64:
kernel-2.6.18-164.17.1.el5.ia64.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-2.6.18-164.17.1.el5.ia64.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-devel-2.6.18-164.17.1.el5.ia64.rpm
File outdated by:  RHBA-2011:0956
kernel-devel-2.6.18-164.17.1.el5.ia64.rpm
File outdated by:  RHBA-2011:0956
kernel-doc-2.6.18-164.17.1.el5.noarch.rpm
File outdated by:  RHBA-2011:0956
kernel-headers-2.6.18-164.17.1.el5.ia64.rpm
File outdated by:  RHBA-2011:0956
kernel-xen-2.6.18-164.17.1.el5.ia64.rpm
File outdated by:  RHBA-2011:0956
kernel-xen-devel-2.6.18-164.17.1.el5.ia64.rpm
File outdated by:  RHBA-2011:0956
 
PPC:
kernel-2.6.18-164.17.1.el5.ppc64.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-2.6.18-164.17.1.el5.ppc64.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-devel-2.6.18-164.17.1.el5.ppc64.rpm
File outdated by:  RHBA-2011:0956
kernel-devel-2.6.18-164.17.1.el5.ppc64.rpm
File outdated by:  RHBA-2011:0956
kernel-doc-2.6.18-164.17.1.el5.noarch.rpm
File outdated by:  RHBA-2011:0956
kernel-headers-2.6.18-164.17.1.el5.ppc.rpm
File outdated by:  RHBA-2011:0956
kernel-headers-2.6.18-164.17.1.el5.ppc64.rpm
File outdated by:  RHBA-2011:0956
kernel-kdump-2.6.18-164.17.1.el5.ppc64.rpm
File outdated by:  RHBA-2011:0956
kernel-kdump-devel-2.6.18-164.17.1.el5.ppc64.rpm
File outdated by:  RHBA-2011:0956
 
s390x:
kernel-2.6.18-164.17.1.el5.s390x.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-2.6.18-164.17.1.el5.s390x.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-devel-2.6.18-164.17.1.el5.s390x.rpm
File outdated by:  RHBA-2011:0956
kernel-devel-2.6.18-164.17.1.el5.s390x.rpm
File outdated by:  RHBA-2011:0956
kernel-doc-2.6.18-164.17.1.el5.noarch.rpm
File outdated by:  RHBA-2011:0956
kernel-headers-2.6.18-164.17.1.el5.s390x.rpm
File outdated by:  RHBA-2011:0956
kernel-kdump-2.6.18-164.17.1.el5.s390x.rpm
File outdated by:  RHBA-2011:0956
kernel-kdump-devel-2.6.18-164.17.1.el5.s390x.rpm
File outdated by:  RHBA-2011:0956
 
x86_64:
kernel-2.6.18-164.17.1.el5.x86_64.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-2.6.18-164.17.1.el5.x86_64.rpm
File outdated by:  RHBA-2011:0956
kernel-debug-devel-2.6.18-164.17.1.el5.x86_64.rpm
File outdated by:  RHBA-2011:0956
kernel-devel-2.6.18-164.17.1.el5.x86_64.rpm
File outdated by:  RHBA-2011:0956
kernel-doc-2.6.18-164.17.1.el5.noarch.rpm
File outdated by:  RHBA-2011:0956
kernel-headers-2.6.18-164.17.1.el5.x86_64.rpm
File outdated by:  RHBA-2011:0956
kernel-xen-2.6.18-164.17.1.el5.x86_64.rpm
File outdated by:  RHBA-2011:0956
kernel-xen-devel-2.6.18-164.17.1.el5.x86_64.rpm
File outdated by:  RHBA-2011:0956
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

541149 - CVE-2009-4026 CVE-2009-4027 kernel: mac80211: fix spurious delBA handling
547251 - CVE-2009-4307 kernel: ext4: avoid divide by zero when trying to mount a corrupted file system
569597 - posix_fadvise() handles its arguments incorrectly in 32-bit compat mode. [rhel-5.4.z]
569727 - when booted with P-state limit, limit can never be increased [rhel-5.4.z]
569797 - e1000 & e1000e: Memory corruption/paging error when tx hang occurs [rhel-5.4.z]
570863 - CVE-2010-0727 bug in GFS/GFS2 locking code leads to dos
571362 - [5.4] open(/proc/PID/xxx) fails with EINVAL even though it should be ENOENT. [rhel-5.4.z]
576951 - [Broadcom 5.4.z bug] bnx2x: net device is in XON state while the Tx ring is full [rhel-5.4.z]
577206 - kernel: sysctl: require CAP_SYS_RAWIO to set mmap_min_addr [rhel-5.4.z]
577711 - CVE-2010-1188 kernel: ipv6: skb is unexpectedly freed


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/