-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:150 http://www.mandriva.com/security/ _______________________________________________________________________ Package : kernel Date : August 25, 2006 Affected: Corporate 3.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel: Prior to 2.6.15.5, the kerenl allowed local users to obtain sensitive information via a crafted XFS ftruncate call (CVE-2006-0554). Prior to 2.6.15.5, the kernel did not properly handle uncanonical return addresses on Intel EM64T CPUs causing the kernel exception handler to run on the user stack with the wrong GS (CVE-2006-0744). ip_conntrack_core.c in the 2.6 kernel, and possibly nf_conntrack_l3proto_ipv4.c did not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which could allow local users to obtain portions of potentially sensitive memory (CVE-2006-1343). Prior to 2.6.16.17, the a buffer overflow in SCTP in the kernel allowed remote attackers to cause a Denial of Service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk (CVE-2006-1857). Prior to 2.6.16.17, SCTP in the kernel allowed remote attackers to cause a DoS (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters (CVE-2006-1858). Prior to 2.6.16, a directory traversal vulnerability in CIFS could allow a local user to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences (CVE-2006-1863). Prior to 2.6.16, a directory traversal vulnerability in smbfs could allow a local user to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences (CVE-2006-1864). Prior to 2.6.17, Linux SCTP allowed a remote attacker to cause a DoS (infinite recursion and crash) via a packet that contains two or more DATA fragments, which caused an skb pointer to refer back to itself when the full message is reassembled, leading to an infinite recursion in the sctp_skb_pull function (CVE-2006-2274). The dvd_read_bca function in the DVD handling code assigns the wrong value to a length variable, which could allow local users to execute arbitrary code via a crafted USB storage device that triggers a buffer overflow (CVE-2006-2935). Prior to 2.6.17, the ftdi_sio driver could allow local users to cause a DoS (memory consumption) by writing more data to the serial port than the hardware can handle, causing the data to be queued (CVE-2006-2936). The 2.6 kernel, when using both NFS and EXT3, allowed remote attackers to cause a DoS (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), triggering an error and causing an exported directory to be remounted read-only (CVE-2006-3468). The 2.6 kernel's SCTP was found to cause system crashes and allow for the possibility of local privilege escalation due to a bug in the get_user_iov_size() function that doesn't properly handle overflow when calculating the length of iovec (CVE-2006-3745). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0554 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0744 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1857 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1858 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1863 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2274 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2935 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2936 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3745 _______________________________________________________________________ Updated Packages: Corporate 3.0: 9d14c43145beafb4e63fe8cae758d0f6 corporate/3.0/RPMS/kernel-2.6.3.35mdk-1-1mdk.i586.rpm e7331f51ed5cf4edee33efcb01f49243 corporate/3.0/RPMS/kernel-BOOT-2.6.3.35mdk-1-1mdk.i586.rpm dcb027450192d7d73f407f30d3e3e852 corporate/3.0/RPMS/kernel-enterprise-2.6.3.35mdk-1-1mdk.i586.rpm 59f29ace5cc862c84cace5d046d6302e corporate/3.0/RPMS/kernel-i686-up-4GB-2.6.3.35mdk-1-1mdk.i586.rpm 6b062c5059587a927f31fea04fb91a3a corporate/3.0/RPMS/kernel-p3-smp-64GB-2.6.3.35mdk-1-1mdk.i586.rpm 744287198a20913bd38b1c1d37a68bd2 corporate/3.0/RPMS/kernel-secure-2.6.3.35mdk-1-1mdk.i586.rpm 17780ad90f4989615baab5f115074f8a corporate/3.0/RPMS/kernel-smp-2.6.3.35mdk-1-1mdk.i586.rpm 4555bac09b7ce50d83b97c47af0b2724 corporate/3.0/RPMS/kernel-source-2.6.3-35mdk.i586.rpm 7165754462cdfcd92c894f56623bc8b0 corporate/3.0/RPMS/kernel-source-stripped-2.6.3-35mdk.i586.rpm e59db387f0642f5293dc60283832557b corporate/3.0/SRPMS/kernel-2.6.3.35mdk-1-1mdk.src.rpm Corporate 3.0/X86_64: 918a70fe836d900b217f442b5208c779 x86_64/corporate/3.0/RPMS/kernel-2.6.3.35mdk-1-1mdk.x86_64.rpm dd1ea77b15bd07c75f5ab7caf00dbde0 x86_64/corporate/3.0/RPMS/kernel-BOOT-2.6.3.35mdk-1-1mdk.x86_64.rpm c8964849f4142c2c51c3ddd298513753 x86_64/corporate/3.0/RPMS/kernel-secure-2.6.3.35mdk-1-1mdk.x86_64.rpm 7a98664c4ba5f0d50a500c1158a8fb08 x86_64/corporate/3.0/RPMS/kernel-smp-2.6.3.35mdk-1-1mdk.x86_64.rpm 3c4d5ca4f7a1a91d99fc182e499c9e76 x86_64/corporate/3.0/RPMS/kernel-source-2.6.3-35mdk.x86_64.rpm a25c6705ba2b70c85c1c86e68cb0d3cd x86_64/corporate/3.0/RPMS/kernel-source-stripped-2.6.3-35mdk.x86_64.rpm e59db387f0642f5293dc60283832557b x86_64/corporate/3.0/SRPMS/kernel-2.6.3.35mdk-1-1mdk.src.rpm Multi Network Firewall 2.0: 5cab4be7c19a67689f33f01de208879e mnf/2.0/RPMS/kernel-2.6.3.35mdk-1-1mdk.i586.rpm ee1db88c9010b3a1af0f5ea93ce86505 mnf/2.0/RPMS/kernel-i686-up-4GB-2.6.3.35mdk-1-1mdk.i586.rpm 0e3618eec1dcb5bca817ecec7e912836 mnf/2.0/RPMS/kernel-p3-smp-64GB-2.6.3.35mdk-1-1mdk.i586.rpm ded09245567203340c86b3ddacf21b3a mnf/2.0/RPMS/kernel-secure-2.6.3.35mdk-1-1mdk.i586.rpm 7efdc84f2748f1c2237a72ef94d90b31 mnf/2.0/RPMS/kernel-smp-2.6.3.35mdk-1-1mdk.i586.rpm d12744fdab6bf6606ed13fae69b51f50 mnf/2.0/SRPMS/kernel-2.6.3.35mdk-1-1mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFE7xa9mqjQ0CJFipgRAsAAAKC/kOcYUfcUldfx8MGy87CHigyjSgCeJ/43 JsyWup/H/+NRqjHU1SGHaGc= =8KyZ -----END PGP SIGNATURE-----