[ MDKSA-2007:196 ] - Updated kernel packages fix multiple- vulnerabilities and bugs

From: security@mandriva.com
To: bugtraq@securityfocus.com
Subject: [ MDKSA-2007:196 ] - Updated kernel packages fix multiple- vulnerabilities and bugs

Hash: SHA1

 Mandriva Linux Security Advisory                         MDKSA-2007:196
 Package : kernel
 Date    : October 15, 2007
 Affected: Corporate 4.0
 Problem Description:
 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 The compat_sys_mount function in fs/compat.c allowed local users
 to cause a denial of service (NULL pointer dereference and oops)
 by mounting a smbfs file system in compatibility mode (CVE-2006-7203).
 The nf_conntrack function in netfilter did not set nfctinfo during
 reassembly of fragmented packets, which left the default value as
 IP_CT_ESTABLISHED and could allow remote attackers to bypass certain
 rulesets using IPv6 fragments (CVE-2007-1497).
 A typo in the Linux kernel caused RTA_MAX to be used as an array size
 instead of RTN_MAX, which lead to an out of bounds access by certain
 functions (CVE-2007-2172).
 The IPv6 protocol allowed remote attackers to cause a denial of
 service via crafted IPv6 type 0 route headers that create network
 amplification between two routers (CVE-2007-2242).
 The random number feature did not properly seed pools when there was
 no entropy, or used an incorrect cast when extracting entropy, which
 could cause the random number generator to provide the same values
 after reboots on systems without an entropy source (CVE-2007-2453).
 A memory leak in the PPPoE socket implementation allowed local users
 to cause a denial of service (memory consumption) by creating a
 socket using connect, and releasing it before the PPPIOCGCHAN ioctl
 is initialized (CVE-2007-2525).
 An integer underflow in the cpuset_tasks_read function, when the cpuset
 filesystem is mounted, allowed local users to obtain kernel memory
 contents by using a large offset when reading the /dev/cpuset/tasks
 file (CVE-2007-2875).
 The sctp_new function in netfilter allowed remote attackers to cause
 a denial of service by causing certain invalid states that triggered
 a NULL pointer dereference (CVE-2007-2876).
 A stack-based buffer overflow in the random number generator could
 allow local root users to cause a denial of service or gain privileges
 by setting the default wakeup threshold to a value greater than the
 output pool size (CVE-2007-3105).
 The lcd_write function did not limit the amount of memory used by
 a caller, which allows local users to cause a denial of service
 (memory consumption) (CVE-2007-3513).
 The Linux kernel allowed local users to send arbitrary signals
 to a child process that is running at higher privileges by
 causing a setuid-root parent process to die which delivered an
 attacker-controlled parent process death signal (PR_SET_PDEATHSIG)
 The aac_cfg_openm and aac_compat_ioctl functions in the SCSI layer
 ioctl patch in aacraid did not check permissions for ioctls, which
 might allow local users to cause a denial of service or gain privileges
 The IA32 system call emulation functionality, when running on the
 x86_64 architecture, did not zero extend the eax register after the
 32bit entry path to ptrace is used, which could allow local users to
 gain privileges by triggering an out-of-bounds access to the system
 call table using the %RAX register (CVE-2007-4573).
 In addition to these security fixes, other fixes have been included
 such as:
   - The 3w-9xxx module was updated to version, adding support
   for 9650SE
   - Fixed the build of e1000-ng
   - Added NIC support for MCP55
   - Added LSI Logic MegaRAID SAS 8300XLP support
 To update your kernel, please follow the directions located at:

 Updated Packages:
 Corporate 4.0:
 3657c208eeb3c079d9ff0a4ca55a9b03  corporate/4.0/i586/kernel-
 0cd8fd1c504f3365fe503c4fd627b6ea  corporate/4.0/i586/kernel-BOOT-
 fbabe3497810452a0052bc67a5fb4f29  corporate/4.0/i586/kernel-doc-
 02edfc1bbb2bd826c4a9152d670cc2cc  corporate/4.0/i586/kernel-i586-up-1GB-
 88b0876de92beff866bb91ba57be0a70  corporate/4.0/i586/kernel-i686-up-4GB-
 e813926dc184e911deb62a1e34cff8ed  corporate/4.0/i586/kernel-smp-
 a8011ebbe529551463f87cc22f3da22f  corporate/4.0/i586/kernel-source-
 813ba955a1e9b5ff9834aeebbe477a93  corporate/4.0/i586/kernel-source-stripped-
 be08ad30fbc3988f654c1532e73fc330  corporate/4.0/i586/kernel-xbox-
 5894ac0216cf38203d2002a19db70c15  corporate/4.0/i586/kernel-xen0-
 62d5b93083df571edbf8785bc754dd6e  corporate/4.0/i586/kernel-xenU- 
 423fe3296a56ff845fd643890663cdee  corporate/4.0/SRPMS/kernel-

 Corporate 4.0/X86_64:
 a51bd78ce00e65f7521625c8c67605f0  corporate/4.0/x86_64/kernel-
 8d407ed81be714537c2c957918cedfed  corporate/4.0/x86_64/kernel-BOOT-
 730c0bae9b443e5f9d8cb3c8a3486488  corporate/4.0/x86_64/kernel-doc-
 06391bd475945e8a8b76dcb33989fc83  corporate/4.0/x86_64/kernel-smp-
 bc9c9a881f18b5c2f892684aaeee84cf  corporate/4.0/x86_64/kernel-source-
 b0240b751985babe1aabda9c9e231a92  corporate/4.0/x86_64/kernel-source-stripped-
 b1b4750de7daf9cb12ed0057a8851f32  corporate/4.0/x86_64/kernel-xen0-
 915a8eb87a9fc0c0deab5e696f27c59b  corporate/4.0/x86_64/kernel-xenU- 
 423fe3296a56ff845fd643890663cdee  corporate/4.0/SRPMS/kernel-

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:


 If you want to report vulnerabilities, please contact


 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
Version: GnuPG v1.4.7 (GNU/Linux)


Copyright © 1995-2018 LinuxRocket.net. All rights reserved.