Executive Summary
Summary | |
---|---|
Title | Updated kernel packages available for Red Hat Enterprise Linux 4 Update 4 |
Information | |||
---|---|---|---|
Name | RHSA-2006:0575 | First vendor Publication | 2006-08-10 |
Vendor | RedHat | Last vendor Modification | 2006-08-10 |
Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:C) | |||
---|---|---|---|
Cvss Base Score | 9 | Attack Range | Network |
Cvss Impact Score | 8.5 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Problem Description:

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system. This is the fourth regular update to Red Hat Enterprise Linux 4.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64

3. Problem description:

New features introduced in this update include:

* Device Mapper mirroring support
* IDE diskdump support
* x86, AMD64 and Intel EM64T: Multi-core scheduler support enhancements
* Itanium: perfmon support for Montecito
* much improved support for IBM x460
* AMD PowerNow! patches to support Opteron Rev G
* Vmalloc support > 64MB

The following device drivers have been upgraded to new versions:

ipmi: 33.11 to 33.13
ib_mthca: 0.06 to 0.08
bnx2: 1.4.30 to 1.4.38
bonding: 2.6.1 to 2.6.3
e100: 3.4.8-k2-NAPI to 3.5.10-k2-NAPI
e1000: 6.1.16-k3-NAPI to 7.0.33-k2-NAPI
sky2: 0.13 to 1.1
tg3: 3.43-rh to 3.52-rh
ipw2100: 1.1.0 to git-1.1.4
ipw2200: 1.0.0 to git-1.0.10
3w-9xxx: 2.26.02.001 to 2.26.04.010
ips: 7.10.18 to 7.12.02
iscsi_sfnet: 4:0.1.11-2 to 4:0.1.11-3
lpfc: 0:8.0.16.18 to 0:8.0.16.27
megaraid_sas: 00.00.02.00 to 00.00.02.03-RH1
qla2xxx: 8.01.02-d4 to 8.01.04-d7
qla6312: 8.01.02-d4 to 8.01.04-d7
sata_promise: 1.03 to 1.04
sata_vsc: 1.1 to 1.2
ibmvscsic: 1.5.5 to 1.5.6
ipr: 2.0.11.1 to 2.0.11.2

Added drivers:

dcdbas: 5.6.0-2
sata_mv: 0.6
sata_qstor: 0.05
sata_uli: 0.5
skge: 1.1
stex: 2.9.0.13
pdc_adma: 0.03

This update includes fixes for the security issues:

* a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate)
* a flaw in the ACL handling of nfsd that allowed a remote user to bypass ACLs for readonly mounted NFS file systems (CVE-2005-3623, moderate)
* a flaw in the netfilter handling that allowed a local user with CAP_NET_ADMIN rights to cause a buffer overflow (CVE-2006-0038, low)
* a flaw in the IBM S/390 and IBM zSeries strnlen_user() function that allowed a local user to cause a denial of service (crash) or to retrieve random kernel data (CVE-2006-0456, important)
* a flaw in the keyctl functions that allowed a local user to cause a denial of service (crash) or to read sensitive kernel memory (CVE-2006-0457, important)
* a flaw in unaligned accesses handling on Itanium processors that allowed a local user to cause a denial of service (crash) (CVE-2006-0742, important)
* a flaw in SELinux ptrace logic that allowed a local user with ptrace permissions to change the tracer SID to a SID of another process (CVE-2006-1052, moderate)
* an info leak on AMD-based x86 and x86_64 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important)
* a flaw in IPv4 packet output handling that allowed a remote user to bypass the zero IP ID countermeasure on systems with a disabled firewall (CVE-2006-1242, low)
* a minor info leak in socket option handling in the network code (CVE-2006-1343, low)
* a flaw in the HB-ACK chunk handling of SCTP that allowed a remote user to cause a denial of service (crash) (CVE-2006-1857, moderate)
* a flaw in the SCTP implementation that allowed a remote user to cause a denial of service (deadlock) (CVE-2006-2275, moderate)
* a flaw in the socket buffer handling that allowed a remote user to cause a denial of service (panic) (CVE-2006-2446, important)
* a flaw in the signal handling access checking on PowerPC that allowed a local user to cause a denial of service (crash) or read arbitrary kernel memory on 64-bit systems (CVE-2006-2448, important)
* a flaw in the netfilter SCTP module when receiving a chunkless packet that allowed a remote user to cause a denial of service (crash) (CVE-2006-2934, important)

There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

141342 - install hangs on Dell PowerVault 745 with SATA drives (sata_vsc module)
149933 - fix missing wakeup in ipc/sem
151981 - udevd fails to create /dev files after misc_register
154984 - Sound Blaster Audigy 2 Value audio does not work
155926 - [RHEL4-U2][Diskdump] OS_INIT dump function is broken
156145 - kernel may oops if more than 4k worth of string data returned in /proc/devices
156663 - Can't install from SATA CD/DVD drive
157404 - Loss of SATA ICH device hangs RAID1
157902 - [PATCH] ata_piix fails on some ICH7 hardware
158989 - snd-nm256 module hangs Dell Latitude CSx
165113 - kernel build broken when 4KSTACKS disabled
165245 - EHCI Host driver violates USB2.0 Specification leading to device failures
166541 - mdadm --grow infinite resync
168285 - No (useful) logging of parameters to execve
169260 - CVE-2005-3055 async usb devio oops
169456 - COMM_LOST problem with SCTP stream socket
169600 - SMP kernel crash when use as LVS router
170143 - rm command hangs when removing a symlink on ext2 loop filesystem
170434 - Deadlock in fc_target_unblock while shutting down the system
171304 - sata_promise: missing PCI ID for SATA300 TX4
171645 - Oops kernel NULL pointer
171740 - ipw2100 modules crashes and restarts whenever in use
172199 - Spurious keyboard repeats and clock is fast
172696 - kernel panic after a few hours/days of operation with pulse
173193 - vmalloc limited to 64Mb
173489 - kernel panics when rebooting
173843 - Kernel panic with this comment: <4>VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
173895 - Kernel panic on install on 64BG EM64T
174019 - TG3 driver crashes with BCM4704C chipset with heavy traffic
174155 - Documentation mismatch
174470 - RFE: tg3 support for Broadcom 5751 PCIe
174639 - System hangs with kernel panic when using current 3ware drivers
174671 - [PATCH] bonding: don't drop non-VLAN traffic
175616 - [RHEL 4 U2] kernel panic on EM64T with long cmdline args
175763 - misleading overcommit_memory reference in Documentation/filesystems/proc.txt
175778 - Accessing automounted directories can cause a process to hang forever
175854 - [RHEL4-U3] Checking dump partition fails when a swap partition whose size is less than memory size is configured for diskdump.
176107 - sata-nv crashes on multiple SATA disks
176173 - The hash.h hash_long function, when used on a 64 bit machine, ignores many of the middle-order bits.
176361 - io_setup() fails for 32bit tasks in x86-64
176601 - Oprofile unsupported recent Pentium4
176612 - xw6400 System panic while installing RHEL4-U3
177439 - SELinux MLS compatibility
177509 - No i915 DRM module
178084 - Last AIO read of a file opened with O_DIRECT returns wrong length
178720 - O_DIRECT bug when reading last block of sparse file
178845 - RHEL4u4 FEAT: Provide support for Opteron Rev G and Power Now! clean-up
179206 - Please backport the sata_mv Marvell MV88SX5081 driver?
179334 - kernel boot can Oops in work queue code when console blanks
179752 - Request to update lpfc driver in RHEL 4 U4
180028 - deadlocks on ext2,sync mounted fs
180138 - kmir_mon worker thread doesn't exit
180195 - aic7xxx and aic79xx Drivers Don't Support 16-byte CDBs
180568 - typo in spinlock.h? line 407
180621 - ipv6 ready logo-P1 ND Test24 fails- RA Lifetime=5 not understood
180958 - [RHEL4] MCE arg parsing broken on x86-64
181457 - Console redirection on DRAC 3 results in repeated key strokes (P1)
181475 - lpfc driver: add managment ioctl module to kernel tree
181780 - Gettimeofday() timer related slowdown and scaling issue
181793 - add MCP51/ NVidia 430 IDE support
181869 - Error given when duplicate non-updateable key (eg: keyring) added
181870 - Key quota handling incorrect in allocation
181879 - CVE-2006-0457 Key syscalls use get length of strings before copying, and assume terminating NUL copied from userspace
181881 - CVE-2006-0456 s390/s390x strnlen_user() is broken
182137 - NFS lockd recovery is broken in U3 due to missing code.
182684 - [EMC/Oracle RHEL 4.4] ISCSI MODULE SHOWS MULTIPLE DEVICES FOR A SINGLE LUN IN RHEL 4.0 U2
182726 - Possible hang when ptracing and using hugepages
183392 - [RHEL4] [RFE] Add diskdump capability to IDE
183416 - DoS attack possible via nfsservctl
183463 - CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic
183661 - ramfs: update dir mtime and ctime
183664 - dm: make sure don't give out the same minor number twice
184208 - Large LUNS can't be seen with Hitachi Open-SAN
184254 - PCI interrupts on ioapic pins 0-15 always get "legacy" IRQs.
184535 - [BETA RHEL4 U3] brokenness in cfq_dispatch_requests
184583 - Kernel should export number and state of local APICs
185043 - CVE-2005-3623 ACL setting on read-only fs
185289 - CVE-2006-1052 SELinux flaw
185431 - kernel dm: bad argument count check in dm-log.c
185444 - kernel dm: missing bdput
185445 - kernel dm: fix free_dev del_gendisk
185447 - kernel dm: flush queued bios if suspend is interrupted
185450 - kernel dm: log bitset fix BE find_next_zero_bit
185454 - kernel device-mapper mirroring: table output incorrect
185455 - kernel dm snapshots: replace siblings list
185456 - kernel dm mirroring: suspend operation is not well behaved
185459 - kernel dm snapshots: fix invalidation
185468 - kernel dm: striped access beyond end of device
185754 - [RHEL4 U3] kernel dm mirror: unrelated mirror devices stall if any log device fails
185782 - [RHEL4 U3] device-mapper mirror: Data corruption if the default mirror fails during recovery.
185785 - [RHEL4 U3] device-mapper mirror: Data corruption by temporal errors during recovery.
185991 - kernel dm: bio split bvec fix
186004 - [RHEL4 U3] device-mapper mirror: Write failure region becomes in-sync when suspension.
186057 - CVE-2006-1242 Linux zero IP ID vulnerability?
186066 - Connectathon tests fail against newer Irix server
186071 - NFSD fails SETCLIENTID_CONFIRM
186104 - kernel dm mirror: lvs Copy% overs 100% by lvreduce/lvresize.
186242 - CVE-2006-1343 Small information leak in SO_ORIGINAL_DST
186295 - CVE-2006-0038 netfilters do_replace() overflow
186316 - nvidia cache aliasing problem: change_page_attr drops GLOBAL bit from executable kernel pages
186564 - ACPI 2.0 systems with no XSDT fail to boot
186751 - kernel problem to deal with 3ware 9500SX-12 RAID cards
187249 - [RHEL4 U3] dm-mirror: read stalls if all mirrors failed
187494 - CVE-2006-2275 SCTP traffic probably never resumes
187498 - diskdump_sysfs_store() needs to check sscanf retval
187500 - diskdump_sysfs_store() should check partition number
187501 - device_to_gendisk() is lacking mntput(nd.mnt) on exit
187502 - diskdump - device_to_gendisk() is both racy
187910 - CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs
187951 - Replication failover fails if the NFS permissions are incorrect on one of the servers...
188080 - kernel dm snapshots: Incorrect processing of incorrect chunk size
188141 - Kernel appears too conservative in memory use
188296 - tlb_clear_slave races with tlb_choose_channel
188912 - Update Qlogic qla2xxx driver in RHEL 4 U4
189127 - Trouble with recent module - one packet is seen more than one time
189198 - VLAN not working on initial startup
189279 - [Stratus RHEL4 U4 bug] unchecked error path in usb_alloc_dev can lead to an Oops.
189390 - RHEL4-U3: openipmi: startup race condition
189392 - Submit Promise RHEL4 driver in-box to RHEL4 CD
189393 - Submit Promise RHEL4 driver in-box to RHEL4 CD
189397 - Submit Promise RHEL4 driver in-box to RHEL4 CD
189797 - dm: Fix mapped device references
190576 - REGRESSION: kabi breakage on ia64_mv
191138 - CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic
191139 - installer does not see SATA HDs attached to JMB360 chipset which in legacy mode
191141 - MCE arg parsing broken on x86-64
191723 - device-mapper mirror: Need proper notification of sync status chage on write failure
191847 - REGRESSION: kernel-2.6.9.36 does not boot on ALTIX systems
192098 - Fix problems with MSI-X on 64-bit platforms
192635 - CVE-2006-1857 SCTP HB-ACK chunk overflow
192779 - CVE-2006-2446 LTC20512-kernel BUG in __kfree_skb while running TCP+Kernel stress
193230 - RFE: add pci ids for atiixp
193696 - Not using all available system memory - swapping too aggressive - high load average (iowait)
193728 - A write to a cluster mirror volume not in sync will hang and also cause the sync to hang as well
193838 - gettimeofday goes backwards on IBM x460 merged servers
194215 - CVE-2006-2448 missing access_ok checks in powerpc signal*.c
194533 - veritas storage foundation 32bit apps crash in glibc during post-process installation
195002 - RHEL4 U4 i386 partner beta will not install on ES7000/one
195254 - HP xw9400 network card not getting seen
195502 - Regression: cluster mirror creation cmd hangs even though mirror gets created
196512 - VLANs, tg3 driver, and 2.6.9-34.EL kernel update
196712 - O=/objdir builds fail for out-of-tree builds with 2.6.9-39.4
197387 - CVE-2006-2934 SCTP netfilter DoS with chunkless packets
198321 - kernel freeze at "kernel BUG at kernel/timer.c:420!"
198892 - kernel deadlock on reading /proc/meminfo on 4 CPU's at the same time
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2006-0575.html |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
CAPEC-13 | Subverting Environment Variable Values |
CAPEC-17 | Accessing, Modifying or Executing Executable Files |
CAPEC-39 | Manipulating Opaque Client-based Data Tokens |
CAPEC-45 | Buffer Overflow via Symbolic Links |
CAPEC-51 | Poison Web Service Registry |
CAPEC-59 | Session Credential Falsification through Prediction |
CAPEC-60 | Reusing Session IDs (aka Session Replay) |
CAPEC-76 | Manipulating Input to File System Calls |
CAPEC-77 | Manipulating User-Controlled Variables |
CAPEC-87 | Forceful Browsing |
CAPEC-104 | Cross Zone Scripting |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
17 % | CWE-667 | Insufficient Locking |
17 % | CWE-399 | Resource Management Errors |
17 % | CWE-310 | Cryptographic Issues |
17 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
17 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
17 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10040 | |||
Oval ID: | oval:org.mitre.oval:def:10040 | ||
Title: | Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not perform certain required access_ok checks, which allows local users to read arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of service (crash) and possibly read kernel memory on 32-bit systems (signal_32.c). | ||
Description: | Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not perform certain required access_ok checks, which allows local users to read arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of service (crash) and possibly read kernel memory on 32-bit systems (signal_32.c). | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-2448 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
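The PowerPC signal flaw above is a missing access_ok() check: a user-supplied frame pointer is dereferenced by the kernel without first confirming that the whole range lies in user space. The following is an added user-space model of that check, not kernel code and not part of the advisory or the OVAL definition. The flat 64 KiB "memory", the TASK_SIZE boundary, the frame size and the planted secret are all illustrative assumptions; the point it demonstrates beyond the text is that the range check must also be written so that addr + size cannot wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustrative model (not kernel code) of what access_ok() guards:
 * a flat 64 KiB "memory" where addresses below TASK_SIZE belong to the user
 * and everything above is kernel. A sigreturn-style handler takes a user
 * pointer to a signal frame and copies the frame into the kernel. Sizes,
 * names and the planted secret are assumptions made for the demo. */

#define MEM_SIZE     0x10000u
#define TASK_SIZE    0x8000u        /* first kernel address in the model */
#define FRAME_SIZE   16u
#define MODEL_EFAULT 14

static uint8_t memory[MEM_SIZE];

/* Naive range check: addr + size can wrap, so a pointer just below the top
 * of the address space with a large size passes although it must not. */
int naive_access_ok(uint32_t addr, uint32_t size)
{
    return (uint32_t)(addr + size) <= TASK_SIZE;
}

/* Correct range check: bound size first, then compare without adding. */
int access_ok(uint32_t addr, uint32_t size)
{
    return size <= TASK_SIZE && addr <= TASK_SIZE - size;
}

/* Vulnerable handler: trusts the user-supplied frame pointer outright. */
int vuln_copy_frame(uint32_t uframe, uint8_t *dst)
{
    if (uframe > MEM_SIZE - FRAME_SIZE)
        return -MODEL_EFAULT;        /* only keeps the model itself in bounds */
    memcpy(dst, memory + uframe, FRAME_SIZE);
    return 0;
}

/* Hardened handler: the same copy, but only after access_ok() passed. */
int safe_copy_frame(uint32_t uframe, uint8_t *dst)
{
    if (!access_ok(uframe, FRAME_SIZE))
        return -MODEL_EFAULT;
    if (uframe > MEM_SIZE - FRAME_SIZE)
        return -MODEL_EFAULT;
    memcpy(dst, memory + uframe, FRAME_SIZE);
    return 0;
}

/* Plant a "kernel secret" above TASK_SIZE and aim the frame pointer at it.
 * Returns 1 if the handler copied kernel bytes out into the frame. */
static int reads_kernel_memory(int (*handler)(uint32_t, uint8_t *))
{
    const uint32_t secret_addr = 0x9000u;
    memset(memory, 0, sizeof memory);
    memcpy(memory + secret_addr, "KERNEL-SECRET-01", FRAME_SIZE);
    uint8_t frame[FRAME_SIZE] = { 0 };
    if (handler(secret_addr, frame) != 0)
        return 0;
    return memcmp(frame, memory + secret_addr, FRAME_SIZE) == 0;
}

int demo_vuln_reads_kernel(void) { return reads_kernel_memory(vuln_copy_frame); }
int demo_safe_reads_kernel(void) { return reads_kernel_memory(safe_copy_frame); }

int main(void)
{
    printf("vulnerable handler leaks kernel memory: %d\n", demo_vuln_reads_kernel());
    printf("hardened handler leaks kernel memory:   %d\n", demo_safe_reads_kernel());
    printf("wrapping range: naive check %d, correct check %d\n",
           naive_access_ok(0xfffffff0u, 0x20u), access_ok(0xfffffff0u, 0x20u));
    return 0;
}
```

The handler pair is the shape of the fix: the copy itself is unchanged, the only addition is the range check in front of it. The naive variant is included because a check of the form `addr + size <= limit` is a common way to get access_ok() wrong even once it is present.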
Definition Id: oval:org.mitre.oval:def:10102 | |||
Oval ID: | oval:org.mitre.oval:def:10102 | ||
Title: | The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local users with ptrace permissions to change the tracer SID to an SID of another process. | ||
Description: | The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local users with ptrace permissions to change the tracer SID to an SID of another process. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-1052 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10317 | |||
Oval ID: | oval:org.mitre.oval:def:10317 | ||
Title: | The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to conduct an Idle Scan (nmap -sI) attack, which bypasses intended protections against such attacks. | ||
Description: | The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to conduct an Idle Scan (nmap -sI) attack, which bypasses intended protections against such attacks. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-1242 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10622 | |||
Oval ID: | oval:org.mitre.oval:def:10622 | ||
Title: | Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk. | ||
Description: | Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-1857 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10742 | |||
Oval ID: | oval:org.mitre.oval:def:10742 | ||
Title: | The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc, has the "noreturn" attribute set, which allows local users to cause a denial of service by causing user faults on Itanium systems. | ||
Description: | The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc, has the "noreturn" attribute set, which allows local users to cause a denial of service by causing user faults on Itanium systems. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-0742 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10875 | |||
Oval ID: | oval:org.mitre.oval:def:10875 | ||
Title: | net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which allows local users to obtain portions of potentially sensitive memory. | ||
Description: | net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which allows local users to obtain portions of potentially sensitive memory. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-1343 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
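The SO_ORIGINAL_DST leak above is an uninitialised-padding bug: the kernel built a sockaddr_in on its stack, filled the family, port and address fields, and copied the whole structure to user space, so sin_zero carried whatever the stack held before. The following is an added user-space model of the bug and of the clear-before-fill fix, not kernel code and not part of the advisory or the OVAL definition; the struct layout mirrors sockaddr_in, and the stale byte pattern, port and address are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustrative model (not kernel code) of the SO_ORIGINAL_DST leak:
 * a sockaddr_in-shaped struct is built on the kernel stack and copied out
 * whole, so any field the kernel never wrote carries stale stack bytes.
 * Layout mirrors struct sockaddr_in: family, port, address, 8 pad bytes. */
struct sockaddr_in_model {
    uint16_t sin_family;
    uint16_t sin_port;
    uint32_t sin_addr;
    uint8_t  sin_zero[8];
};

#define AF_INET_MODEL 2
#define STALE_BYTE    0xAA   /* stands in for whatever the last call left on the stack */

/* Vulnerable: sets the three named fields and copies the whole struct out. */
static void vuln_fill_original_dst(struct sockaddr_in_model *out,
                                   uint16_t port, uint32_t addr)
{
    struct sockaddr_in_model sin;
    memset(&sin, STALE_BYTE, sizeof sin);   /* simulate stale stack contents */
    sin.sin_family = AF_INET_MODEL;
    sin.sin_port = port;
    sin.sin_addr = addr;
    memcpy(out, &sin, sizeof *out);         /* sin_zero leaves untouched */
}

/* Hardened: zero the whole object before filling any field, so padding and
 * unused fields reach user space as zeros whatever the stack held before. */
static void safe_fill_original_dst(struct sockaddr_in_model *out,
                                   uint16_t port, uint32_t addr)
{
    struct sockaddr_in_model sin;
    memset(&sin, STALE_BYTE, sizeof sin);   /* same stale stack as above */
    memset(&sin, 0, sizeof sin);            /* the fix: clear before use */
    sin.sin_family = AF_INET_MODEL;
    sin.sin_port = port;
    sin.sin_addr = addr;
    memcpy(out, &sin, sizeof *out);
}

/* Number of sin_zero bytes that are not zero: any nonzero count means bytes
 * the kernel never initialised were handed to user space. */
static int leaked_bytes(const struct sockaddr_in_model *s)
{
    int n = 0;
    for (size_t i = 0; i < sizeof s->sin_zero; i++)
        if (s->sin_zero[i] != 0)
            n++;
    return n;
}

/* Constructed input: port 8080 and 127.0.0.1, host byte order. */
int demo_vuln_leak(void)
{
    struct sockaddr_in_model out;
    vuln_fill_original_dst(&out, 0x1f90, 0x7f000001u);
    return leaked_bytes(&out);
}

int demo_safe_leak(void)
{
    struct sockaddr_in_model out;
    safe_fill_original_dst(&out, 0x1f90, 0x7f000001u);
    return leaked_bytes(&out);
}

int main(void)
{
    printf("padding bytes leaked, vulnerable: %d\n", demo_vuln_leak());
    printf("padding bytes leaked, hardened:   %d\n", demo_safe_leak());
    return 0;
}
```

The same rule applies to any structure that crosses the kernel/user boundary: clear it in full before setting fields, because compiler-inserted padding and fields a given code path does not set are otherwise copied out verbatim.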
Definition Id: oval:org.mitre.oval:def:10932 | |||
Oval ID: | oval:org.mitre.oval:def:10932 | ||
Title: | SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to cause a denial of service (crash) via a packet without any chunks, which causes a variable to contain an invalid value that is later used to dereference a pointer. | ||
Description: | SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to cause a denial of service (crash) via a packet without any chunks, which causes a variable to contain an invalid value that is later used to dereference a pointer. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-2934 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
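The two SCTP crashes above (the HB-ACK chunk whose parameter length was not validated, and the conntrack dereference on a packet with no chunks at all) are both missing length checks in one packet walker. The following is an added standalone chunk walker, not the kernel's code and not part of the advisory or the OVAL definitions, that shows where those checks belong: the packet bytes are constructed for the demo, the checksum is not verified, and the constants are the standard SCTP header sizes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustrative SCTP chunk walker (not the kernel's code): every chunk
 * and parameter length is checked against the bytes actually present before
 * any pointer into the packet is used. Packet bytes below are constructed. */

#define SCTP_COMMON_HDR 12      /* src port, dst port, verification tag, checksum */
#define SCTP_CHUNK_HDR   4      /* type, flags, length */
#define SCTP_PARAM_HDR   4      /* type, length */
#define SCTP_CID_HEARTBEAT_ACK 5

enum {
    SCTP_OK            =  0,
    SCTP_ERR_SHORT_HDR = -1,    /* shorter than the common header */
    SCTP_ERR_NO_CHUNKS = -2,    /* common header only: no chunk to point at */
    SCTP_ERR_CHUNK_LEN = -3,    /* chunk length below 4 or past end of packet */
    SCTP_ERR_PARAM_LEN = -4,    /* HB-ACK parameter length does not fit its chunk */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* HEARTBEAT-ACK carries one parameter; its declared length must cover at
 * least its own header and must fit inside the chunk body. */
static int check_hb_ack(const uint8_t *body, size_t body_len)
{
    if (body_len < SCTP_PARAM_HDR)
        return SCTP_ERR_PARAM_LEN;
    uint16_t plen = be16(body + 2);
    if (plen < SCTP_PARAM_HDR || plen > body_len)
        return SCTP_ERR_PARAM_LEN;
    return SCTP_OK;
}

/* Walks the chunks of one SCTP packet. Returns the chunk count (> 0) or a
 * negative SCTP_ERR_* code. A chunkless packet is rejected up front instead
 * of leaving a chunk pointer at the end of the buffer. */
int sctp_walk_chunks(const uint8_t *pkt, size_t len)
{
    if (len < SCTP_COMMON_HDR)
        return SCTP_ERR_SHORT_HDR;
    size_t off = SCTP_COMMON_HDR;
    if (off >= len)
        return SCTP_ERR_NO_CHUNKS;
    int count = 0;
    while (off < len) {
        if (len - off < SCTP_CHUNK_HDR)
            return SCTP_ERR_CHUNK_LEN;
        const uint8_t *ch = pkt + off;
        uint16_t clen = be16(ch + 2);
        if (clen < SCTP_CHUNK_HDR || clen > len - off)
            return SCTP_ERR_CHUNK_LEN;
        if (ch[0] == SCTP_CID_HEARTBEAT_ACK) {
            int rc = check_hb_ack(ch + SCTP_CHUNK_HDR, clen - SCTP_CHUNK_HDR);
            if (rc != SCTP_OK)
                return rc;
        }
        count++;
        off += ((size_t)clen + 3u) & ~(size_t)3u;   /* chunks are padded to 4 bytes */
    }
    return count;
}

/* Constructed packets: ports 5000/5000, verification tag 0xdeadbeef,
 * checksum left zero (this walker does not verify CRC32c). */
static const uint8_t PKT_CHUNKLESS[] = {
    0x13,0x88, 0x13,0x88, 0xde,0xad,0xbe,0xef, 0,0,0,0 };

/* HEARTBEAT-ACK: chunk length 12, parameter claims 64 bytes, only 8 exist. */
static const uint8_t PKT_HB_ACK_BAD[] = {
    0x13,0x88, 0x13,0x88, 0xde,0xad,0xbe,0xef, 0,0,0,0,
    SCTP_CID_HEARTBEAT_ACK, 0x00, 0x00,0x0c,
    0x00,0x01, 0x00,0x40,
    0x41,0x42,0x43,0x44 };

/* HEARTBEAT-ACK: chunk length 12, parameter length 8 (well formed). */
static const uint8_t PKT_HB_ACK_OK[] = {
    0x13,0x88, 0x13,0x88, 0xde,0xad,0xbe,0xef, 0,0,0,0,
    SCTP_CID_HEARTBEAT_ACK, 0x00, 0x00,0x0c,
    0x00,0x01, 0x00,0x08,
    0x41,0x42,0x43,0x44 };

int demo_chunkless(void)  { return sctp_walk_chunks(PKT_CHUNKLESS,  sizeof PKT_CHUNKLESS); }
int demo_hb_ack_bad(void) { return sctp_walk_chunks(PKT_HB_ACK_BAD, sizeof PKT_HB_ACK_BAD); }
int demo_hb_ack_ok(void)  { return sctp_walk_chunks(PKT_HB_ACK_OK,  sizeof PKT_HB_ACK_OK); }
/* Same good packet cut off two bytes into the first chunk header. */
int demo_truncated(void)  { return sctp_walk_chunks(PKT_HB_ACK_OK,  SCTP_COMMON_HDR + 2); }

int main(void)
{
    printf("chunkless: %d  bad HB-ACK: %d  good HB-ACK: %d  truncated: %d\n",
           demo_chunkless(), demo_hb_ack_bad(), demo_hb_ack_ok(), demo_truncated());
    return 0;
}
```

Every length the walker uses comes from the wire, so each one is compared against the bytes that remain before it is used as an offset; the chunkless case is the degenerate instance where the remaining byte count is zero.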
Definition Id: oval:org.mitre.oval:def:10945 | |||
Oval ID: | oval:org.mitre.oval:def:10945 | ||
Title: | Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function. | ||
Description: | Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-0038 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
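The do_replace() flaw above is an allocation-size integer overflow: a user-controlled byte count is aligned and multiplied by the CPU count in unsigned int arithmetic, the product wraps to a small number, and the subsequent copy_from_user() of the original count overruns the small buffer. The following is an added user-space model of that sizing and of an overflow-checked version, not kernel code and not part of the advisory or the OVAL definition; NUM_CPUS, SMP_ALIGN and the header struct are illustrative, and instead of writing past a real allocation the model reports whether the copy would exceed it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustrative model (not kernel code) of the do_replace() sizing bug:
 * a user-controlled header announces tmp.size bytes of rule entries, the
 * kernel sizes a per-CPU copy from it, then copies tmp.size bytes into the
 * result. NUM_CPUS, SMP_ALIGN and the struct below are assumptions. */

#define NUM_CPUS 4u
#define SMP_ALIGN(x) (((x) + 31u) & ~31u)   /* round up to a 32-byte boundary */

struct replace_hdr {
    unsigned int size;   /* bytes of entries that follow; attacker-controlled */
};

enum { REPLACE_OK = 0, REPLACE_EINVAL = -1, REPLACE_OVERFLOW = -2 };

/* Vulnerable sizing: every term is unsigned int, so the multiplication
 * silently wraps and a huge tmp.size yields a tiny allocation. */
static unsigned int vuln_alloc_size(unsigned int user_size)
{
    return (unsigned int)sizeof(struct replace_hdr) + SMP_ALIGN(user_size) * NUM_CPUS;
}

/* Hardened sizing: refuse any tmp.size whose aligned per-CPU total cannot
 * be represented, checking before each step that could wrap.
 * Returns 1 and sets *out, or 0 if the size is rejected. */
static int safe_alloc_size(unsigned int user_size, size_t *out)
{
    const unsigned int hdr = (unsigned int)sizeof(struct replace_hdr);
    if (user_size > UINT_MAX - 31u)
        return 0;                                /* SMP_ALIGN itself would wrap */
    unsigned int aligned = SMP_ALIGN(user_size);
    if (aligned > (UINT_MAX - hdr) / NUM_CPUS)
        return 0;                                /* aligned * NUM_CPUS would wrap */
    *out = (size_t)hdr + (size_t)aligned * NUM_CPUS;
    return 1;
}

/* Vulnerable replace path: copy_from_user() of tmp.size bytes targets a
 * buffer sized by the wrapped arithmetic. The model reports whether the
 * copy would run past the allocation rather than performing it. */
int vuln_do_replace(unsigned int user_size)
{
    unsigned int alloc = vuln_alloc_size(user_size);
    size_t needed = (size_t)sizeof(struct replace_hdr) + (size_t)user_size;
    return needed > (size_t)alloc ? REPLACE_OVERFLOW : REPLACE_OK;
}

/* Hardened replace path: validate the size first, so the copy can never be
 * larger than the allocation it targets. */
int safe_do_replace(unsigned int user_size)
{
    size_t alloc;
    if (!safe_alloc_size(user_size, &alloc))
        return REPLACE_EINVAL;
    size_t needed = (size_t)sizeof(struct replace_hdr) + (size_t)user_size;
    return needed > alloc ? REPLACE_OVERFLOW : REPLACE_OK;
}

int main(void)
{
    unsigned int sizes[] = { 4096u, 0x40000020u };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("tmp.size=%#x vulnerable=%d hardened=%d\n",
               sizes[i], vuln_do_replace(sizes[i]), safe_do_replace(sizes[i]));
    return 0;
}
```

With tmp.size = 0x40000020 the aligned value times four CPUs is 0x100000080, which an unsigned int truncates to 0x80, so the vulnerable path allocates 132 bytes and then copies a gigabyte into them; the hardened path rejects the request before any arithmetic is done on it.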
Definition Id: oval:org.mitre.oval:def:11295 | |||
Oval ID: | oval:org.mitre.oval:def:11295 | ||
Title: | Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer." | ||
Description: | Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer." | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-2275 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:11707 | |||
Oval ID: | oval:org.mitre.oval:def:11707 | ||
Title: | nfs2acl.c in the Linux kernel 2.6.14.4 does not check for MAY_SATTR privilege before setting access controls (ACL) on files on exported NFS filesystems, which allows remote attackers to bypass ACLs for readonly mounted NFS filesystems. | ||
Description: | nfs2acl.c in the Linux kernel 2.6.14.4 does not check for MAY_SATTR privilege before setting access controls (ACL) on files on exported NFS filesystems, which allows remote attackers to bypass ACLs for readonly mounted NFS filesystems. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-3623 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9117 | |||
Oval ID: | oval:org.mitre.oval:def:9117 | ||
Title: | Race condition between the kfree_skb and __skb_unlink functions in the socket buffer handling in Linux kernel 2.6.9, and possibly other versions, allows remote attackers to cause a denial of service (crash), as demonstrated using the TCP stress tests from the LTP test suite. | ||
Description: | Race condition between the kfree_skb and __skb_unlink functions in the socket buffer handling in Linux kernel 2.6.9, and possibly other versions, allows remote attackers to cause a denial of service (crash), as demonstrated using the TCP stress tests from the LTP test suite. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-2446 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9472 | |||
Oval ID: | oval:org.mitre.oval:def:9472 | ||
Title: | Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference. | ||
Description: | Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-3055 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9566 | |||
Oval ID: | oval:org.mitre.oval:def:9566 | ||
Title: | Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory. | ||
Description: | Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-0457 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
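The keyctl race above is the measure-then-copy TOCTOU: the kernel computed the length of a user-supplied string, allocated for that length, then copied length+1 bytes and assumed the NUL it had seen was still there, while a second thread could rewrite the string between the two steps. The following is an added user-space model of that pattern and of the copy-then-terminate fix, not kernel code and not part of the advisory or the OVAL definition; `user_strnlen` and `user_copy` stand in for strnlen_user() and copy_from_user(), and the racing thread is simulated by a hook called between measurement and copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustrative model (not kernel code). "User memory" is a plain
 * buffer; user_strnlen()/user_copy() stand in for strnlen_user() and
 * copy_from_user(). The attacker's second thread, which rewrites the
 * string between the two calls, is simulated by race_hook. */

#define USER_MAX 64

static char user_mem[USER_MAX];            /* simulated user-space buffer */
static void (*race_hook)(void) = NULL;     /* runs between measure and copy */

static size_t user_strnlen(const char *p, size_t max)
{
    size_t n = 0;
    while (n < max && p[n] != '\0')
        n++;
    return n;
}

static void user_copy(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Vulnerable pattern: measure, allocate len+1, copy len+1 bytes and trust
 * that the NUL seen during measurement is still at offset len. */
static char *vuln_getname(const char *uptr, size_t max)
{
    size_t len = user_strnlen(uptr, max);
    char *k = malloc(len + 1);
    if (!k)
        return NULL;
    if (race_hook)
        race_hook();                       /* user string changes here */
    user_copy(k, uptr, len + 1);           /* k[len] may no longer be NUL */
    return k;
}

/* Hardened pattern: never take the terminator from user space. Copy at most
 * the measured length into a buffer bounded by max, then terminate it on
 * the kernel side; a string that grew or shrank underneath stays in bounds. */
static char *safe_getname(const char *uptr, size_t max)
{
    char *k = malloc(max + 1);
    if (!k)
        return NULL;
    size_t len = user_strnlen(uptr, max);
    if (race_hook)
        race_hook();
    user_copy(k, uptr, len);
    k[len] = '\0';                         /* terminator written by us */
    return k;
}

/* Simulated racing thread: replace the short name with a longer one. */
static void race_rewrite(void)
{
    strcpy(user_mem, "keyring-with-a-much-longer-name");
}

/* Returns 1 if the vulnerable path produced a string with no NUL inside its
 * len+1 allocation, i.e. one that strlen() would read past. */
int demo_vulnerable_unterminated(void)
{
    strcpy(user_mem, "key");
    size_t len = user_strnlen(user_mem, USER_MAX);   /* 3, measured before the race */
    race_hook = race_rewrite;
    char *k = vuln_getname(user_mem, USER_MAX);
    race_hook = NULL;
    int unterminated = (k != NULL && memchr(k, '\0', len + 1) == NULL);
    free(k);
    return unterminated;
}

/* Returns the length of what the hardened path produced under the same race. */
size_t demo_hardened_length(void)
{
    strcpy(user_mem, "key");
    race_hook = race_rewrite;
    char *k = safe_getname(user_mem, USER_MAX);
    race_hook = NULL;
    size_t n = k ? strlen(k) : (size_t)-1;
    free(k);
    return n;
}

int main(void)
{
    printf("vulnerable copy unterminated: %d\n", demo_vulnerable_unterminated());
    printf("hardened copy length: %zu\n", demo_hardened_length());
    return 0;
}
```

The hardened variant is the shape of the kernel-side fix: the only value it trusts from the first pass is an upper bound on how much to copy, and the terminator is written by the copying side, so nothing downstream ever reads past the allocation however the user string is changed meanwhile.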
Definition Id: oval:org.mitre.oval:def:9909 | |||
Oval ID: | oval:org.mitre.oval:def:9909 | ||
Title: | The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors. | ||
Description: | The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-0456 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9995 | |||
Oval ID: | oval:org.mitre.oval:def:9995 | ||
Title: | The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels. | ||
Description: | The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-1056 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for kernel CESA-2010:0610 centos5 i386 File : nvt/gb_CESA-2010_0610_kernel_centos5_i386.nasl |
2010-08-13 | Name : RedHat Update for kernel RHSA-2010:0610-01 File : nvt/gb_RHSA-2010_0610-01_kernel.nasl |
2009-10-10 | Name : SLES9: Security update for Linux kernel File : nvt/sles9p5010939.nasl |
2009-10-10 | Name : SLES9: Security update for Linux kernel File : nvt/sles9p5015723.nasl |
2009-10-10 | Name : SLES9: Security update for Linux kernel File : nvt/sles9p5020521.nasl |
2008-09-04 | Name : FreeBSD Security Advisory (FreeBSD-SA-06:14.fpu.asc) File : nvt/freebsdsa_fpu.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1017-1 (kernel-source-2.6.8) File : nvt/deb_1017_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1097-1 (kernel-source-2.4.27) File : nvt/deb_1097_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1103-1 (kernel-source-2.6.8) File : nvt/deb_1103_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1183-1 (kernel-source-2.4.27) File : nvt/deb_1183_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1184-1 (kernel-source-2.6.8) File : nvt/deb_1184_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1184-2 (kernel-source-2.6.8) File : nvt/deb_1184_2.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
29841 | Linux Kernel net/ipv4/netfilter/ IPv4 Socket Name Return Arbitrary Memory Dis... The Linux kernel contains a flaw that may lead to local memory disclosure. The issue is due to net/ipv4/netfilter/ip_conntrack_core.c, net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c and net/ipv4/af_inet.c not properly clearing the 'sockaddr_in.sin_zero' struct. The resulting 6 byte leak to userspace occurs when returning IPv4 socket names from getsockopt(), getpeername(), accept() and getsockname() functions. This could allow a local attacker to possibly obtain sensitive information. |
28551 | Linux Kernel kfree_skb / __skb_unlink Function Race Condition DoS |
26997 | Linux Kernel on IBM S/390 strnlen_user Function Local DoS |
26963 | Linux Kernel SCTP conntrack Chunkless Packet Remote DoS Linux Kernel contains a flaw that may allow a remote denial of service. The issue is triggered when an error occurs when handling SCTP packets without a chunk, and will result in loss of availability for the platform. |
26946 | Linux Kernel on PowerPC access_ok Check Failure Arbitrary Kernel Memory Discl... |
26615 | Linux Kernel SCTP Receiver Application Small Message Saturation DoS |
25695 | Linux Kernel SCTP HB-ACK Chunk Processing Overflow DoS The Linux kernel contains a flaw that may allow a remote denial of service. The issue is triggered when a crafted HB-ACK chunk packet is sent to the SCTP handling code, which can be found in the '/net/sctp/sm_statefuns.c' file. The kernel then fails to properly validate the length of certain parameters, which might result in access to invalid memory and lead to loss of availability for the platform due to a kernel crash. |
25232 | Linux Kernel SELinux Module Tracer SID Local DoS The Linux Kernel contains a flaw that may allow a local denial of service. The issue is triggered when 'selinux_ptrace' is used to trace a process. The SID that is set while doing so might be replaced later on accessing certain '/proc' files relating to that process, potentially allowing the owner of the original process to enter the other process' domain. This can result in unauthorised access to the target domain, but appears to be more likely to result in a kernel panic and hence in a loss of availability for the platform. |
24807 | Linux Kernel x87 Register Information Disclosure The Linux kernel contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered because the Floating Point Units (FPUs) of the affected processor types do not save and restore the FOP, FID and FPD registers when certain instructions are executed. As a result, Linux does not clear these registers either. When a context switch occurs, a user can potentially read these uncleared registers which could disclose floating point information, resulting in a loss of confidentiality. |
24746 | FreeBSD FPU x87 Register Information Disclosure FreeBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered because the Floating Point Units (FPUs) of the affected processor types do not save and restore the FOP, FID and FPD registers when certain instructions are executed. As a result, FreeBSD does not clear these registers either. When a context switch occurs, a user can potentially read these uncleared registers which could disclose floating point information, resulting in a loss of confidentiality. |
24137 | Linux Kernel Crafted Zero IP ID DF Packet Countermeasure Bypass |
24071 | Linux Kernel IPv4 sockaddr_in.sin_zero Local Information Disclosure |
24040 | Linux Kernel Netfilter do_replace() Function Local Overflow |
23894 | Linux Kernel Multiple Function String Length Modification Race Condition Loca... The Linux Kernel contains a flaw that may allow a local denial of service. The issue is triggered when a race condition occurs that allows an attacker to modify an argument of a copy operation after it has been validated, but before it is used. This may present a window of opportunity for an attacker to gain access to sensitive information stored in memory. |
23660 | Linux Kernel die_if_kernel() Function Unspecified Return Issue The Linux kernel contains a flaw that may allow a local denial of service. The issue is triggered because the 'die_if_kernel()' function is labeled with the 'noreturn' attribute. On Intel ia64 systems, this can lead to a kernel panic when user faults are caused, which will result in loss of availability for the platform. |
22179 | Linux Kernel nfs*acl.c Exported NFS readonly ACL Bypass The Linux kernel contains a flaw that may allow a malicious user to perform unauthorised actions. The issue is triggered because attackers can set permissions on exported NFS shares flagged as 'read-only'. This flaw may result in a loss of integrity. |
19702 | Linux Kernel USB Malformed URB Local DoS |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | kernel SCTP chunkless packet denial of service attempt RuleID : 7021 - Revision : 9 - Type : OS-LINUX |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-06-12 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0068.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-0446-1.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2013-0043.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2013-0042.nasl - Type : ACT_GATHER_INFO |
2013-03-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-219-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-346-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-331-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-311-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-302-1.nasl - Type : ACT_GATHER_INFO |
2007-01-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2006-572.nasl - Type : ACT_GATHER_INFO |
2007-01-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2006-573.nasl - Type : ACT_GATHER_INFO |
2006-12-16 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-151.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1017.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1097.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1103.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1183.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1184.nasl - Type : ACT_GATHER_INFO |
2006-08-30 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2006-0575.nasl - Type : ACT_GATHER_INFO |
2006-08-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2006-0575.nasl - Type : ACT_GATHER_INFO |
2006-08-04 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2006-0437.nasl - Type : ACT_GATHER_INFO |
2006-07-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2006-0437.nasl - Type : ACT_GATHER_INFO |
2006-07-18 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-123.nasl - Type : ACT_GATHER_INFO |
2006-07-17 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2006-0579.nasl - Type : ACT_GATHER_INFO |
2006-05-19 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-086.nasl - Type : ACT_GATHER_INFO |
2006-05-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-281-1.nasl - Type : ACT_GATHER_INFO |
2006-05-09 | Name : It is possible to crash the remote host by sending it a malformed SCTP packet. File : linux_sctp_chunk_header_dos.nasl - Type : ACT_KILL_HOST |
2006-04-21 | Name : The remote Fedora Core host is missing a security update. File : fedora_2006-423.nasl - Type : ACT_GATHER_INFO |
2006-04-21 | Name : The remote Fedora Core host is missing a security update. File : fedora_2006-421.nasl - Type : ACT_GATHER_INFO |
2006-03-23 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-059.nasl - Type : ACT_GATHER_INFO |
2006-03-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-263-1.nasl - Type : ACT_GATHER_INFO |
2006-02-10 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2006_006.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-219.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-235.nasl - Type : ACT_GATHER_INFO |
2005-12-08 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2005_067.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:50:06 | |