ID CVE-2007-2525
Summary Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel before 2.6.21-git8 allows local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized.
References
Vulnerable Configurations
  • Linux Kernel 2.6.21 git7
    cpe:2.3:o:linux:linux_kernel:2.6.21:git7
CVSS
Base: 4.9 (as of 10-05-2007 - 09:35)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4487.NASL
    description This kernel update fixes the following security problems : - CVE-2007-3105: Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wake-up threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. Since this value can only be changed by a root user, exploitability is low. - CVE-2007-2525: A memory leak in the PPPoE driver can be abused by local users to cause a denial-of-service condition. - CVE-2007-3851: On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. and the following non security bugs : - patches.arch/x86-fam10-mtrr: mtrr: fix size_or_mask and size_and_mask [#237736] - patches.fixes/usb_nokia6233_fix1.patch: usb: rndis_host: fix crash while probing a Nokia S60 mobile [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usbnet: init fault (oops) cleanup, whitespace fixes [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usb: unusual_devs.h entry for Nokia 6233 [#244459] - patches.fixes/bt_broadcom_reset.diff: quirky Broadcom device [#257303] - patches.arch/i386-compat-vdso: i386: allow debuggers to access the vsyscall page with compat vDSO [#258433] - - patches.fixes/anycast6-unbalanced-inet6_dev-refcnt.patch : Fix netdevice reference leak when reading from /proc/net/anycast6 [#285336] - - patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni ng-b etter: SCSI: throttle SG_DXFER_TO_FROM_DEV warning message better [#290117] - - patches.fixes/nf_conntrack_h323-out-of-bounds-index.diff : nf_conntrack_h323: add checking of out-of-range on choices' index values [#290611] - patches.fixes/ppc-fpu-corruption-fix.diff: ppc: fix corruption of fpu [#290622] - - patches.fixes/ppp-fix-osize-too-small-errors-when-decodi ng-m ppe.diff: ppp: Fix osize too small errors when decoding mppe [#291102] - patches.fixes/hugetlbfs-stack-grows-fix.patch: Don't allow the stack to grow into hugetlb reserved regions [#294021] - patches.fixes/pwc_dos.patch: fix a disconnect method waiting for user space to close a file. A malicious user can stall khubd indefinitely long [#302063] [#302194] - patches.suse/kdb.add-unwind-info-to-kdb_call: Add unwind info to kdb_call() to fix build of KDB kernel on i386 [#305209] - Updated config files: enable KDB for kernel-debug on i386. [#305209]
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27298
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27298
    title openSUSE 10 Security Update : kernel (kernel-4487)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0376.NASL
    description Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (CVE-2006-7203, Important). * a flaw in the PPP over Ethernet implementation that allowed a remote user to cause a denial of service (CVE-2007-2525, Important). * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak (CVE-2007-1353, Low). * a bug in the random number generator that prevented the manual seeding of the entropy pool (CVE-2007-2453, Low). In addition to the security issues described above, fixes for the following have been included : * a race condition between ext3_link/unlink that could create an orphan inode list corruption. * a bug in the e1000 driver that could lead to a watchdog timeout panic. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43642
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43642
    title CentOS 5 : kernel (CESA-2007:0376)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-510-1.NASL
    description A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513) Zhongling Wen discovered that the h323 conntrack handler did not correctly handle certain bitfields. A remote attacker could send a specially crafted packet and cause a denial of service. (CVE-2007-3642) A flaw was discovered in the CIFS mount security checking. Remote attackers could spoof CIFS network traffic, which could lead a client to trust the connection. (CVE-2007-3843) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28114
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28114
    title Ubuntu 7.04 : linux-source-2.6.20 vulnerabilities (USN-510-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20070625_KERNEL_ON_SL4_X.NASL
    description These new kernel packages contain fixes for the security issues described below : - a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) - a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) - a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) - a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) - a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) - a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) - a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) - a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) - a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : - the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. - the 32bit compatibility didn't return to userspace correct values for the rt_sigtimedwait system call. - the count for unused inodes could be incorrect at times, resulting in dirty data not being written to disk in a timely manner. - the cciss driver had an incorrect disk size calculation (off-by-one error) which prevented disk dumps. NOTE1: From The Upstream Vendors release notes 'During PCI probing, Red Hat Enterprise Linux 4 Update 5 attempts to use information obtained from MCFG (memory-mapped PCI configuration space). On AMD-systems, this type of access does not work on some buses, as the kernel cannot parse the MCFG table. To work around this, add the parameter pci=conf1 or pci=nommconf on the kernel boot line in /etc/grub.conf. For example : title Red Hat Enterprise Linux AS (2.6.9-42.0.2.EL) root (hd0,0) kernel /vmlinuz-2.6.9-42.0.2.EL ro root=/dev/VolGroup00/LogVol00 rhgb quiet pci=conf1 initrd /initrd-2.6.9-42.0.2.EL.img Doing this instructs the kernel to use PCI Conf1 access instead of MCFG-based access.' NOTE2: From The Upstream Vendors Knowledge Base 'Why did the ordering of my NIC devices change in Red Hat Enterprise Linux 4.5? The 2.6.9-55 version of the Red Hat Enterprise Linux 4 kernel (Update 5) reverts to the 2.4 ordering of network interface cards (NICs) on certain systems. Note that if the 'HWADDR=MAC ADDRESS' line is present in the /etc/sysconfig/network-scripts/ifcfg-ethX files, the NIC ordering will not change. To restore the original 2.6 ordering, which is different from the 2.4 ordering, boot with the option pci=nobfsort '
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60215
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60215
    title Scientific Linux Security Update : kernel on SL4.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-486-1.NASL
    description The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to a variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) A flaw was discovered in the IPv6 stack's handling of type 0 route headers. By sending a specially crafted IPv6 packet, a remote attacker could cause a denial of service between two IPv6 hosts. (CVE-2007-2242) The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453) A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28087
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28087
    title Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-486-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1504.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6058 LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. - CVE-2006-7203 OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3105 The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to effect default Debian installations where only root has sufficient privileges to exploit it. - CVE-2007-3739 Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. - CVE-2007-3740 Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process' umask which may lead to unintentionally relaxed permissions. - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-4133 Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs. A misconversion of hugetlb_vmtruncate_list to prio_tree may allow local users to trigger a BUG_ON() call in exit_mmap. - CVE-2007-4308 Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges. - CVE-2007-4573 Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour. - CVE-2007-5093 Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf. - CVE-2007-6063 Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl handling, exploitable by a local user. - CVE-2007-6151 ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. - CVE-2007-6206 Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. - CVE-2007-6694 Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). - CVE-2008-0007 Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 3.1 (sarge) kernel-image-2.6.8-alpha 2.6.8-17sarge1 kernel-image-2.6.8-amd64 2.6.8-17sarge1 kernel-image-2.6.8-hppa 2.6.8-7sarge1 kernel-image-2.6.8-i386 2.6.8-17sarge1 kernel-image-2.6.8-ia64 2.6.8-15sarge1 kernel-image-2.6.8-m68k 2.6.8-5sarge1 kernel-image-2.6.8-s390 2.6.8-6sarge1 kernel-image-2.6.8-sparc 2.6.8-16sarge1 kernel-patch-powerpc-2.6.8 2.6.8-13sarge1 fai-kernels 1.9.1sarge8
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 31148
    published 2008-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31148
    title Debian DSA-1504-1 : kernel-source-2.6.8 - several vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0376.NASL
    description From Red Hat Security Advisory 2007:0376 : Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (CVE-2006-7203, Important). * a flaw in the PPP over Ethernet implementation that allowed a remote user to cause a denial of service (CVE-2007-2525, Important). * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak (CVE-2007-1353, Low). * a bug in the random number generator that prevented the manual seeding of the entropy pool (CVE-2007-2453, Low). In addition to the security issues described above, fixes for the following have been included : * a race condition between ext3_link/unlink that could create an orphan inode list corruption. * a bug in the e1000 driver that could lead to a watchdog timeout panic. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67502
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67502
    title Oracle Linux 5 : kernel (ELSA-2007-0376)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1503.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-2731 infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code. - CVE-2006-4814 Doug Chapman discovered a potential local DoS (deadlock) in the mincore function caused by improper lock handling. - CVE-2006-5753 Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad. - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6053 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6106 Marcel Holtman discovered multiple buffer overflows in the Bluetooth subsystem which can be used to trigger a remote DoS (crash) and potentially execute arbitrary code. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-1592 Masayuki Nakagawa discovered that flow labels were inadvertently being shared between listening sockets and child sockets. This defect can be exploited by local users to cause a DoS (Oops). - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-4308 Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges. - CVE-2007-4311 PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy. - CVE-2007-5093 Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf. - CVE-2007-6063 Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl handling, exploitable by a local user. - CVE-2007-6151 ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. - CVE-2007-6206 Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. - CVE-2007-6694 Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). - CVE-2008-0007 Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 3.1 (sarge) alsa-modules-i386 1.0.8+2sarge2 kernel-image-2.4.27-arm 2.4.27-2sarge6 kernel-image-2.4.27-m68k 2.4.27-3sarge6 kernel-image-speakup-i386 2.4.27-1.1sarge5 kernel-image-2.4.27-alpha 2.4.27-10sarge6 kernel-image-2.4.27-s390 2.4.27-2sarge6 kernel-image-2.4.27-sparc 2.4.27-9sarge6 kernel-image-2.4.27-i386 2.4.27-10sarge6 kernel-image-2.4.27-ia64 2.4.27-10sarge6 kernel-patch-2.4.27-mips 2.4.27-10.sarge4.040815-3 kernel-patch-powerpc-2.4.27 2.4.27-10sarge6 kernel-latest-2.4-alpha 101sarge3 kernel-latest-2.4-i386 101sarge2 kernel-latest-2.4-s390 2.4.27-1sarge2 kernel-latest-2.4-sparc 42sarge3 i2c 1:2.9.1-1sarge2 lm-sensors 1:2.9.1-1sarge4 mindi-kernel 2.4.27-2sarge5 pcmcia-modules-2.4.27-i386 3.2.5+2sarge2 hostap-modules-i386 1:0.3.7-1sarge3 systemimager 3.2.3-6sarge5
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 31147
    published 2008-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31147
    title Debian DSA-1503-1 : kernel-source-2.4.27 - several vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0488.NASL
    description From Red Hat Security Advisory 2007:0488 : Updated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn't return to userspace correct values for the rt_sigtimedwait system call. * the count for unused inodes could be incorrect at times, resulting in dirty data not being written to disk in a timely manner. * the cciss driver had an incorrect disk size calculation (off-by-one error) which prevented disk dumps. Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux kernel team for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67520
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67520
    title Oracle Linux 4 : kernel (ELSA-2007-0488)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4186.NASL
    description This kernel update fixes the following security problems : - The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. (CVE-2007-2242) The default is that RH0 is disabled now. To adjust this, write to the file /proc/net/accept_source_route6. - The random number feature in the Linux kernel 2.6 (1) did not properly seed pools when there is no entropy, or (2) used an incorrect cast when extracting entropy, which might have caused the random number generator to provide the same values after reboots on systems without an entropy source. (CVE-2007-2453) - A NULL pointer dereference in SCTP connection tracking could be caused by a remote attacker by sending specially crafted packets. Note that this requires SCTP set-up and active to be exploitable. (CVE-2007-2876) - Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. (CVE-2007-3105) Since this value can only be changed by a root user, exploitability is low. - The signal handling in the Linux kernel, when run on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency. (CVE-2007-3107) - Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized. (CVE-2007-2525) - The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel did not limit the amount of memory used by a caller, which allowed local users to cause a denial of service (memory consumption). (CVE-2007-3513) - A local attacker could send a death signal to a setuid root program under certain conditions, potentially causing unwanted behaviour in this program. (CVE-2007-3848) - On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. (CVE-2007-3851) - Fixed a denial of service possibility where a local attacker with access to a pwc camera device could hang the USB subsystem. [#302194] and the following non security bugs : - patches.arch/ppc-oprofile-970mp.patch: enable ppc64/970 MP, requires oprofile 0.9.3 [#252696] - patches.arch/x86_64-no-tsc-with-C3: don't use TSC on x86_64 Intel systems when CPU has C3 [#254061] - patches.arch/x86_64-hpet-lost-interrupts-fix.patch: backport x86_64 hpet lost interrupts code [#257035] - patches.fixes/fusion-nat-consumption-fix: handle a potential race in mptbase. This fixes a NaT consumption crash [#257412] - patches.arch/ia64-skip-clock-calibration: enabled [#259501] - patches.fixes/md-raid1-handle-read-error: Correctly handle read errors from a failed drive in raid1 [#261459] - patches.arch/ia64-fix-kdump-on-init: kdump on INIT needs multi-nodes sync-up (v.2) [#265764] - patches.arch/ia64-perfmon-fix-2: race condition between pfm_context_create and pfm_read [#268131] - patches.fixes/cpufreq_ppc_boot_option.patch: workaround for _PPC (BIOS cpufreq limitations) [#269579] - patches.arch/acpi_package_object_support.patch: ACPI package object as method parameter support (in AML) [#270956] - patches.fixes/ia64_cpufreq_PDC.patch: correctly assign as cpufreq capable driver (_PDC) to BIOS [#270973] - patches.arch/ia64-kdump-hpzx1-ioc-workaround: update to latest upstream version of the patch [#271158] - patches.suse/delayacct_memleak.patch: Fix delayacct memory leak [#271187] - patches.fixes/fc_transport-check-portstate-before-scan: check FC portstates before invoking target scan [#271338] - patches.fixes/unusual14cd.patch: quirk for 14cd:6600 [#274087] - patches.fixes/reiserfs-change_generation_on_update_sd.di ff: fix assertion failure in reiserfs [#274288] - patches.drivers/d-link-dge-530t-should-use-the-skge-driv er.patch: D-Link DGE-530T should use the skge driver [#275376] - patches.arch/ia64-dont-unwind-running-tasks.patch: Only unwind non-running tasks [#275854] - patches.fixes/dm-mpath-rdac-avt-support: short circuit RDAC hardware handler in AVT mode [#277834] - patches.fixes/lkcd-re-enable-valid_phys_addr_range: re-enable the valid_phys_addr_range() check [#279433] - patches.drivers/cciss-panic-on-reboot: when root filesystem is xfs the server cannot do a second reboot [#279436] Also resolves same issue in [#291759]. - patches.drivers/ide-hpt366-fix-302n-oops: fix hpt302n oops [#279705] - patches.fixes/serial-8250-backup-timer-2-deadlock-fix: fix possible deadlock [#280771] - patches.fixes/nfs-osync-error-return: ensure proper error return from O_SYNC writes [#280833] - patches.fixes/acpi_pci_hotplug_poweroff.patch: ACPI PCI hotplug driver acpiphp unable to power off PCI slot [#281234] - patches.drivers/pci-hotplug-acpiphp-remove-hot-plug-para meter-write-to-pci-host-bridge.patch: remove hot plug parameter write to PCI host bridge [#281239] - patches.fixes/scsi-set-correct-resid: Incorrect 'resid' field values when using a tape device [#281640] - patches.drivers/usb-edgeport-epic-support.patch: USB: add EPIC support to the io_edgeport driver [#281921] - patches.fixes/usb-hid-ncr-no-init-reports.patch: HID: Don't initialize reports for NCR devices [#281921] - patches.drivers/ppc-power6-ehea.patch: use decimal values in sysfs propery logical_port_id, fix panic when adding / removing logical eHEA ports [#283070] - patches.arch/ppc-power6-ebus.patch: DLPAR Adapter add/remove functionality for eHEA [#283239] - patches.fixes/nfs-enospc: Return ENOSPC and EDQUOT to NFS write requests more promptly [#284042] - patches.drivers/pci-hotplug-acpiphp-avoid-acpiphp-cannot -get-bridge-info-pci-hotplug-failure.patch: PCI: hotplug: acpiphp: avoid acpiphp 'cannot get bridge info' PCI hotplug failure [#286193] - patches.drivers/lpfc-8.1.10.9-update: lpfc update to 8.1.10.9 [#286223] - patches.fixes/make-swappiness-safer-to-use.patch: Handle low swappiness gracefully [#288799] - patches.arch/ppc-oprofile-power5plusplus.patch: oprofile support for Power 5++ [#289223] - patches.drivers/ppc-power6-ehea.patch: Fixed possible kernel panic on VLAN packet recv [#289301] - patches.fixes/igrab_should_check_for_i_clear.patch: igrab() should check for I_CLEAR [#289576] - patches.fixes/wait_for_sysfs_population.diff: Driver core: bus device event delay [#289964] - patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni ng-better: better throttling of SG_DXFER_TO_FROM_DEV warning messages [#290117] - patches.arch/mark-unwind-info-for-signal-trampolines-in- vdsos.patch: Mark unwind info for signal trampolines in vDSOs [#291421] - patches.fixes/hugetlbfs-stack-grows-fix.patch: don't allow the stack to grow into hugetlb reserved regions [#294021] - patches.drivers/alsa-post-sp1-hda-analog-update: add support of of missing AD codecs [#294471] - patches.drivers/alsa-post-sp1-hda-conexant-fixes: fix unterminated arrays [#294480] - patches.fixes/fix_hpet_init_race.patch: fix a race in HPET initialization on x86_64 resulting in a lockup on boot [#295115] - patches.drivers/alsa-post-sp1-hda-sigmatel-pin-fix: Fix number of pin widgets with STAC codecs [#295653] - patches.fixes/pci-pcieport-driver-remove-invalid-warning -message.patch: PCI: pcieport-driver: remove invalid warning message [#297135] [#298561] - patches.kernel.org/patch-2.6.16.NN-$((NN+1)), NN = 18,...,52: update to Kernel 2.6.16.53; lots of bugfixes [#298719] [#186582] [#186583] [#186584] - patches.fixes/ocfs2-1.2-svn-r3027.diff: proactive patch [#298845] - patches.drivers/b44-phy-fix: Fix frequent PHY resets under load on b44 [#301653] - dd patches.arch/ppc-eeh-node-status-okay.patch firmware returns 'okay' instead of 'ok' for node status [#301788]
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 59123
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59123
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4186)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0488.NASL
    description Updated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn't return to userspace correct values for the rt_sigtimedwait system call. * the count for unused inodes could be incorrect at times, resulting in dirty data not being written to disk in a timely manner. * the cciss driver had an incorrect disk size calculation (off-by-one error) which prevented disk dumps. Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux kernel team for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25605
    published 2007-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25605
    title RHEL 4 : kernel (RHSA-2007:0488)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1356.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2453 A couple of issues with random number generation were discovered. Slightly less random numbers resulted from hashing a subset of the available entropy. Zero-entropy systems were seeded with the same inputs at boot time, resulting in repeatable series of random numbers. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-2876 Vilmos Nebehaj discovered a NULL pointer dereference condition in the netfilter subsystem. This allows remote systems which communicate using the SCTP protocol to crash a system by creating a connection with an unknown chunk type. - CVE-2007-3513 Oliver Neukum reported an issue in the usblcd driver which, by not limiting the size of write buffers, permits local users with write access to trigger a DoS by consuming all available memory. - CVE-2007-3642 Zhongling Wen reported an issue in nf_conntrack_h323 where the lack of range checking may lead to NULL pointer dereferences. Remote attackers could exploit this to create a DoS condition (system crash). - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-3851 Dave Airlie reported that Intel 965 and above chipsets have relocated their batch buffer security bits. Local X server users may exploit this to write user data to arbitrary physical memory addresses. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch1. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 4.0 (etch) fai-kernels 1.17+etch4 user-mode-linux 2.6.18-1um-2etch3
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25909
    published 2007-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25909
    title Debian DSA-1356-1 : linux-2.6 - several vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-171.NASL
    description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The Linux kernel did not properly save or restore EFLAGS during a context switch, or reset the flags when creating new threads, which allowed local users to cause a denial of service (process crash) (CVE-2006-5755). The compat_sys_mount function in fs/compat.c allowed local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode (CVE-2006-7203). The nfnetlink_log function in netfilter allowed an attacker to cause a denial of service (crash) via unspecified vectors which would trigger a NULL pointer dereference (CVE-2007-1496). The nf_conntrack function in netfilter did not set nfctinfo during reassembly of fragmented packets, which left the default value as IP_CT_ESTABLISHED and could allow remote attackers to bypass certain rulesets using IPv6 fragments (CVE-2007-1497). The netlink functionality did not properly handle NETLINK_FIB_LOOKUP replies, which allowed a remote attacker to cause a denial of service (resource consumption) via unspecified vectors, probably related to infinite recursion (CVE-2007-1861). A typo in the Linux kernel caused RTA_MAX to be used as an array size instead of RTN_MAX, which lead to an out of bounds access by certain functions (CVE-2007-2172). The IPv6 protocol allowed remote attackers to cause a denial of service via crafted IPv6 type 0 route headers that create network amplification between two routers (CVE-2007-2242). The random number feature did not properly seed pools when there was no entropy, or used an incorrect cast when extracting entropy, which could cause the random number generator to provide the same values after reboots on systems without an entropy source (CVE-2007-2453). A memory leak in the PPPoE socket implementation allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized (CVE-2007-2525). An integer underflow in the cpuset_tasks_read function, when the cpuset filesystem is mounted, allowed local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file (CVE-2007-2875). The sctp_new function in netfilter allowed remote attackers to cause a denial of service by causing certain invalid states that triggered a NULL pointer dereference (CVE-2007-2876). In addition to these security fixes, other fixes have been included such as : - Fix crash on netfilter when nfnetlink_log is used on certain hooks on packets forwarded to or from a bridge - Fixed busy sleep on IPVS which caused high load averages - Fixed possible race condition on ext[34]_link - Fixed missing braces in condition block that led to wrong behaviour in NFS - Fixed XFS lock deallocation that resulted in oops when unmounting To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 25968
    published 2007-09-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25968
    title Mandrake Linux Security Advisory : kernel (MDKSA-2007:171)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0488.NASL
    description Updated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn't return to userspace correct values for the rt_sigtimedwait system call. * the count for unused inodes could be incorrect at times, resulting in dirty data not being written to disk in a timely manner. * the cciss driver had an incorrect disk size calculation (off-by-one error) which prevented disk dumps. Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux kernel team for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25575
    published 2007-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25575
    title CentOS 4 : kernel (CESA-2007:0488)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0376.NASL
    description Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (CVE-2006-7203, Important). * a flaw in the PPP over Ethernet implementation that allowed a remote user to cause a denial of service (CVE-2007-2525, Important). * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak (CVE-2007-1353, Low). * a bug in the random number generator that prevented the manual seeding of the entropy pool (CVE-2007-2453, Low). In addition to the security issues described above, fixes for the following have been included : * a race condition between ext3_link/unlink that could create an orphan inode list corruption. * a bug in the e1000 driver that could lead to a watchdog timeout panic. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25538
    published 2007-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25538
    title RHEL 5 : kernel (RHSA-2007:0376)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20070614_KERNEL_ON_SL5_X.NASL
    description a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (CVE-2006-7203, Important). a flaw in the PPP over Ethernet implementation that allowed a remote user to cause a denial of service (CVE-2007-2525, Important). a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak (CVE-2007-1353, Low). a bug in the random number generator that prevented the manual seeding of the entropy pool (CVE-2007-2453, Low). In addition to the security issues described above, fixes for the following have been included : - a race condition between ext3_link/unlink that could create an orphan inode list corruption. - a bug in the e1000 driver that could lead to a watchdog timeout panic.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60209
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60209
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-489-1.NASL
    description A flaw was discovered in dvb ULE decapsulation. A remote attacker could send a specially crafted message and cause a denial of service. (CVE-2006-4623) The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to an variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453) A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw was discovered in the cluster manager. A remote attacker could connect to the DLM port and block further DLM operations. (CVE-2007-3380) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28090
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28090
    title Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerability (USN-489-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4185.NASL
    description This kernel update fixes the following security problems : - The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. (CVE-2007-2242) The default is that RH0 is disabled now. To adjust this, write to the file /proc/net/accept_source_route6. - The random number feature in the Linux kernel 2.6 (1) did not properly seed pools when there is no entropy, or (2) used an incorrect cast when extracting entropy, which might have caused the random number generator to provide the same values after reboots on systems without an entropy source. (CVE-2007-2453) - A NULL pointer dereference in SCTP connection tracking could be caused by a remote attacker by sending specially crafted packets. Note that this requires SCTP set-up and active to be exploitable. (CVE-2007-2876) - Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. (CVE-2007-3105) Since this value can only be changed by a root user, exploitability is low. - The signal handling in the Linux kernel, when run on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency. (CVE-2007-3107) - Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized. (CVE-2007-2525) - The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel did not limit the amount of memory used by a caller, which allowed local users to cause a denial of service (memory consumption). (CVE-2007-3513) - A local attacker could send a death signal to a setuid root program under certain conditions, potentially causing unwanted behaviour in this program. (CVE-2007-3848) - On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. (CVE-2007-3851) - Fixed a denial of service possibility where a local attacker with access to a pwc camera device could hang the USB subsystem. [#302194] and the following non security bugs : - patches.arch/ppc-oprofile-970mp.patch: enable ppc64/970 MP, requires oprofile 0.9.3 [#252696] - patches.arch/x86_64-no-tsc-with-C3: don't use TSC on x86_64 Intel systems when CPU has C3 [#254061] - patches.arch/x86_64-hpet-lost-interrupts-fix.patch: backport x86_64 hpet lost interrupts code [#257035] - patches.fixes/fusion-nat-consumption-fix: handle a potential race in mptbase. This fixes a NaT consumption crash [#257412] - patches.arch/ia64-skip-clock-calibration: enabled [#259501] - patches.fixes/md-raid1-handle-read-error: Correctly handle read errors from a failed drive in raid1 [#261459] - patches.arch/ia64-fix-kdump-on-init: kdump on INIT needs multi-nodes sync-up (v.2) [#265764] - patches.arch/ia64-perfmon-fix-2: race condition between pfm_context_create and pfm_read [#268131] - patches.fixes/cpufreq_ppc_boot_option.patch: workaround for _PPC (BIOS cpufreq limitations) [#269579] - patches.arch/acpi_package_object_support.patch: ACPI package object as method parameter support (in AML) [#270956] - patches.fixes/ia64_cpufreq_PDC.patch: correctly assign as cpufreq capable driver (_PDC) to BIOS [#270973] - patches.arch/ia64-kdump-hpzx1-ioc-workaround: update to latest upstream version of the patch [#271158] - patches.suse/delayacct_memleak.patch: Fix delayacct memory leak [#271187] - patches.fixes/fc_transport-check-portstate-before-scan: check FC portstates before invoking target scan [#271338] - patches.fixes/unusual14cd.patch: quirk for 14cd:6600 [#274087] - patches.fixes/reiserfs-change_generation_on_update_sd.di ff: fix assertion failure in reiserfs [#274288] - patches.drivers/d-link-dge-530t-should-use-the-skge-driv er.patch: D-Link DGE-530T should use the skge driver [#275376] - patches.arch/ia64-dont-unwind-running-tasks.patch: Only unwind non-running tasks [#275854] - patches.fixes/dm-mpath-rdac-avt-support: short circuit RDAC hardware handler in AVT mode [#277834] - patches.fixes/lkcd-re-enable-valid_phys_addr_range: re-enable the valid_phys_addr_range() check [#279433] - patches.drivers/cciss-panic-on-reboot: when root filesystem is xfs the server cannot do a second reboot [#279436] Also resolves same issue in [#291759]. - patches.drivers/ide-hpt366-fix-302n-oops: fix hpt302n oops [#279705] - patches.fixes/serial-8250-backup-timer-2-deadlock-fix: fix possible deadlock [#280771] - patches.fixes/nfs-osync-error-return: ensure proper error return from O_SYNC writes [#280833] - patches.fixes/acpi_pci_hotplug_poweroff.patch: ACPI PCI hotplug driver acpiphp unable to power off PCI slot [#281234] - patches.drivers/pci-hotplug-acpiphp-remove-hot-plug-para meter-write-to-pci-host-bridge.patch: remove hot plug parameter write to PCI host bridge [#281239] - patches.fixes/scsi-set-correct-resid: Incorrect 'resid' field values when using a tape device [#281640] - patches.drivers/usb-edgeport-epic-support.patch: USB: add EPIC support to the io_edgeport driver [#281921] - patches.fixes/usb-hid-ncr-no-init-reports.patch: HID: Don't initialize reports for NCR devices [#281921] - patches.drivers/ppc-power6-ehea.patch: use decimal values in sysfs propery logical_port_id, fix panic when adding / removing logical eHEA ports [#283070] - patches.arch/ppc-power6-ebus.patch: DLPAR Adapter add/remove functionality for eHEA [#283239] - patches.fixes/nfs-enospc: Return ENOSPC and EDQUOT to NFS write requests more promptly [#284042] - patches.drivers/pci-hotplug-acpiphp-avoid-acpiphp-cannot -get-bridge-info-pci-hotplug-failure.patch: PCI: hotplug: acpiphp: avoid acpiphp 'cannot get bridge info' PCI hotplug failure [#286193] - patches.drivers/lpfc-8.1.10.9-update: lpfc update to 8.1.10.9 [#286223] - patches.fixes/make-swappiness-safer-to-use.patch: Handle low swappiness gracefully [#288799] - patches.arch/ppc-oprofile-power5plusplus.patch: oprofile support for Power 5++ [#289223] - patches.drivers/ppc-power6-ehea.patch: Fixed possible kernel panic on VLAN packet recv [#289301] - patches.fixes/igrab_should_check_for_i_clear.patch: igrab() should check for I_CLEAR [#289576] - patches.fixes/wait_for_sysfs_population.diff: Driver core: bus device event delay [#289964] - patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni ng-better: better throttling of SG_DXFER_TO_FROM_DEV warning messages [#290117] - patches.arch/mark-unwind-info-for-signal-trampolines-in- vdsos.patch: Mark unwind info for signal trampolines in vDSOs [#291421] - patches.fixes/hugetlbfs-stack-grows-fix.patch: don't allow the stack to grow into hugetlb reserved regions [#294021] - patches.drivers/alsa-post-sp1-hda-analog-update: add support of of missing AD codecs [#294471] - patches.drivers/alsa-post-sp1-hda-conexant-fixes: fix unterminated arrays [#294480] - patches.fixes/fix_hpet_init_race.patch: fix a race in HPET initialization on x86_64 resulting in a lockup on boot [#295115] - patches.drivers/alsa-post-sp1-hda-sigmatel-pin-fix: Fix number of pin widgets with STAC codecs [#295653] - patches.fixes/pci-pcieport-driver-remove-invalid-warning -message.patch: PCI: pcieport-driver: remove invalid warning message [#297135] [#298561] - patches.kernel.org/patch-2.6.16.NN-$((NN+1)), NN = 18,...,52: update to Kernel 2.6.16.53; lots of bugfixes [#298719] [#186582] [#186583] [#186584] - patches.fixes/ocfs2-1.2-svn-r3027.diff: proactive patch [#298845] - patches.drivers/b44-phy-fix: Fix frequent PHY resets under load on b44 [#301653] - dd patches.arch/ppc-eeh-node-status-okay.patch firmware returns 'okay' instead of 'ok' for node status [#301788]
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 29487
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29487
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4185)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4193.NASL
    description This kernel update brings the kernel to the one shipped with SLES 10 Service Pack 1 and also fixes the following security problems: - CVE-2007-2242: The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. The default is that RH0 is disabled now. To adjust this, write to the file /proc/net/accept_source_route6. - CVE-2007-2453: The random number feature in the Linux kernel 2.6 (1) did not properly seed pools when there is no entropy, or (2) used an incorrect cast when extracting entropy, which might have caused the random number generator to provide the same values after reboots on systems without an entropy source. - CVE-2007-2876: A NULL pointer dereference in SCTP connection tracking could be caused by a remote attacker by sending specially crafted packets. Note that this requires SCTP set-up and active to be exploitable. - CVE-2007-3105: Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. Since this value can only be changed by a root user, exploitability is low. - CVE-2007-3107: The signal handling in the Linux kernel, when run on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency. - CVE-2007-2525: Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized. - CVE-2007-3513: The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel did not limit the amount of memory used by a caller, which allowed local users to cause a denial of service (memory consumption). - CVE-2007-3851: On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. This kernel is not compatible to the previous SUSE Linux 10.1 kernel, so the Kernel Module Packages will need to be updated.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27296
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27296
    title SuSE Security Update: Kernel Update for SUSE Linux 10.1 (kernel-4193)
oval via4
accepted 2013-04-29T04:06:56.702-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel before 2.6.21-git8 allows local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized.
family unix
id oval:org.mitre.oval:def:10594
status accepted
submitted 2010-07-09T03:56:16-04:00
title Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel before 2.6.21-git8 allows local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized.
version 24
redhat via4
advisories
  • bugzilla
    id 241888
    title CVE-2007-2453 Slightly degraded pool mixing for entropy extraction
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment kernel is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376002
        • comment kernel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314003
      • AND
        • comment kernel-PAE is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376016
        • comment kernel-PAE is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314021
      • AND
        • comment kernel-PAE-devel is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376018
        • comment kernel-PAE-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314023
      • AND
        • comment kernel-devel is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376008
        • comment kernel-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314007
      • AND
        • comment kernel-doc is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376020
        • comment kernel-doc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314025
      • AND
        • comment kernel-headers is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376004
        • comment kernel-headers is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314005
      • AND
        • comment kernel-kdump is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376014
        • comment kernel-kdump is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314017
      • AND
        • comment kernel-kdump-devel is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376012
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314019
      • AND
        • comment kernel-xen is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376010
        • comment kernel-xen is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314011
      • AND
        • comment kernel-xen-devel is earlier than 0:2.6.18-8.1.6.el5
          oval oval:com.redhat.rhsa:tst:20070376006
        • comment kernel-xen-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20080314013
    rhsa
    id RHSA-2007:0376
    released 2007-06-14
    severity Important
    title RHSA-2007:0376: kernel security and bug fix update (Important)
  • rhsa
    id RHSA-2007:0488
rpms
  • kernel-0:2.6.18-8.1.6.el5
  • kernel-PAE-0:2.6.18-8.1.6.el5
  • kernel-PAE-devel-0:2.6.18-8.1.6.el5
  • kernel-devel-0:2.6.18-8.1.6.el5
  • kernel-doc-0:2.6.18-8.1.6.el5
  • kernel-headers-0:2.6.18-8.1.6.el5
  • kernel-kdump-0:2.6.18-8.1.6.el5
  • kernel-kdump-devel-0:2.6.18-8.1.6.el5
  • kernel-xen-0:2.6.18-8.1.6.el5
  • kernel-xen-devel-0:2.6.18-8.1.6.el5
  • kernel-0:2.6.9-55.0.2.EL
  • kernel-devel-0:2.6.9-55.0.2.EL
  • kernel-doc-0:2.6.9-55.0.2.EL
  • kernel-hugemem-0:2.6.9-55.0.2.EL
  • kernel-hugemem-devel-0:2.6.9-55.0.2.EL
  • kernel-largesmp-0:2.6.9-55.0.2.EL
  • kernel-largesmp-devel-0:2.6.9-55.0.2.EL
  • kernel-smp-0:2.6.9-55.0.2.EL
  • kernel-smp-devel-0:2.6.9-55.0.2.EL
  • kernel-xenU-0:2.6.9-55.0.2.EL
  • kernel-xenU-devel-0:2.6.9-55.0.2.EL
refmap via4
bid 23870
confirm
debian
  • DSA-1356
  • DSA-1503
  • DSA-1504
mandriva
  • MDKSA-2007:171
  • MDKSA-2007:196
  • MDKSA-2007:216
secunia
  • 25163
  • 25700
  • 25838
  • 26133
  • 26139
  • 26289
  • 26450
  • 26620
  • 26664
  • 27227
  • 29058
suse
  • SUSE-SA:2007:051
  • SUSE-SA:2007:053
ubuntu
  • USN-486-1
  • USN-489-1
  • USN-510-1
vupen ADV-2007-1703
xf kernel-pppoe-dos(34150)
Last major update 03-10-2011 - 00:00
Published 08-05-2007 - 19:19
Last modified 10-10-2017 - 21:32
Back to Top