ID CVE-2007-3848
Summary Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
References
Vulnerable Configurations
  • Linux Kernel 2.4.35
    cpe:2.3:o:linux:linux_kernel:2.4.35
CVSS
Base: 1.9 (as of 14-08-2007 - 14:41)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4929.NASL
    description This kernel update fixes the following security problems : CVE-2008-0007: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory. CVE-2008-0001: Incorrect access mode checks could be used by local attackers to corrupt directory contents and so cause denial of service attacks or potentially execute code. CVE-2007-5966: Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third-party information. CVE-2007-3843: The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. CVE-2007-2242: The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. CVE-2007-6417: The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances, which might allow local users to read sensitive kernel data or cause a denial of service (crash). CVE-2007-4308: The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid in the Linux kernel did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. CVE-2007-3740: The CIFS filesystem, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. CVE-2007-3848: The Linux kernel allowed local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG). CVE-2007-4997: Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel allowed remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an 'off-by-two error.' CVE-2007-6063: Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. CVE-none-yet: A failed change_hat call can result in an apparmored task becoming unconfined (326546). and the following non security bugs : - patches.suse/apparmor-r206-310260.diff: AppArmor - add audit capability names (310260). - patches.suse/apparmor-r326-240982.diff: AppArmor - fix memory corruption if policy load fails (240982). - patches.suse/apparmor-r400-221567.diff: AppArmor - kernel dead locks when audit back log occurs (221567). - patches.suse/apparmor-r405-247679.diff: AppArmor - apparmor fails to log link reject in complain mode (247679). - patches.suse/apparmor-r473-326556.diff: AppArmor - fix race on ambiguous deleted file name (326556). - patches.suse/apparmor-r479-257748.diff: AppArmor - fix kernel crash that can occur on profile removal (257748). - patches.fixes/usb_unusual_292931.diff: add quirk needed for 1652:6600 (292931). - patches.drivers/r8169-perform-a-PHY-reset-before.patch: r8169: perform a PHY reset before any other operation at boot time (345658). - patches.drivers/r8169-more-alignment-for-the-0x8168: refresh. - patches.fixes/usb_336850.diff: fix missing quirk leading to a device disconnecting under load (336850). - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. (#341894)
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 30142
    published 2008-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30142
    title openSUSE 10 Security Update : kernel (kernel-4929)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-1785.NASL
    description Update to kernel 2.6.22.2, 2.6.22.3 and 2.6.22.4: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.2 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.3 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.4 - Fix failure to find serial ports on some machines. - Detect broken timers on some AMD dual-core machines: fixes hangs and failure to boot. - Don't crash when a userspace driver requests too much memory. - Update the CFS scheduler to more closely match upstream. - Wireless driver update. - Enable ACPI_DEBUG in -debug builds. - Fix e820 memory hole sizing on x86_64. - Add four bugfixes for sky2 ethernet. - Fix some SCSI async scanning bugs. - Fix polling in r8169 driver. - Fix wrong sensor values with some chips. CVE-2007-3848: Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 27734
    published 2007-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27734
    title Fedora 7 : kernel-2.6.22.4-65.fc7 (2007-1785)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-509-1.NASL
    description A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28113
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28113
    title Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-509-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071203_KERNEL_ON_SL3.NASL
    description A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) A flaw was found in the IPv4 forwarding base. This allowed a local user to cause a denial of service. (CVE-2007-2172, Important) A flaw was found where a corrupted executable file could cause cross-region memory mappings on Itanium systems. This allowed a local user to cause a denial of service. (CVE-2006-4538, Moderate) A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) As well, these updated packages fix the following bug : - a bug in the TCP header prediction code may have caused 'TCP: Treason uncloaked!' messages to be logged. In certain situations this may have lead to TCP connections hanging or aborting.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60321
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60321
    title Scientific Linux Security Update : kernel on SL3.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0940.NASL
    description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 27565
    published 2007-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27565
    title RHEL 5 : kernel (RHSA-2007:0940)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-510-1.NASL
    description A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513) Zhongling Wen discovered that the h323 conntrack handler did not correctly handle certain bitfields. A remote attacker could send a specially crafted packet and cause a denial of service. (CVE-2007-3642) A flaw was discovered in the CIFS mount security checking. Remote attackers could spoof CIFS network traffic, which could lead a client to trust the connection. (CVE-2007-3843) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28114
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28114
    title Ubuntu 7.04 : linux-source-2.6.20 vulnerabilities (USN-510-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0001.NASL
    description Updated kernel packages that fix a number of security issues are now available for Red Hat Enterprise Linux 2.1 running on 32-bit architectures. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the IPv4 forwarding base. This could allow a local, unprivileged user to cause a denial of service. (CVE-2007-2172, Important) * a flaw was found in the handling of process death signals. This allowed a local, unprivileged user to send arbitrary signals to the suid-process executed by that user. Successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * when accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform required range checks. A local, unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a denial of service. (CVE-2008-0007, Important) * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * missing capability checks were found in the SBNI WAN driver which could allow a local, unprivileged user to bypass intended capability restrictions. (CVE-2008-3525, Important) * a flaw was found in the way files were written using truncate() or ftruncate(). This could allow a local, unprivileged user to acquire the privileges of a different group and obtain access to sensitive information. (CVE-2008-4210, Important) * a race condition in the mincore system core allowed a local, unprivileged user to cause a denial of service. (CVE-2006-4814, Moderate) * a flaw was found in the aacraid SCSI driver. This allowed a local, unprivileged user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * two buffer overflow flaws were found in the Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) * a flaw was found in the way core dump files were created. If a local, unprivileged user could make a root-owned process dump a core file into a user-writable directory, the user could gain read access to that core file, potentially compromising sensitive information. (CVE-2007-6206, Moderate) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) All users of Red Hat Enterprise Linux 2.1 on 32-bit architectures should upgrade to these updated packages which address these vulnerabilities. For this update to take effect, the system must be rebooted.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 35323
    published 2009-01-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35323
    title RHEL 2.1 : kernel (RHSA-2009:0001)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1504.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6058 LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. - CVE-2006-7203 OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3105 The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to effect default Debian installations where only root has sufficient privileges to exploit it. - CVE-2007-3739 Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. - CVE-2007-3740 Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process' umask which may lead to unintentionally relaxed permissions. - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-4133 Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs. A misconversion of hugetlb_vmtruncate_list to prio_tree may allow local users to trigger a BUG_ON() call in exit_mmap. - CVE-2007-4308 Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges. - CVE-2007-4573 Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour. - CVE-2007-5093 Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf. - CVE-2007-6063 Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl handling, exploitable by a local user. - CVE-2007-6151 ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. - CVE-2007-6206 Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. - CVE-2007-6694 Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). - CVE-2008-0007 Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 3.1 (sarge) kernel-image-2.6.8-alpha 2.6.8-17sarge1 kernel-image-2.6.8-amd64 2.6.8-17sarge1 kernel-image-2.6.8-hppa 2.6.8-7sarge1 kernel-image-2.6.8-i386 2.6.8-17sarge1 kernel-image-2.6.8-ia64 2.6.8-15sarge1 kernel-image-2.6.8-m68k 2.6.8-5sarge1 kernel-image-2.6.8-s390 2.6.8-6sarge1 kernel-image-2.6.8-sparc 2.6.8-16sarge1 kernel-patch-powerpc-2.6.8 2.6.8-13sarge1 fai-kernels 1.9.1sarge8
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 31148
    published 2008-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31148
    title Debian DSA-1504-1 : kernel-source-2.6.8 - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1503.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-2731 infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code. - CVE-2006-4814 Doug Chapman discovered a potential local DoS (deadlock) in the mincore function caused by improper lock handling. - CVE-2006-5753 Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad. - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6053 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6106 Marcel Holtman discovered multiple buffer overflows in the Bluetooth subsystem which can be used to trigger a remote DoS (crash) and potentially execute arbitrary code. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-1592 Masayuki Nakagawa discovered that flow labels were inadvertently being shared between listening sockets and child sockets. This defect can be exploited by local users to cause a DoS (Oops). - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-4308 Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges. - CVE-2007-4311 PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy. - CVE-2007-5093 Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf. - CVE-2007-6063 Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl handling, exploitable by a local user. - CVE-2007-6151 ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. - CVE-2007-6206 Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. - CVE-2007-6694 Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). - CVE-2008-0007 Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 3.1 (sarge) alsa-modules-i386 1.0.8+2sarge2 kernel-image-2.4.27-arm 2.4.27-2sarge6 kernel-image-2.4.27-m68k 2.4.27-3sarge6 kernel-image-speakup-i386 2.4.27-1.1sarge5 kernel-image-2.4.27-alpha 2.4.27-10sarge6 kernel-image-2.4.27-s390 2.4.27-2sarge6 kernel-image-2.4.27-sparc 2.4.27-9sarge6 kernel-image-2.4.27-i386 2.4.27-10sarge6 kernel-image-2.4.27-ia64 2.4.27-10sarge6 kernel-patch-2.4.27-mips 2.4.27-10.sarge4.040815-3 kernel-patch-powerpc-2.4.27 2.4.27-10sarge6 kernel-latest-2.4-alpha 101sarge3 kernel-latest-2.4-i386 101sarge2 kernel-latest-2.4-s390 2.4.27-1sarge2 kernel-latest-2.4-sparc 42sarge3 i2c 1:2.9.1-1sarge2 lm-sensors 1:2.9.1-1sarge4 mindi-kernel 2.4.27-2sarge5 pcmcia-modules-2.4.27-i386 3.2.5+2sarge2 hostap-modules-i386 1:0.3.7-1sarge3 systemimager 3.2.3-6sarge5
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 31147
    published 2008-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31147
    title Debian DSA-1503-1 : kernel-source-2.4.27 - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4186.NASL
    description This kernel update fixes the following security problems : - The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. (CVE-2007-2242) The default is that RH0 is disabled now. To adjust this, write to the file /proc/net/accept_source_route6. - The random number feature in the Linux kernel 2.6 (1) did not properly seed pools when there is no entropy, or (2) used an incorrect cast when extracting entropy, which might have caused the random number generator to provide the same values after reboots on systems without an entropy source. (CVE-2007-2453) - A NULL pointer dereference in SCTP connection tracking could be caused by a remote attacker by sending specially crafted packets. Note that this requires SCTP set-up and active to be exploitable. (CVE-2007-2876) - Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. (CVE-2007-3105) Since this value can only be changed by a root user, exploitability is low. - The signal handling in the Linux kernel, when run on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency. (CVE-2007-3107) - Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized. (CVE-2007-2525) - The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel did not limit the amount of memory used by a caller, which allowed local users to cause a denial of service (memory consumption). (CVE-2007-3513) - A local attacker could send a death signal to a setuid root program under certain conditions, potentially causing unwanted behaviour in this program. (CVE-2007-3848) - On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. (CVE-2007-3851) - Fixed a denial of service possibility where a local attacker with access to a pwc camera device could hang the USB subsystem. [#302194] and the following non security bugs : - patches.arch/ppc-oprofile-970mp.patch: enable ppc64/970 MP, requires oprofile 0.9.3 [#252696] - patches.arch/x86_64-no-tsc-with-C3: don't use TSC on x86_64 Intel systems when CPU has C3 [#254061] - patches.arch/x86_64-hpet-lost-interrupts-fix.patch: backport x86_64 hpet lost interrupts code [#257035] - patches.fixes/fusion-nat-consumption-fix: handle a potential race in mptbase. This fixes a NaT consumption crash [#257412] - patches.arch/ia64-skip-clock-calibration: enabled [#259501] - patches.fixes/md-raid1-handle-read-error: Correctly handle read errors from a failed drive in raid1 [#261459] - patches.arch/ia64-fix-kdump-on-init: kdump on INIT needs multi-nodes sync-up (v.2) [#265764] - patches.arch/ia64-perfmon-fix-2: race condition between pfm_context_create and pfm_read [#268131] - patches.fixes/cpufreq_ppc_boot_option.patch: workaround for _PPC (BIOS cpufreq limitations) [#269579] - patches.arch/acpi_package_object_support.patch: ACPI package object as method parameter support (in AML) [#270956] - patches.fixes/ia64_cpufreq_PDC.patch: correctly assign as cpufreq capable driver (_PDC) to BIOS [#270973] - patches.arch/ia64-kdump-hpzx1-ioc-workaround: update to latest upstream version of the patch [#271158] - patches.suse/delayacct_memleak.patch: Fix delayacct memory leak [#271187] - patches.fixes/fc_transport-check-portstate-before-scan: check FC portstates before invoking target scan [#271338] - patches.fixes/unusual14cd.patch: quirk for 14cd:6600 [#274087] - patches.fixes/reiserfs-change_generation_on_update_sd.di ff: fix assertion failure in reiserfs [#274288] - patches.drivers/d-link-dge-530t-should-use-the-skge-driv er.patch: D-Link DGE-530T should use the skge driver [#275376] - patches.arch/ia64-dont-unwind-running-tasks.patch: Only unwind non-running tasks [#275854] - patches.fixes/dm-mpath-rdac-avt-support: short circuit RDAC hardware handler in AVT mode [#277834] - patches.fixes/lkcd-re-enable-valid_phys_addr_range: re-enable the valid_phys_addr_range() check [#279433] - patches.drivers/cciss-panic-on-reboot: when root filesystem is xfs the server cannot do a second reboot [#279436] Also resolves same issue in [#291759]. - patches.drivers/ide-hpt366-fix-302n-oops: fix hpt302n oops [#279705] - patches.fixes/serial-8250-backup-timer-2-deadlock-fix: fix possible deadlock [#280771] - patches.fixes/nfs-osync-error-return: ensure proper error return from O_SYNC writes [#280833] - patches.fixes/acpi_pci_hotplug_poweroff.patch: ACPI PCI hotplug driver acpiphp unable to power off PCI slot [#281234] - patches.drivers/pci-hotplug-acpiphp-remove-hot-plug-para meter-write-to-pci-host-bridge.patch: remove hot plug parameter write to PCI host bridge [#281239] - patches.fixes/scsi-set-correct-resid: Incorrect 'resid' field values when using a tape device [#281640] - patches.drivers/usb-edgeport-epic-support.patch: USB: add EPIC support to the io_edgeport driver [#281921] - patches.fixes/usb-hid-ncr-no-init-reports.patch: HID: Don't initialize reports for NCR devices [#281921] - patches.drivers/ppc-power6-ehea.patch: use decimal values in sysfs propery logical_port_id, fix panic when adding / removing logical eHEA ports [#283070] - patches.arch/ppc-power6-ebus.patch: DLPAR Adapter add/remove functionality for eHEA [#283239] - patches.fixes/nfs-enospc: Return ENOSPC and EDQUOT to NFS write requests more promptly [#284042] - patches.drivers/pci-hotplug-acpiphp-avoid-acpiphp-cannot -get-bridge-info-pci-hotplug-failure.patch: PCI: hotplug: acpiphp: avoid acpiphp 'cannot get bridge info' PCI hotplug failure [#286193] - patches.drivers/lpfc-8.1.10.9-update: lpfc update to 8.1.10.9 [#286223] - patches.fixes/make-swappiness-safer-to-use.patch: Handle low swappiness gracefully [#288799] - patches.arch/ppc-oprofile-power5plusplus.patch: oprofile support for Power 5++ [#289223] - patches.drivers/ppc-power6-ehea.patch: Fixed possible kernel panic on VLAN packet recv [#289301] - patches.fixes/igrab_should_check_for_i_clear.patch: igrab() should check for I_CLEAR [#289576] - patches.fixes/wait_for_sysfs_population.diff: Driver core: bus device event delay [#289964] - patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni ng-better: better throttling of SG_DXFER_TO_FROM_DEV warning messages [#290117] - patches.arch/mark-unwind-info-for-signal-trampolines-in- vdsos.patch: Mark unwind info for signal trampolines in vDSOs [#291421] - patches.fixes/hugetlbfs-stack-grows-fix.patch: don't allow the stack to grow into hugetlb reserved regions [#294021] - patches.drivers/alsa-post-sp1-hda-analog-update: add support of of missing AD codecs [#294471] - patches.drivers/alsa-post-sp1-hda-conexant-fixes: fix unterminated arrays [#294480] - patches.fixes/fix_hpet_init_race.patch: fix a race in HPET initialization on x86_64 resulting in a lockup on boot [#295115] - patches.drivers/alsa-post-sp1-hda-sigmatel-pin-fix: Fix number of pin widgets with STAC codecs [#295653] - patches.fixes/pci-pcieport-driver-remove-invalid-warning -message.patch: PCI: pcieport-driver: remove invalid warning message [#297135] [#298561] - patches.kernel.org/patch-2.6.16.NN-$((NN+1)), NN = 18,...,52: update to Kernel 2.6.16.53; lots of bugfixes [#298719] [#186582] [#186583] [#186584] - patches.fixes/ocfs2-1.2-svn-r3027.diff: proactive patch [#298845] - patches.drivers/b44-phy-fix: Fix frequent PHY resets under load on b44 [#301653] - dd patches.arch/ppc-eeh-node-status-okay.patch firmware returns 'okay' instead of 'ok' for node status [#301788]
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 59123
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59123
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4186)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0940.NASL
    description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43654
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43654
    title CentOS 5 : kernel (CESA-2007:0940)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1356.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2453 A couple of issues with random number generation were discovered. Slightly less random numbers resulted from hashing a subset of the available entropy. Zero-entropy systems were seeded with the same inputs at boot time, resulting in repeatable series of random numbers. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-2876 Vilmos Nebehaj discovered a NULL pointer dereference condition in the netfilter subsystem. This allows remote systems which communicate using the SCTP protocol to crash a system by creating a connection with an unknown chunk type. - CVE-2007-3513 Oliver Neukum reported an issue in the usblcd driver which, by not limiting the size of write buffers, permits local users with write access to trigger a DoS by consuming all available memory. - CVE-2007-3642 Zhongling Wen reported an issue in nf_conntrack_h323 where the lack of range checking may lead to NULL pointer dereferences. Remote attackers could exploit this to create a DoS condition (system crash). - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-3851 Dave Airlie reported that Intel 965 and above chipsets have relocated their batch buffer security bits. Local X server users may exploit this to write user data to arbitrary physical memory addresses. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch1. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 4.0 (etch) fai-kernels 1.17+etch4 user-mode-linux 2.6.18-1um-2etch3
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25909
    published 2007-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25909
    title Debian DSA-1356-1 : linux-2.6 - several vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0939.NASL
    description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool. (CVE-2007-3105, Low) Additionally, the following bugs were fixed : * A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately. * A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space; and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. Please see the Red Hat Knowledgebase for more detailed information. * A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Enterprise Linux 5.1 hypervisor. The fix is to allow your Enterprise Linux 4 Xen SMP guests to boot under a 5.1 hypervisor. Please see the Red Hat Knowledgebase for more detailed information. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 37953
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37953
    title CentOS 4 : kernel (CESA-2007:0939)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-1049.NASL
    description From Red Hat Security Advisory 2007:1049 : Updated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) A flaw was found in the IPv4 forwarding base. This allowed a local user to cause a denial of service. (CVE-2007-2172, Important) A flaw was found where a corrupted executable file could cause cross-region memory mappings on Itanium systems. This allowed a local user to cause a denial of service. (CVE-2006-4538, Moderate) A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) As well, these updated packages fix the following bug : * a bug in the TCP header prediction code may have caused 'TCP: Treason uncloaked!' messages to be logged. In certain situations this may have lead to TCP connections hanging or aborting. Red Hat Enterprise Linux 3 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67609
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67609
    title Oracle Linux 3 : kernel (ELSA-2007-1049)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-195.NASL
    description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : A stack-based buffer overflow in the random number generator could allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size (CVE-2007-3105). The lcd_write function did not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption) (CVE-2007-3513). The decode_choice function allowed remote attackers to cause a denial of service (crash) via an encoded out-of-range index value for a choice field which triggered a NULL pointer dereference (CVE-2007-3642). The Linux kernel allowed local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die which delivered an attacker-controlled parent process death signal (PR_SET_PDEATHSIG) (CVE-2007-3848). The aac_cfg_openm and aac_compat_ioctl functions in the SCSI layer ioctl patch in aacraid did not check permissions for ioctls, which might allow local users to cause a denial of service or gain privileges (CVE-2007-4308). The IA32 system call emulation functionality, when running on the x86_64 architecture, did not zero extend the eax register after the 32bit entry path to ptrace is used, which could allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register (CVE-2007-4573). In addition to these security fixes, other fixes have been included such as : - More NVidia PCI ids wre added - The 3w-9xxx module was updated to version 2.26.02.010 - Fixed the map entry for ICH8 - Added the TG3 5786 PCI id - Reduced the log verbosity of cx88-mpeg To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 27561
    published 2007-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27561
    title Mandrake Linux Security Advisory : kernel (MDKSA-2007:195)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0940.NASL
    description From Red Hat Security Advisory 2007:0940 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67581
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67581
    title Oracle Linux 5 : kernel (ELSA-2007-0940)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0939.NASL
    description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool. (CVE-2007-3105, Low) Additionally, the following bugs were fixed : * A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately. * A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space; and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. Please see the Red Hat Knowledgebase for more detailed information. * A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Enterprise Linux 5.1 hypervisor. The fix is to allow your Enterprise Linux 4 Xen SMP guests to boot under a 5.1 hypervisor. Please see the Red Hat Knowledgebase for more detailed information. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 27616
    published 2007-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27616
    title RHEL 4 : kernel (RHSA-2007:0939)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0939.NASL
    description From Red Hat Security Advisory 2007:0939 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool. (CVE-2007-3105, Low) Additionally, the following bugs were fixed : * A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately. * A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space; and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. Please see the Red Hat Knowledgebase for more detailed information. * A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Enterprise Linux 5.1 hypervisor. The fix is to allow your Enterprise Linux 4 Xen SMP guests to boot under a 5.1 hypervisor. Please see the Red Hat Knowledgebase for more detailed information. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67580
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67580
    title Oracle Linux 4 : kernel (ELSA-2007-0939)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071022_KERNEL_ON_SL5_X.NASL
    description These new kernel packages contain fixes for the following security issues : - A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) - A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) - A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) - A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) - A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) - A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) - A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) - A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) - A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60272
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60272
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-508-1.NASL
    description A buffer overflow was discovered in the Moxa serial driver. Local attackers could execute arbitrary code and gain root privileges. (CVE-2005-0504) A flaw was discovered in the IPv6 stack's handling of type 0 route headers. By sending a specially crafted IPv6 packet, a remote attacker could cause a denial of service between two IPv6 hosts. (CVE-2007-2242) A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28112
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28112
    title Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerabilities (USN-508-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071101_KERNEL_ON_SL4_X.NASL
    description - A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) - A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) - A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) - A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) - A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) - A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) - A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) - A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low) - A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool. (CVE-2007-3105, Low) Additionally, the following bugs were fixed : - A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately. - A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space; and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. - A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Scientific Linux 5.1 hypervisor. The fix is to allow your Scientific Linux 4 Xen SMP guests to boot under a 5.1 hypervisor.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60280
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60280
    title Scientific Linux Security Update : kernel on SL4.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4185.NASL
    description This kernel update fixes the following security problems : - The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. (CVE-2007-2242) The default is that RH0 is disabled now. To adjust this, write to the file /proc/net/accept_source_route6. - The random number feature in the Linux kernel 2.6 (1) did not properly seed pools when there is no entropy, or (2) used an incorrect cast when extracting entropy, which might have caused the random number generator to provide the same values after reboots on systems without an entropy source. (CVE-2007-2453) - A NULL pointer dereference in SCTP connection tracking could be caused by a remote attacker by sending specially crafted packets. Note that this requires SCTP set-up and active to be exploitable. (CVE-2007-2876) - Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. (CVE-2007-3105) Since this value can only be changed by a root user, exploitability is low. - The signal handling in the Linux kernel, when run on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency. (CVE-2007-3107) - Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized. (CVE-2007-2525) - The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel did not limit the amount of memory used by a caller, which allowed local users to cause a denial of service (memory consumption). (CVE-2007-3513) - A local attacker could send a death signal to a setuid root program under certain conditions, potentially causing unwanted behaviour in this program. (CVE-2007-3848) - On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. (CVE-2007-3851) - Fixed a denial of service possibility where a local attacker with access to a pwc camera device could hang the USB subsystem. [#302194] and the following non security bugs : - patches.arch/ppc-oprofile-970mp.patch: enable ppc64/970 MP, requires oprofile 0.9.3 [#252696] - patches.arch/x86_64-no-tsc-with-C3: don't use TSC on x86_64 Intel systems when CPU has C3 [#254061] - patches.arch/x86_64-hpet-lost-interrupts-fix.patch: backport x86_64 hpet lost interrupts code [#257035] - patches.fixes/fusion-nat-consumption-fix: handle a potential race in mptbase. This fixes a NaT consumption crash [#257412] - patches.arch/ia64-skip-clock-calibration: enabled [#259501] - patches.fixes/md-raid1-handle-read-error: Correctly handle read errors from a failed drive in raid1 [#261459] - patches.arch/ia64-fix-kdump-on-init: kdump on INIT needs multi-nodes sync-up (v.2) [#265764] - patches.arch/ia64-perfmon-fix-2: race condition between pfm_context_create and pfm_read [#268131] - patches.fixes/cpufreq_ppc_boot_option.patch: workaround for _PPC (BIOS cpufreq limitations) [#269579] - patches.arch/acpi_package_object_support.patch: ACPI package object as method parameter support (in AML) [#270956] - patches.fixes/ia64_cpufreq_PDC.patch: correctly assign as cpufreq capable driver (_PDC) to BIOS [#270973] - patches.arch/ia64-kdump-hpzx1-ioc-workaround: update to latest upstream version of the patch [#271158] - patches.suse/delayacct_memleak.patch: Fix delayacct memory leak [#271187] - patches.fixes/fc_transport-check-portstate-before-scan: check FC portstates before invoking target scan [#271338] - patches.fixes/unusual14cd.patch: quirk for 14cd:6600 [#274087] - patches.fixes/reiserfs-change_generation_on_update_sd.di ff: fix assertion failure in reiserfs [#274288] - patches.drivers/d-link-dge-530t-should-use-the-skge-driv er.patch: D-Link DGE-530T should use the skge driver [#275376] - patches.arch/ia64-dont-unwind-running-tasks.patch: Only unwind non-running tasks [#275854] - patches.fixes/dm-mpath-rdac-avt-support: short circuit RDAC hardware handler in AVT mode [#277834] - patches.fixes/lkcd-re-enable-valid_phys_addr_range: re-enable the valid_phys_addr_range() check [#279433] - patches.drivers/cciss-panic-on-reboot: when root filesystem is xfs the server cannot do a second reboot [#279436] Also resolves same issue in [#291759]. - patches.drivers/ide-hpt366-fix-302n-oops: fix hpt302n oops [#279705] - patches.fixes/serial-8250-backup-timer-2-deadlock-fix: fix possible deadlock [#280771] - patches.fixes/nfs-osync-error-return: ensure proper error return from O_SYNC writes [#280833] - patches.fixes/acpi_pci_hotplug_poweroff.patch: ACPI PCI hotplug driver acpiphp unable to power off PCI slot [#281234] - patches.drivers/pci-hotplug-acpiphp-remove-hot-plug-para meter-write-to-pci-host-bridge.patch: remove hot plug parameter write to PCI host bridge [#281239] - patches.fixes/scsi-set-correct-resid: Incorrect 'resid' field values when using a tape device [#281640] - patches.drivers/usb-edgeport-epic-support.patch: USB: add EPIC support to the io_edgeport driver [#281921] - patches.fixes/usb-hid-ncr-no-init-reports.patch: HID: Don't initialize reports for NCR devices [#281921] - patches.drivers/ppc-power6-ehea.patch: use decimal values in sysfs propery logical_port_id, fix panic when adding / removing logical eHEA ports [#283070] - patches.arch/ppc-power6-ebus.patch: DLPAR Adapter add/remove functionality for eHEA [#283239] - patches.fixes/nfs-enospc: Return ENOSPC and EDQUOT to NFS write requests more promptly [#284042] - patches.drivers/pci-hotplug-acpiphp-avoid-acpiphp-cannot -get-bridge-info-pci-hotplug-failure.patch: PCI: hotplug: acpiphp: avoid acpiphp 'cannot get bridge info' PCI hotplug failure [#286193] - patches.drivers/lpfc-8.1.10.9-update: lpfc update to 8.1.10.9 [#286223] - patches.fixes/make-swappiness-safer-to-use.patch: Handle low swappiness gracefully [#288799] - patches.arch/ppc-oprofile-power5plusplus.patch: oprofile support for Power 5++ [#289223] - patches.drivers/ppc-power6-ehea.patch: Fixed possible kernel panic on VLAN packet recv [#289301] - patches.fixes/igrab_should_check_for_i_clear.patch: igrab() should check for I_CLEAR [#289576] - patches.fixes/wait_for_sysfs_population.diff: Driver core: bus device event delay [#289964] - patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni ng-better: better throttling of SG_DXFER_TO_FROM_DEV warning messages [#290117] - patches.arch/mark-unwind-info-for-signal-trampolines-in- vdsos.patch: Mark unwind info for signal trampolines in vDSOs [#291421] - patches.fixes/hugetlbfs-stack-grows-fix.patch: don't allow the stack to grow into hugetlb reserved regions [#294021] - patches.drivers/alsa-post-sp1-hda-analog-update: add support of of missing AD codecs [#294471] - patches.drivers/alsa-post-sp1-hda-conexant-fixes: fix unterminated arrays [#294480] - patches.fixes/fix_hpet_init_race.patch: fix a race in HPET initialization on x86_64 resulting in a lockup on boot [#295115] - patches.drivers/alsa-post-sp1-hda-sigmatel-pin-fix: Fix number of pin widgets with STAC codecs [#295653] - patches.fixes/pci-pcieport-driver-remove-invalid-warning -message.patch: PCI: pcieport-driver: remove invalid warning message [#297135] [#298561] - patches.kernel.org/patch-2.6.16.NN-$((NN+1)), NN = 18,...,52: update to Kernel 2.6.16.53; lots of bugfixes [#298719] [#186582] [#186583] [#186584] - patches.fixes/ocfs2-1.2-svn-r3027.diff: proactive patch [#298845] - patches.drivers/b44-phy-fix: Fix frequent PHY resets under load on b44 [#301653] - dd patches.arch/ppc-eeh-node-status-okay.patch firmware returns 'okay' instead of 'ok' for node status [#301788]
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 29487
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29487
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4185)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-1049.NASL
    description Updated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) A flaw was found in the IPv4 forwarding base. This allowed a local user to cause a denial of service. (CVE-2007-2172, Important) A flaw was found where a corrupted executable file could cause cross-region memory mappings on Itanium systems. This allowed a local user to cause a denial of service. (CVE-2006-4538, Moderate) A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) As well, these updated packages fix the following bug : * a bug in the TCP header prediction code may have caused 'TCP: Treason uncloaked!' messages to be logged. In certain situations this may have lead to TCP connections hanging or aborting. Red Hat Enterprise Linux 3 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 29203
    published 2007-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29203
    title RHEL 3 : kernel (RHSA-2007:1049)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-1049.NASL
    description Updated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) A flaw was found in the IPv4 forwarding base. This allowed a local user to cause a denial of service. (CVE-2007-2172, Important) A flaw was found where a corrupted executable file could cause cross-region memory mappings on Itanium systems. This allowed a local user to cause a denial of service. (CVE-2006-4538, Moderate) A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) As well, these updated packages fix the following bug : * a bug in the TCP header prediction code may have caused 'TCP: Treason uncloaked!' messages to be logged. In certain situations this may have lead to TCP connections hanging or aborting. Red Hat Enterprise Linux 3 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 29190
    published 2007-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29190
    title CentOS 3 : kernel (CESA-2007:1049)
oval via4
accepted 2013-04-29T04:01:54.984-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
family unix
id oval:org.mitre.oval:def:10120
status accepted
submitted 2010-07-09T03:56:16-04:00
title Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2007:0939
  • rhsa
    id RHSA-2007:0940
  • rhsa
    id RHSA-2007:1049
  • rhsa
    id RHSA-2008:0787
rpms
  • kernel-0:2.6.9-55.0.12.EL
  • kernel-devel-0:2.6.9-55.0.12.EL
  • kernel-doc-0:2.6.9-55.0.12.EL
  • kernel-hugemem-0:2.6.9-55.0.12.EL
  • kernel-hugemem-devel-0:2.6.9-55.0.12.EL
  • kernel-largesmp-0:2.6.9-55.0.12.EL
  • kernel-largesmp-devel-0:2.6.9-55.0.12.EL
  • kernel-smp-0:2.6.9-55.0.12.EL
  • kernel-smp-devel-0:2.6.9-55.0.12.EL
  • kernel-xenU-0:2.6.9-55.0.12.EL
  • kernel-xenU-devel-0:2.6.9-55.0.12.EL
  • kernel-0:2.6.18-8.1.15.el5
  • kernel-PAE-0:2.6.18-8.1.15.el5
  • kernel-PAE-devel-0:2.6.18-8.1.15.el5
  • kernel-devel-0:2.6.18-8.1.15.el5
  • kernel-doc-0:2.6.18-8.1.15.el5
  • kernel-headers-0:2.6.18-8.1.15.el5
  • kernel-kdump-0:2.6.18-8.1.15.el5
  • kernel-kdump-devel-0:2.6.18-8.1.15.el5
  • kernel-xen-0:2.6.18-8.1.15.el5
  • kernel-xen-devel-0:2.6.18-8.1.15.el5
  • kernel-0:2.4.21-53.EL
  • kernel-BOOT-0:2.4.21-53.EL
  • kernel-doc-0:2.4.21-53.EL
  • kernel-hugemem-0:2.4.21-53.EL
  • kernel-hugemem-unsupported-0:2.4.21-53.EL
  • kernel-smp-0:2.4.21-53.EL
  • kernel-smp-unsupported-0:2.4.21-53.EL
  • kernel-source-0:2.4.21-53.EL
  • kernel-unsupported-0:2.4.21-53.EL
refmap via4
bid 25387
bugtraq
  • 20070814 COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
  • 20070814 COSEINC Linux Advisory #1: Linux Kernel Parent Process DeathSignal Vulnerability
  • 20070814 Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
  • 20070815 Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
  • 20070816 Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
confirm
debian
  • DSA-1356
  • DSA-1503
  • DSA-1504
mandriva
  • MDKSA-2007:195
  • MDKSA-2007:196
misc http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3848
mlist [openwall-announce] 20070814 Linux 2.4.35-ow2
secunia
  • 26450
  • 26500
  • 26643
  • 26651
  • 26664
  • 27212
  • 27227
  • 27322
  • 27436
  • 27747
  • 27913
  • 28806
  • 29058
  • 29570
  • 33280
suse
  • SUSE-SA:2007:053
  • SUSE-SA:2008:006
  • SUSE-SA:2008:017
ubuntu
  • USN-508-1
  • USN-509-1
  • USN-510-1
Last major update 21-08-2010 - 01:08
Published 14-08-2007 - 13:17
Last modified 15-10-2018 - 17:31
Back to Top