Executive Summary

This alert is flagged as a CWE/SANS TOP 25 Common Weakness Enumeration entry.
Summary
Title: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 4

Information
Name: RHSA-2006:0575
Vendor: RedHat
First vendor Publication: 2006-08-10
Last vendor Modification: 2006-08-10
Severity (Vendor): N/A
Revision: 01

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:C)
CVSS Base Score: 9
CVSS Impact Score: 8.5
CVSS Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

Problem Description:

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

This is the fourth regular update to Red Hat Enterprise Linux 4.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64

3. Problem description:

New features introduced in this update include:

* Device Mapper mirroring support

* IDE diskdump support

* x86, AMD64 and Intel EM64T: Multi-core scheduler support enhancements

* Itanium: perfmon support for Montecito

* much improved support for IBM x460

* AMD PowerNow! patches to support Opteron Rev G

* Vmalloc support > 64MB

The following device drivers have been upgraded to new versions:

ipmi: 33.11 to 33.13
ib_mthca: 0.06 to 0.08
bnx2: 1.4.30 to 1.4.38
bonding: 2.6.1 to 2.6.3
e100: 3.4.8-k2-NAPI to 3.5.10-k2-NAPI
e1000: 6.1.16-k3-NAPI to 7.0.33-k2-NAPI
sky2: 0.13 to 1.1
tg3: 3.43-rh to 3.52-rh
ipw2100: 1.1.0 to git-1.1.4
ipw2200: 1.0.0 to git-1.0.10
3w-9xxx: 2.26.02.001 to 2.26.04.010
ips: 7.10.18 to 7.12.02
iscsi_sfnet: 4:0.1.11-2 to 4:0.1.11-3
lpfc: 0:8.0.16.18 to 0:8.0.16.27
megaraid_sas: 00.00.02.00 to 00.00.02.03-RH1
qla2xxx: 8.01.02-d4 to 8.01.04-d7
qla6312: 8.01.02-d4 to 8.01.04-d7
sata_promise: 1.03 to 1.04
sata_vsc: 1.1 to 1.2
ibmvscsic: 1.5.5 to 1.5.6
ipr: 2.0.11.1 to 2.0.11.2

Added drivers:

dcdbas: 5.6.0-2
sata_mv: 0.6
sata_qstor: 0.05
sata_uli: 0.5
skge: 1.1
stex: 2.9.0.13
pdc_adma: 0.03

This update includes fixes for the security issues:

* a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate)

* a flaw in the ACL handling of nfsd that allowed a remote user to bypass ACLs for readonly mounted NFS file systems (CVE-2005-3623, moderate)

* a flaw in the netfilter handling that allowed a local user with CAP_NET_ADMIN rights to cause a buffer overflow (CVE-2006-0038, low)

* a flaw in the IBM S/390 and IBM zSeries strnlen_user() function that allowed a local user to cause a denial of service (crash) or to retrieve random kernel data (CVE-2006-0456, important)

* a flaw in the keyctl functions that allowed a local user to cause a denial of service (crash) or to read sensitive kernel memory (CVE-2006-0457, important)

* a flaw in unaligned accesses handling on Itanium processors that allowed a local user to cause a denial of service (crash) (CVE-2006-0742, important)

* a flaw in SELinux ptrace logic that allowed a local user with ptrace permissions to change the tracer SID to a SID of another process (CVE-2006-1052, moderate)

* an info leak on AMD-based x86 and x86_64 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important)

* a flaw in IPv4 packet output handling that allowed a remote user to bypass the zero IP ID countermeasure on systems with a disabled firewall (CVE-2006-1242, low)

* a minor info leak in socket option handling in the network code (CVE-2006-1343, low)

* a flaw in the HB-ACK chunk handling of SCTP that allowed a remote user to cause a denial of service (crash) (CVE-2006-1857, moderate)

* a flaw in the SCTP implementation that allowed a remote user to cause a denial of service (deadlock) (CVE-2006-2275, moderate)

* a flaw in the socket buffer handling that allowed a remote user to cause a denial of service (panic) (CVE-2006-2446, important)

* a flaw in the signal handling access checking on PowerPC that allowed a local user to cause a denial of service (crash) or read arbitrary kernel memory on 64-bit systems (CVE-2006-2448, important)

* a flaw in the netfilter SCTP module when receiving a chunkless packet that allowed a remote user to cause a denial of service (crash) (CVE-2006-2934, important)

There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

141342 - install hangs on Dell PowerVault 745 with SATA drives (sata_vsc module)
149933 - fix missing wakeup in ipc/sem
151981 - udevd fails to create /dev files after misc_register
154984 - Sound Blaster Audigy 2 Value audio does not work
155926 - [RHEL4-U2][Diskdump] OS_INIT dump function is broken
156145 - kernel may oops if more than 4k worth of string data returned in /proc/devices
156663 - Can't install from SATA CD/DVD drive
157404 - Loss of SATA ICH device hangs RAID1
157902 - [PATCH] ata_piix fails on some ICH7 hardware
158989 - snd-nm256 module hangs Dell Latitude CSx
165113 - kernel build broken when 4KSTACKS disabled
165245 - EHCI Host driver violates USB2.0 Specification leading to device failures
166541 - mdadm --grow infinite resync
168285 - No (useful) logging of parameters to execve
169260 - CVE-2005-3055 async usb devio oops
169456 - COMM_LOST problem with SCTP stream socket
169600 - SMP kernel crash when use as LVS router
170143 - rm command hangs when removing a symlink on ext2 loop filesystem
170434 - Deadlock in fc_target_unblock while shutting down the system
171304 - sata_promise: missing PCI ID for SATA300 TX4
171645 - Oops kernel NULL pointer
171740 - ipw2100 modules crashes and restarts whenever in use
172199 - Spurious keyboard repeats and clock is fast
172696 - kernel panic after a few hours/days of operation with pulse
173193 - vmalloc limited to 64Mb
173489 - kernel panics when rebooting
173843 - Kernel panic with this comment: <4>VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
173895 - Kernel panic on install on 64BG EM64T
174019 - TG3 driver crashes with BCM4704C chipset with heavy traffic
174155 - Documentation mismatch
174470 - RFE: tg3 support for Broadcom 5751 PCIe
174639 - System hangs with kernel panic when using current 3ware drivers
174671 - [PATCH] bonding: don't drop non-VLAN traffic
175616 - [RHEL 4 U2] kernel panic on EM64T with long cmdline args
175763 - misleading overcommit_memory reference in Documentation/filesystems/proc.txt
175778 - Accessing automounted directories can cause a process to hang forever
175854 - [RHEL4-U3] Checking dump partition fails when a swap partition whose size is less than memory size is configured for diskdump.
176107 - sata-nv crashes on multiple SATA disks
176173 - The hash.h hash_long function, when used on a 64 bit machine, ignores many of the middle-order bits.
176361 - io_setup() fails for 32bit tasks in x86-64
176601 - Oprofile unsupported recent Pentium4
176612 - xw6400 System panic while installing RHEL4-U3
177439 - SELinux MLS compatibility
177509 - No i915 DRM module
178084 - Last AIO read of a file opened with O_DIRECT returns wrong length
178720 - O_DIRECT bug when reading last block of sparse file
178845 - RHEL4u4 FEAT: Provide support for Opteron Rev G and Power Now! clean-up
179206 - Please backport the sata_mv Marvell MV88SX5081 driver?
179334 - kernel boot can Oops in work queue code when console blanks
179752 - Request to update lpfc driver in RHEL 4 U4
180028 - deadlocks on ext2,sync mounted fs
180138 - kmir_mon worker thread doesn't exit
180195 - aic7xxx and aic79xx Drivers Don't Support 16-byte CDBs
180568 - typo in spinlock.h? line 407
180621 - ipv6 ready logo-P1 ND Test24 fails- RA Lifetime=5 not understood
180958 - [RHEL4] MCE arg parsing broken on x86-64
181457 - Console redirection on DRAC 3 results in repeated key strokes (P1)
181475 - lpfc driver: add managment ioctl module to kernel tree
181780 - Gettimeofday() timer related slowdown and scaling issue
181793 - add MCP51/ NVidia 430 IDE support
181869 - Error given when duplicate non-updateable key (eg: keyring) added
181870 - Key quota handling incorrect in allocation
181879 - CVE-2006-0457 Key syscalls use get length of strings before copying, and assume terminating NUL copied from userspace
181881 - CVE-2006-0456 s390/s390x strnlen_user() is broken
182137 - NFS lockd recovery is broken in U3 due to missing code.
182684 - [EMC/Oracle RHEL 4.4] ISCSI MODULE SHOWS MULTIPLE DEVICES FOR A SINGLE LUN IN RHEL 4.0 U2
182726 - Possible hang when ptracing and using hugepages
183392 - [RHEL4] [RFE] Add diskdump capability to IDE
183416 - DoS attack possible via nfsservctl
183463 - CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic
183661 - ramfs: update dir mtime and ctime
183664 - dm: make sure don't give out the same minor number twice
184208 - Large LUNS can't be seen with Hitachi Open- SAN
184254 - PCI interrupts on ioapic pins 0-15 always get "legacy" IRQs.
184535 - [BETA RHEL4 U3] brokenness in cfq_dispatch_requests
184583 - Kernel should export number and state of local APICs
185043 - CVE-2005-3623 ACL setting on read-only fs
185289 - CVE-2006-1052 SELinux flaw
185431 - kernel dm: bad argument count check in dm-log.c
185444 - kernel dm: missing bdput
185445 - kernel dm: fix free_dev del_gendisk
185447 - kernel dm: flush queued bios if suspend is interrupted
185450 - kernel dm: log bitset fix BE find_next_zero_bit
185454 - kernel device-mapper mirroring: table output incorrect
185455 - kernel dm snapshots: replace siblings list
185456 - kernel dm mirroring: suspend operation is not well behaved
185459 - kernel dm snapshots: fix invalidation
185468 - kernel dm: striped access beyond end of device
185754 - [RHEL4 U3] kernel dm mirror: unrelated mirror devices stall if any log device fails
185782 - [RHEL4 U3] device-mapper mirror: Data corruption if the default mirror fails during recovery.
185785 - [RHEL4 U3] device-mapper mirror: Data corruption by temporal errors during recovery.
185991 - kernel dm: bio split bvec fix
186004 - [RHEL4 U3] device-mapper mirror: Write failure region becomes in-sync when suspension.
186057 - CVE-2006-1242 Linux zero IP ID vulnerability?
186066 - Connectathon tests fail against newer Irix server
186071 - NFSD fails SETCLIENTID_CONFIRM
186104 - kernel dm mirror: lvs Copy% overs 100% by lvreduce/lvresize.
186242 - CVE-2006-1343 Small information leak in SO_ORIGINAL_DST
186295 - CVE-2006-0038 netfilters do_replace() overflow
186316 - nvidia cache aliasing problem: change_page_attr drops GLOBAL bit from executable kernel pages
186564 - ACPI 2.0 systems with no XSDT fail to boot
186751 - kernel problem to deal with 3ware 9500SX-12 RAID cards
187249 - [RHEL4 U3] dm-mirror: read stalls if all mirrors failed
187494 - CVE-2006-2275 SCTP traffic probably never resumes
187498 - diskdump_sysfs_store() needs to check sscanf retval
187500 - diskdump_sysfs_store() should check partition number
187501 - device_to_gendisk() is lacking mntput(nd.mnt) on exit
187502 - diskdump - device_to_gendisk() is both racy
187910 - CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs
187951 - Replication failover fails if the NFS permissions are incorrect on one of the servers...
188080 - kernel dm snapshots: Incorrect processing of incorrect chunk size
188141 - Kernel appears too conservative in memory use
188296 - tlb_clear_slave races with tlb_choose_channel
188912 - Update Qlogic qla2xxx driver in RHEL 4 U4
189127 - Trouble with recent module - one packet is seen more than one time
189198 - VLAN not working on initial startup
189279 - [Stratus RHEL4 U4 bug] unchecked error path in usb_alloc_dev can lead to an Oops.
189390 - RHEL4-U3: openipmi: startup race condition
189392 - Submit Promise RHEL4 driver in-box to RHEL4 CD
189393 - Submit Promise RHEL4 driver in-box to RHEL4 CD
189397 - Submit Promise RHEL4 driver in-box to RHEL4 CD
189797 - dm: Fix mapped device references
190576 - REGRESSION: kabi breakage on ia64_mv
191138 - CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic
191139 - installer does not see SATA HDs attached to JMB360 chipset which in legacy mode
191141 - MCE arg parsing broken on x86-64
191723 - device-mapper mirror: Need proper notification of sync status chage on write failure
191847 - REGRESSION: kernel-2.6.9.36 does not boot on ALTIX systems
192098 - Fix problems with MSI-X on 64-bit platforms
192635 - CVE-2006-1857 SCTP HB-ACK chunk overflow
192779 - CVE-2006-2446 LTC20512-kernel BUG in __kfree_skb while running TCP+Kernel stress
193230 - RFE: add pci ids for atiixp
193696 - Not using all available system memory - swapping too aggressive - high load average (iowait)
193728 - A write to a cluster mirror volume not in sync will hang and also cause the sync to hang as well
193838 - gettimeofday goes backwards on IBM x460 merged servers
194215 - CVE-2006-2448 missing access_ok checks in powerpc signal*.c
194533 - veritas storage foundation 32bit apps crash in glibc during post-process installation
195002 - RHEL4 U4 i386 partner beta will not install on ES7000/one
195254 - HP xw9400 network card not getting seen
195502 - Regression: cluster mirror creation cmd hangs even though mirror gets created
196512 - VLANs, tg3 driver, and 2.6.9-34.EL kernel update
196712 - O=/objdir builds fail for out-of-tree builds with 2.6.9-39.4
197387 - CVE-2006-2934 SCTP netfilter DoS with chunkless packets
198321 - kernel freeze at "kernel BUG at kernel/timer.c:420!"
198892 - kernel deadlock on reading /proc/meminfo on 4 CPU's at the same time

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2006-0575.html

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-13 Subverting Environment Variable Values
CAPEC-17 Accessing, Modifying or Executing Executable Files
CAPEC-39 Manipulating Opaque Client-based Data Tokens
CAPEC-45 Buffer Overflow via Symbolic Links
CAPEC-51 Poison Web Service Registry
CAPEC-59 Session Credential Falsification through Prediction
CAPEC-60 Reusing Session IDs (aka Session Replay)
CAPEC-76 Manipulating Input to File System Calls
CAPEC-77 Manipulating User-Controlled Variables
CAPEC-87 Forceful Browsing
CAPEC-104 Cross Zone Scripting

CWE : Common Weakness Enumeration

% Id Name
17 % CWE-667 Insufficient Locking
17 % CWE-399 Resource Management Errors
17 % CWE-310 Cryptographic Issues
17 % CWE-189 Numeric Errors (CWE/SANS Top 25)
17 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
17 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10040
Title: Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not perform certain required access_ok checks, which allows local users to read arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of service (crash) and possibly read kernel memory on 32-bit systems (signal_32.c).
Family: unix
Class: vulnerability
Reference(s): CVE-2006-2448
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:10102
Title: The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local users with ptrace permissions to change the tracer SID to an SID of another process.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-1052
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:10317
Title: The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to conduct an Idle Scan (nmap -sI) attack, which bypasses intended protections against such attacks.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-1242
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:10622
Title: Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-1857
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:10742
Title: The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc, has the "noreturn" attribute set, which allows local users to cause a denial of service by causing user faults on Itanium systems.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-0742
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:10875
Title: net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which allows local users to obtain portions of potentially sensitive memory.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-1343
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:10932
Title: SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to cause a denial of service (crash) via a packet without any chunks, which causes a variable to contain an invalid value that is later used to dereference a pointer.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-2934
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:10945
Title: Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-0038
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:11295
Title: Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer."
Family: unix
Class: vulnerability
Reference(s): CVE-2006-2275
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:11707
Title: nfs2acl.c in the Linux kernel 2.6.14.4 does not check for MAY_SATTR privilege before setting access controls (ACL) on files on exported NFS filesystems, which allows remote attackers to bypass ACLs for readonly mounted NFS filesystems.
Family: unix
Class: vulnerability
Reference(s): CVE-2005-3623
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:9117
Title: Race condition between the kfree_skb and __skb_unlink functions in the socket buffer handling in Linux kernel 2.6.9, and possibly other versions, allows remote attackers to cause a denial of service (crash), as demonstrated using the TCP stress tests from the LTP test suite.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-2446
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:9472
Title: Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference.
Family: unix
Class: vulnerability
Reference(s): CVE-2005-3055
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:9566
Title: Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-0457
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:9909
Title: The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-0456
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Definition Id: oval:org.mitre.oval:def:9995
Title: The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels.
Family: unix
Class: vulnerability
Reference(s): CVE-2006-1056
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 2
Os 3
Os 1
Os 1
Os 735

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for kernel CESA-2010:0610 centos5 i386
File : nvt/gb_CESA-2010_0610_kernel_centos5_i386.nasl
2010-08-13 Name : RedHat Update for kernel RHSA-2010:0610-01
File : nvt/gb_RHSA-2010_0610-01_kernel.nasl
2009-10-10 Name : SLES9: Security update for Linux kernel
File : nvt/sles9p5010939.nasl
2009-10-10 Name : SLES9: Security update for Linux kernel
File : nvt/sles9p5015723.nasl
2009-10-10 Name : SLES9: Security update for Linux kernel
File : nvt/sles9p5020521.nasl
2008-09-04 Name : FreeBSD Security Advisory (FreeBSD-SA-06:14.fpu.asc)
File : nvt/freebsdsa_fpu.nasl
2008-01-17 Name : Debian Security Advisory DSA 1017-1 (kernel-source-2.6.8)
File : nvt/deb_1017_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1097-1 (kernel-source-2.4.27)
File : nvt/deb_1097_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1103-1 (kernel-source-2.6.8)
File : nvt/deb_1103_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1183-1 (kernel-source-2.4.27)
File : nvt/deb_1183_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1184-1 (kernel-source-2.6.8)
File : nvt/deb_1184_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1184-2 (kernel-source-2.6.8)
File : nvt/deb_1184_2.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
29841 Linux Kernel net/ipv4/netfilter/ IPv4 Socket Name Return Arbitrary Memory Dis...
The Linux kernel contains a flaw that may lead to local memory disclosure. The issue is due to net/ipv4/netfilter/ip_conntrack_core.c, net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c and net/ipv4/af_inet.c not properly clearing the 'sockaddr_in.sin_zero' struct. The resulting 6 byte leak to userspace occurs when returning IPv4 socket names from getsockopt(), getpeername(), accept() and getsockname() functions. This could allow a local attacker to possibly obtain sensitive information.

28551 Linux Kernel kfree_skb / __skb_unlink Function Race Condition DoS

26997 Linux Kernel on IBM S/390 strnlen_user Function Local DoS

26963 Linux Kernel SCTP conntrack Chunkless Packet Remote DoS
Linux Kernel contains a flaw that may allow a remote denial of service. The issue is triggered when an error occurs when handling SCTP packets without a chunk, and will result in loss of availability for the platform.

26946 Linux Kernel on PowerPC access_ok Check Failure Arbitrary Kernel Memory Discl...

26615 Linux Kernel SCTP Receiver Application Small Message Saturation DoS

25695 Linux Kernel SCTP HB-ACK Chunk Processing Overflow DoS
The Linux kernel contains a flaw that may allow a remote denial of service. The issue is triggered when a crafted HB-ACK chunk packet is sent to the SCTP handling code, which can be found in the '/net/sctp/sm_statefuns.c' file. The kernel then fails to properly validate the length of certain parameters, which might result in access to invalid memory and lead to loss of availability for the platform due to a kernel crash.

25232 Linux Kernel SELinux Module Tracer SID Local DoS
The Linux Kernel contains a flaw that may allow a local denial of service. The issue is triggered when 'selinux_ptrace' is used to trace a process. The SID that is set while doing so might be replaced later on accessing certain '/proc' files relating to that process, potentially allowing the owner of the original process to enter the other process' domain. This can result in unauthorised access to the target domain, but appears to be more likely to result in a kernel panic and hence in a loss of availability for the platform.

24807 Linux Kernel x87 Register Information Disclosure
The Linux kernel contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered because the Floating Point Units (FPUs) of the affected processor types do not save and restore the FOP, FID and FPD registers when certain instructions are executed. As a result, Linux does not clear these registers either. When a context switch occurs, a user can potentially read these uncleared registers which could disclose floating point information, resulting in a loss of confidentiality.

24746 FreeBSD FPU x87 Register Information Disclosure
FreeBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered because the Floating Point Units (FPUs) of the affected processor types do not save and restore the FOP, FID and FPD registers when certain instructions are executed. As a result, FreeBSD does not clear these registers either. When a context switch occurs, a user can potentially read these uncleared registers which could disclose floating point information, resulting in a loss of confidentiality.

24137 Linux Kernel Crafted Zero IP ID DF Packet Countermeasure Bypass

24071 Linux Kernel IPv4 sockaddr_in.sin_zero Local Information Disclosure

24040 Linux Kernel Netfilter do_replace() Function Local Overflow

23894 Linux Kernel Multiple Function String Length Modification Race Condition Loca...

The Linux Kernel contains a flaw that may allow a local denial of service. The issue is triggered when a race condition occurs that allows an attacker to modify an argument of a copy operation after it has been validated, but before it is used. This may present a window of opportunity for an attacker to gain access to sensitive information stored in memory.
23660 Linux Kernel die_if_kernel() Function Unspecified Return Issue

The Linux kernel contains a flaw that may allow a local denial of service. The issue is triggered because the 'die_if_kernel()' function is labeled with the 'noreturn' attribute. On Intel ia64 systems, this can lead to a kernel panic when user faults are caused, which will result in loss of availability for the platform.
22179 Linux Kernel nfs*acl.c Exported NFS readonly ACL Bypass

The Linux kernel contains a flaw that may allow a malicious user to perform unauthorised actions. The issue is triggered because attackers can set permissions on exported NFS shares flagged as 'read-only'. This flaw may result in a loss of integrity.
19702 Linux Kernel USB Malformed URB Local DoS

Snort® IPS/IDS

Date Description
2014-01-10 kernel SCTP chunkless packet denial of service attempt
RuleID : 7021 - Revision : 9 - Type : OS-LINUX

Nessus® Vulnerability Scanner

Date Description
2015-06-12 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2015-0068.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0446-1.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2013-0043.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2013-0042.nasl - Type : ACT_GATHER_INFO
2013-03-09 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-219-1.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-346-1.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-331-1.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-311-1.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-302-1.nasl - Type : ACT_GATHER_INFO
2007-01-17 Name : The remote Fedora Core host is missing a security update.
File : fedora_2006-572.nasl - Type : ACT_GATHER_INFO
2007-01-17 Name : The remote Fedora Core host is missing a security update.
File : fedora_2006-573.nasl - Type : ACT_GATHER_INFO
2006-12-16 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2006-151.nasl - Type : ACT_GATHER_INFO
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1017.nasl - Type : ACT_GATHER_INFO
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1097.nasl - Type : ACT_GATHER_INFO
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1103.nasl - Type : ACT_GATHER_INFO
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1183.nasl - Type : ACT_GATHER_INFO
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1184.nasl - Type : ACT_GATHER_INFO
2006-08-30 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2006-0575.nasl - Type : ACT_GATHER_INFO
2006-08-14 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2006-0575.nasl - Type : ACT_GATHER_INFO
2006-08-04 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2006-0437.nasl - Type : ACT_GATHER_INFO
2006-07-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2006-0437.nasl - Type : ACT_GATHER_INFO
2006-07-18 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2006-123.nasl - Type : ACT_GATHER_INFO
2006-07-17 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2006-0579.nasl - Type : ACT_GATHER_INFO
2006-05-19 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2006-086.nasl - Type : ACT_GATHER_INFO
2006-05-13 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-281-1.nasl - Type : ACT_GATHER_INFO
2006-05-09 Name : It is possible to crash the remote host by sending it a malformed SCTP packet.
File : linux_sctp_chunk_header_dos.nasl - Type : ACT_KILL_HOST
2006-04-21 Name : The remote Fedora Core host is missing a security update.
File : fedora_2006-423.nasl - Type : ACT_GATHER_INFO
2006-04-21 Name : The remote Fedora Core host is missing a security update.
File : fedora_2006-421.nasl - Type : ACT_GATHER_INFO
2006-03-23 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2006-059.nasl - Type : ACT_GATHER_INFO
2006-03-13 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-263-1.nasl - Type : ACT_GATHER_INFO
2006-02-10 Name : The remote host is missing a vendor-supplied security patch
File : suse_SA_2006_006.nasl - Type : ACT_GATHER_INFO
2006-01-15 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-219.nasl - Type : ACT_GATHER_INFO
2006-01-15 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-235.nasl - Type : ACT_GATHER_INFO
2005-12-08 Name : The remote host is missing a vendor-supplied security patch
File : suse_SA_2005_067.nasl - Type : ACT_GATHER_INFO

Alert History

Date Informations
2014-02-17 11:50:06
  • Multiple Updates