[UCI-Linux] [SECURITY] Fedora Core 2 Update: kernel-2.6.9-1.11_FC2

Mike Iglesias IGLESIAS at uci.edu
Tue Jan 4 07:54:40 PST 2005

From: Dave Jones <davej at redhat.com>
To: fedora-announce-list at redhat.com
Date: Mon, 3 Jan 2005 23:27:03 -0500
Subject: [SECURITY] Fedora Core 2 Update: kernel-2.6.9-1.11_FC2

Fedora Update Notification

Product     : Fedora Core 2
Name        : kernel
Version     : 2.6.9
Release     : 1.11_FC2
Summary     : The Linux kernel (the core of the Linux operating system)
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system.  The kernel handles the basic functions
of the operating system:  memory allocation, process allocation, device
input and output, etc.

A large change over previous kernels has been made. The 4G:4G memory
split patch has been dropped, and Fedora kernels now revert back to
the upstream 3G:1G kernel/userspace split.

A number of security fixes are present in this update.

  Paul Starzetz discovered a buffer overflow vulnerability in the "__scm_send"
  function which handles the sending of UDP network packets. A wrong validity
  check of the cmsghdr structure allowed a local attacker to modify kernel
  memory, thus causing an endless loop (Denial of Service) or possibly even
  root privilege escalation.

  Alan Cox reported two potential buffer overflows with the io_edgeport driver.

  A race condition was discovered in the handling of AF_UNIX network packets.
  This reportedly allowed local users to modify arbitrary kernel memory,
  facilitating privilege escalation, or possibly allowing code execution in the
  context of the kernel.

  Paul Starzetz discovered several flaws in the IGMP handling code. This
  allowed users to provoke a Denial of Service, read kernel memory, and execute
  arbitrary code with root privileges. This flaw is also exploitable remotely
  if an application has bound a multicast socket.

  Jeremy Fitzhardinge discovered two buffer overflows in the sys32_ni_syscall()
  and sys32_vm86_warning() functions. This could possibly be exploited to
  overwrite kernel memory with attacker-supplied code and cause root privilege

- Fix memory leak in ip_conntrack_ftp (local DoS)
- Do not leak IP options. (local DoS)
- fix missing security_*() check in net/compat.c
- ia64/x86_64/s390 overlapping vma fix
- Fix bugs with SOCK_SEQPACKET AF_UNIX sockets
- Make sure VC resizing fits in s16.
  Georgi Guninski reported a buffer overflow with vc_resize().
- Clear ebp on sysenter return.
  A small information leak was found by Brad Spengler.


* Sat Jan 01 2005 Dave Jones <davej at redhat.com>
- Fix probing of vesafb. (#125890)
- Enable PCILynx driver. (#142173)

* Fri Dec 31 2004 Dave Jones <davej at redhat.com>
- Drop 4g/4g patch completely.

* Tue Dec 28 2004 Dave Jones <davej at redhat.com>
- Drop bogus ethernet slab cache.

* Thu Dec 23 2004 Dave Jones <davej at redhat.com>
- Fix bio error propagation.
- Clear ebp on sysenter return.
- Extra debugging info on OOM kill.
- exit() race fix.
- Fix refcounting order in sd/sr, fixing cable pulls on USB storage.
- IGMP source filter fixes.
- Fix ext2/3 leak on umount.
- fix missing wakeup in ipc/sem
- Fix another tux corner case bug.

* Wed Dec 22 2004 Dave Jones <davej at redhat.com>
- Add another ipod to the unusual usb devices list. (#142779)

* Tue Dec 21 2004 Dave Jones <davej at redhat.com>
- Fix two silly bugs in the AGP posting fixes.

* Thu Dec 16 2004 Dave Jones <davej at redhat.com>
- Better version of the PCI Posting fixes for agpgart.
- Add missing cache flush to the AGP code.

* Sun Dec 12 2004 Dave Jones <davej at redhat.com>
- fix false ECHILD result from wait* with zombie group leader.

* Sat Dec 11 2004 Dave Jones <davej at redhat.com>
- Workaround broken pci posting in AGPGART.
- Make sure VC resizing fits in s16.

* Fri Dec 10 2004 Dave Jones <davej at redhat.com>
- Prevent block device queues from being shared in viocd. (#139018)
- Libata updates. (#132848, #138405)
- aacraid: remove aac_handle_aif (#135527)
- fix uninitialized variable in waitid(2). (#142505)
- Fix CMSG validation checks wrt. signedness.
- Fix memory leak in ip_conntrack_ftp
- [IPV4]: Do not leak IP options.
- ppc64: Align PACA buffer for hypervisor's use. (#141817)
- ppc64: Indicate that the veth link is always up. (#135402)
- ppc64: Quiesce OpenFirmware stdin device at boot. (#142009)
- SELinux: Fix avc_node_update oops. (#142353)
- Fix CCISS ioctl return code.
- Make ppc64's pci_alloc_consistent() conform to documentation. (#140047)
- Disable tiglusb module. (#142102)
- E1000 64k-alignment fix. (#140047)
- Disable tiglusb module. (#142102)
- ID updates for cciss driver.
- Fix overflows in USB Edgeport-IO driver. (#142258)
- Fix wrong TASK_SIZE for 32bit processes on x86-64. (#141737)
- Fix ext2/ext3 xattr/mbcache race. (#138951)
- Fix bug where __getblk_slow can loop forever when pages are partially mapped. (#140424)
- Add missing cache flushes in agpgart code.

* Wed Dec 08 2004 Dave Jones <davej at redhat.com>
- Enable EDD
- Enable ETH1394. (#138497)
- Workaround E1000 post-maturely writing back to TX descriptors. (#133261)
- Fix the previous E1000 errata workaround.
- Several IDE fixes from 2.6.9-ac
- vm pageout throttling. (#133858)
- Fix Tux from oopsing. (#140918)
- Fix Tux/SELinux incompatibility (#140916)
- Fix Tux/IPV6 problem. (#140916)
- ide: Fix possible oops on boot.
- Make spinlock debugging panic instead of printk.
- Update Emulex lpfc driver to 8.0.16
- Selected patches from 2.6.9-ac12
- ppc64: Fix inability to find space for TCE table (#138844)
- Fix compat fcntl F_GETLK{,64} (#141680)
- blkdev_get_blocks(): handle eof
- Another card reader for the whitelist. (#134094)

* Sat Dec 04 2004 Dave Jones <davej at redhat.com>
- Enable both old and new megaraid drivers.
- Add yet another card reader to usb scsi whitelist. (#141367)
- Fix oops in conntrack on rmmod.

* Fri Dec 03 2004 Dave Jones <davej at redhat.com>
- Pull in bits of -ac12
  Should fix the smbfs & visor issues among others.

* Thu Dec 02 2004 Dave Jones <davej at redhat.com>
- Drop the futex debug patch, it served its purpose.
- XFRM layer bug fixes
- ppc64: Convert to using ibm,read-slot-reset-state2 RTAS call
- ide: Make CSB6 driver support configurations.
- ide: Handle early EOF on CDs.
- Fix sx8 device naming in sysfs
- e100/e1000: return -EINVAL when setting rx-mini or rx-jumbo. (#140793)

* Wed Dec 01 2004 Dave Jones <davej at redhat.com>
- Disable 4G/4G for i686.
- Workaround for the E1000 erratum 23 (#140047)
- Remove bogus futex warning. (#138179)
- x86_64: Fix lost edge triggered irqs on UP kernel.
- x86_64: Reenable DRI for MGA.
- Workaround E1000 post-maturely writing back to TX descriptors (#133261)
- 3c59x: add EEPROM_RESET for 3c900 Boomerang
- Fix buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
- ext3: improves ext3's error logging when we encounter an on-disk corruption.
- ext3: improves ext3's ability to deal with corruption on-disk
- ext3: Handle double-delete of indirect blocks.
- Disable SCB2 flash driver for RHEL4. (#141142)

* Tue Nov 30 2004 Dave Jones <davej at redhat.com>
- x86_64: add an option to configure oops stack dump
- x86[64]: display phys_proc_id only when it is initialized
- x86_64: no TIOCSBRK/TIOCCBRK in ia32 emulation
- via-rhine: references __init code during resume
- Add barriers to generic timer code to prevent race. (#128242)
- ppc64: Add PURR and version data to /proc/ppc64/lparcfg
- Prevent xtime value becoming incorrect.
- scsi: return full SCSI status byte in SG_IO
- Fix show_trace() in irq context with CONFIG_4KSTACKS
- Adjust alignment of pagevec structure.
- md: make sure md always uses rdev_dec_pending properly.
- Make proc_pid_status not dereference dead task structs.
- sg: Fix oops of sg_cmd_done and sg_release race (#140648)
- fix bad segment coalescing in blk_recalc_rq_segments()
- fix missing security_*() check in net/compat.c
- ia64/x86_64/s390 overlapping vma fix
- Update Emulex lpfc to 8.0.15

* Mon Nov 29 2004 Dave Jones <davej at redhat.com>
- Add another card reader to whitelist. (#141022)
- Fix possible hang in do_wait() (#140042)
- Fix ps showing wrong ppid. (#132030)
- Print advice to use -hugemem if >=16GB of memory is detected.
- Enable ICOM serial driver. (#136150)
- Enable acpi hotplug driver for IA64.
- SCSI: fix USB forced remove oops.
- ia64: add missing sn2 timer mask in time_interpolator code. (#140580)
- ia64: Fix hang reading /proc/pal/cpu0/tr_info (#139571)
- ia64: bump number of UARTS. (#139100)
- Fix ACPI debug level (#141292)
- Make EDD runtime configurable, and reenable.
- ppc64: IBM VSCSI driver race fix. (#138725)
- ppc64: Ensure PPC64 interrupts don't end up hard-disabled. (#139020, #131590)
- ppc64: Yet more sigsuspend/singlestep fixing. (#140102, #137931)
- x86-64: Implement ACPI based reset mechanism. (#139104)
- Backport 2.6.10rc sysfs changes needed for IBM hotplug driver. (#140372)
- Update Emulex lpfc driver to v8.0.14
- Optimize away the unconditional write to debug registers on signal delivery path.
- Fix up scsi_test_unit_ready() to work correctly with CD-ROMs.
- md: fix two little bugs in raid10
- Remove incorrect ELF check from module loading. (#140954)
- Plug leaks in error paths of aic driver.
- Add refcounting to scsi command allocation.
- Taint oopses on machine checks, bad_page()'s calls and forced rmmod's.
- Share Intel cache descriptors between x86 & x86-64.
- rx checksum support for gige nForce ethernet
- vm: vm_dirty_ratio initialisation fix

* Mon Nov 29 2004 Soeren Sandmann <sandmann at redhat.com>
- Build FC-3 kernel in RHEL build root

* Sun Nov 28 2004 Dave Jones <davej at redhat.com>
- Move 4g/4g kernel into -hugemem.

* Sat Nov 27 2004 Dave Jones <davej at redhat.com>
- Recognise Shuttle SN85G4 card reader. (#139163)

* Tue Nov 23 2004 Dave Jones <davej at redhat.com>
- Add futex debug patch.

* Mon Nov 22 2004 Dave Jones <davej at redhat.com>
- Update -ac patch to 2.6.9-ac11
- make tulip_stop_rxtx() wait for DMA to fully stop. (#138240)
- ACPI: Make LEqual less strict about operand types matching.
- scsi: avoid extra 'put' on devices in __scsi_iterate_device() (#138135)
- Fix bugs with SOCK_SEQPACKET AF_UNIX sockets
- Reenable token ring drivers. (#119345)
- SELinux: Map Unix seqpacket sockets to appropriate security class
- SELinux: destroy avtab node cache in policy load error path.
- AF_UNIX: Serialize dgram read using semaphore just like stream.
- lockd: NLM blocks locks don't sleep
- NFS lock recovery fixes
- Add more MODULE_VERSION tags (#136403)
- Update qlogic driver to 2.6.10rc2 level.
- cciss: fixes for clustering
- ieee802.11 update.
- ipw2100: update to ver 1.0.0
- ipw2200: update to ver 1.0.0
- Enable promisc mode on ipw2100
- 3c59x: reload EEPROM values at rmmod for needy cards
- ppc64: Prevent sigsuspend stomping on r4 and r5
- ppc64: Alternative single-step fix.
- fix for recursive netdump oops on x86_64
- ia64: Fix IRQ routing fix when booted with maxcpus=  (#138236)
- ia64: search the iommu for the correct size
- Deal with fraglists correctly on ipv4/ipv6 output
- Various statm accounting fixes (#139447)
- Reenable CMM /proc interface for s390 (#137397)

* Fri Nov 19 2004 Dave Jones <davej at redhat.com>
- e100: fix improper enabling of interrupts. (#139706)
- autofs4: allow map update recognition
- Various TCP fixes from 2.6.10rc
- Various netlink fixes from 2.6.10rc
- [IPV4]: Do not try to unhash null-netdev nexthops.
- ppc64: Make NUMA map CPU->node before bringing up the CPU (#128063)
- ppc64: sched domains / cpu hotplug cleanup. (#128063)
- ppc64: Add a CPU_DOWN_PREPARE hotplug CPU notifier (#128063)
- ppc64: Register a cpu hotplug notifier to reinitialize the
  scheduler domains hierarchy (#128063)
- ppc64: Introduce CPU_DOWN_FAILED notifier (#128063)
- ppc64: Make arch_destroy_sched_domains() conditional (#128063)
- ppc64: Use CPU_DOWN_FAILED notifier in the sched-domains hotplug code (#128063)
- Various updates to the SCSI midlayer from 2.6.10rc.
- vlan_dev: return 0 on vlan_dev_change_mtu success. (#139760)
- Update Emulex lpfc driver to v8013
- Fix problem with b44 driver and 4g/4g patch. (#118165)
- Prevent oops when loading aic79xx on machine without hardware. (#125982)
- Use correct spinlock functions in token ring net code. (#135462)
- scsi: Add reset ioctl capability to ULDs
- scsi: update ips driver to 7.10.18
- Reenable ACPI hotplug driver. (#139976, #140130, #132691)

This update can be downloaded from:

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.

fedora-announce-list mailing list
fedora-announce-list at redhat.com
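
The advisory attributes the "__scm_send" flaw to a wrong validity check of the cmsghdr structure, and the changelog lists "Fix CMSG validation checks wrt. signedness". The following user-space sketch of that bug class is an added example, not the kernel's code or the Fedora patch; `struct demo_cmsg`, the function names and the sample buffer are constructed for illustration, and the flawed check assumes the usual two's-complement conversion.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical header modelled on cmsghdr; not the kernel's definition. */
struct demo_cmsg { uint32_t len; int32_t level; int32_t type; };

/* Flawed: the upper bound is tested in signed arithmetic, so a length with
 * the top bit set turns negative and never exceeds the space left. */
static int cmsg_ok_flawed(const struct demo_cmsg *c, size_t left)
{
    if (c->len < sizeof(*c))
        return 0;
    return (int32_t)c->len <= (int32_t)left;
}

/* Corrected: both bounds are tested on unsigned values. */
static int cmsg_ok_fixed(const struct demo_cmsg *c, size_t left)
{
    return c->len >= sizeof(*c) && c->len <= left;
}

/* Walk a control buffer: messages accepted, or -1 on the first rejection. */
static int walk_control(const unsigned char *buf, size_t buflen,
                        int (*ok)(const struct demo_cmsg *, size_t))
{
    size_t off = 0;
    int n = 0;
    while (buflen - off >= sizeof(struct demo_cmsg)) {
        struct demo_cmsg c;
        memcpy(&c, buf + off, sizeof(c));   /* copy out: avoids unaligned reads */
        if (!ok(&c, buflen - off))
            return -1;
        n++;
        if (c.len > buflen - off)   /* demo guard: never step outside buf */
            break;
        off += c.len;
    }
    return n;
}

/* Constructed sample: a valid 16-byte message, then len = 0xFFFFFFF0. */
static size_t build_sample(unsigned char buf[32])
{
    struct demo_cmsg good = { 16, 1, 1 }, bad = { 0xFFFFFFF0u, 1, 1 };
    memset(buf, 0, 32);
    memcpy(buf, &good, sizeof(good));
    memcpy(buf + 16, &bad, sizeof(bad));
    return 28;
}
```

With the constructed buffer, the flawed checker accepts both headers, while the corrected one rejects the second.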
