RHSA-2010:0474: Important: kernel security and bug fix update
First published: Tue Jun 15 2010(Updated: )
The kernel packages contain the Linux kernel, the core of any Linux<br>operating system.<br>Security fixes:<br><li> a NULL pointer dereference flaw was found in the Linux kernel NFSv4</li> implementation. Several of the NFSv4 file locking functions failed to check<br>whether a file had been opened on the server before performing locking<br>operations on it. A local, unprivileged user on a system with an NFSv4<br>share mounted could possibly use this flaw to cause a kernel panic (denial<br>of service) or escalate their privileges. (CVE-2009-3726, Important)<br><li> a flaw was found in the sctp_process_unk_param() function in the Linux</li> kernel Stream Control Transmission Protocol (SCTP) implementation. A remote<br>attacker could send a specially-crafted SCTP packet to an SCTP listening<br>port on a target system, causing a kernel panic (denial of service).<br>(CVE-2010-1173, Important)<br><li> a race condition between finding a keyring by name and destroying a freed</li> keyring was found in the Linux kernel key management facility. A local,<br>unprivileged user could use this flaw to cause a kernel panic (denial of<br>service) or escalate their privileges. (CVE-2010-1437, Important)<br>Red Hat would like to thank Simon Vallet for responsibly reporting<br>CVE-2009-3726; and Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia<br>Siemens Networks, and Wind River on behalf of their customer, for<br>responsibly reporting CVE-2010-1173.<br>Bug fixes:<br><li> RHBA-2007:0791 introduced a regression in the Journaling Block Device</li> (JBD). Under certain circumstances, removing a large file (such as 300 MB<br>or more) did not result in inactive memory being freed, leading to the<br>system having a large amount of inactive memory. Now, the memory is<br>correctly freed. (BZ#589155)<br><li> the timer_interrupt() routine did not scale lost real ticks to logical</li> ticks correctly, possibly causing time drift for 64-bit Red Hat Enterprise<br>Linux 4 KVM (Kernel-based Virtual Machine) guests that were booted with the<br>"divider=x" kernel parameter set to a value greater than 1. "warning: many<br>lost ticks" messages may have been logged on the affected guest systems.<br>(BZ#590551)<br><li> a bug could have prevented NFSv3 clients from having the most up-to-date</li> file attributes for files on a given NFSv3 file system. In cases where a<br>file type changed, such as if a file was removed and replaced with a<br>directory of the same name, the NFSv3 client may not have noticed this<br>change until stat(2) was called (for example, by running "ls -l").<br>(BZ#596372)<br><li> RHBA-2007:0791 introduced bugs in the Linux kernel PCI-X subsystem. These</li> could have caused a system deadlock on some systems where the BIOS set the<br>default Maximum Memory Read Byte Count (MMRBC) to 4096, and that also use<br>the Intel PRO/1000 Linux driver, e1000. Errors such as "e1000: eth[x]:<br>e1000_clean_tx_irq: Detected Tx Unit Hang" were logged. (BZ#596374)<br><li> an out of memory condition in a KVM guest, using the virtio-net network</li> driver and also under heavy network stress, could have resulted in<br>that guest being unable to receive network traffic. Users had to manually<br>remove and re-add the virtio_net module and restart the network service<br>before networking worked as expected. Such memory conditions no longer<br>prevent KVM guests receiving network traffic. (BZ#597310)<br><li> when an SFQ qdisc that limited the queue size to two packets was added to</li> a network interface, sending traffic through that interface resulted in a<br>kernel crash. Such a qdisc no longer results in a kernel crash. (BZ#597312)<br><li> when an NFS client opened a file with the O_TRUNC flag set, it received</li> a valid stateid, but did not use that stateid to perform the SETATTR call.<br>Such cases were rejected by Red Hat Enterprise Linux 4 NFS servers with an<br>"NFS4ERR_BAD_STATEID" error, possibly preventing some NFS clients from<br>writing files to an NFS file system. (BZ#597314)<br>Users should upgrade to these updated packages, which contain backported<br>patches to correct these issues. The system must be rebooted for this<br>update to take effect.<br>
| Affected Software | Affected Version | How to fix |
|---|
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529227
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=584645
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=585094
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=589155
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=590551
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=596372
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=596374
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=597310
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=597312
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=597314
- http://www.redhat.com/security/updates/classification/#important
- http://kbase.redhat.com/faq/docs/DOC-31052
- https://access.redhat.com/errata/RHSA-2010:0474 (Advisory)
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2010:0474
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness