First published: Tue Jan 18 2011
The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues:

* A heap overflow flaw was found in the Linux kernel's Transparent Inter-Process Communication protocol (TIPC) implementation. A local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3859, Important)
* Missing sanity checks were found in gdth_ioctl_alloc() in the gdth driver in the Linux kernel. A local user with access to "/dev/gdth" on a 64-bit system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2010-4157, Moderate)
* A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4242, Moderate)
* A flaw was found in the Linux kernel's garbage collector for AF_UNIX sockets. A local, unprivileged user could use this flaw to trigger a denial of service (out-of-memory condition). (CVE-2010-4249, Moderate)
* Missing initialization flaws were found in the Linux kernel. A local, unprivileged user could use these flaws to cause information leaks. (CVE-2010-3876, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4083, CVE-2010-4158, Low)

Red Hat would like to thank Alan Cox for reporting CVE-2010-4242; Vegard Nossum for reporting CVE-2010-4249; Vasiliy Kulikov for reporting CVE-2010-3876; Kees Cook for reporting CVE-2010-4072; and Dan Rosenberg for reporting CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4083, and CVE-2010-4158.

This update also fixes the following bugs:

* A flaw was found in the Linux kernel that, if used in conjunction with another flaw that can result in a kernel Oops, could possibly lead to privilege escalation. It does not affect Red Hat Enterprise Linux 4 as the sysctl panic_on_oops variable is turned on by default. However, as a preventive measure if the variable is turned off by an administrator, this update addresses the issue. Red Hat would like to thank Nelson Elhage for reporting this vulnerability. (BZ#659568)
* On Intel I/O Controller Hub 9 (ICH9) hardware, jumbo frame support is achieved by using page-based sk_buff buffers without any packet split. The entire frame data is copied to the page(s) rather than some to the skb->data area and some to the page(s) when performing a typical packet-split. This caused problems with the filtering code and frames were getting dropped before they were received by listening applications. This bug could eventually lead to the IP address being released and not being able to be re-acquired from DHCP if the MTU (Maximum Transfer Unit) was changed (for an affected interface using the e1000e driver). With this update, frames are no longer dropped and an IP address is correctly re-acquired after a previous release. (BZ#664667)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
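The BZ#659568 item depends on the panic_on_oops sysctl staying enabled, so it is worth confirming both the running value and whatever is persisted for the next boot. The shell functions below are an added example, not part of the advisory; the function names, the OK/WARN/FAIL wording and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit kernel.panic_on_oops at runtime and in sysctl.conf.
# File paths are parameters so the functions can be pointed at test copies.

# Print the last value assigned to kernel.panic_on_oops in a sysctl.conf-style
# file, or "unset" when the file is missing or has no such assignment.
persisted_panic_on_oops() {
    conf="${1:-/etc/sysctl.conf}"
    [ -r "$conf" ] || { echo unset; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "kernel.panic_on_oops") {
                val = $2; gsub(/[ \t]/, "", val); found = 1   # later lines win
            }
        }
        END { print (found ? val : "unset") }
    ' "$conf"
}

# Print the value the running kernel is using, or "unknown" if unreadable.
runtime_panic_on_oops() {
    proc="${1:-/proc/sys/kernel/panic_on_oops}"
    if [ -r "$proc" ]; then cat "$proc"; else echo unknown; fi
}

# Return 0 when an Oops panics the kernel now and nothing persisted turns that
# off, 1 when it is off (or unknown) now, 2 when a persisted 0 would turn it
# off the next time sysctl.conf is applied.
audit_panic_on_oops() {
    persisted=$(persisted_panic_on_oops "$1")
    runtime=$(runtime_panic_on_oops "$2")
    if [ "$runtime" != 1 ]; then
        echo "FAIL runtime=$runtime persisted=$persisted"
        return 1
    fi
    if [ "$persisted" = 0 ]; then
        echo "WARN runtime=1 persisted=0"
        return 2
    fi
    echo "OK runtime=1 persisted=$persisted"
    return 0
}

# Usage on a live host (default paths): audit_panic_on_oops
```

A WARN or FAIL result means the host relies on the updated kernel packages, not the sysctl default, for the BZ#659568 fix.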