| Description: | Description:
The remote host is missing an update to kernel
announced via advisory MDVSA-2011:029.
A vulnerability was discovered and corrected in the Linux 2.6 kernel:
The X.25 implementation does not properly parse facilities, which
allows remote attackers to cause a denial of service (heap memory
corruption and panic) or possibly have
unspecified other impact via malformed data, a different vulnerability
than CVE-2010-4164. (CVE-2010-3873)
The bcm_connect function Broadcast Manager in the Controller Area
Network (CAN) implementation in the Linux creates a publicly accessible
file with a filename containing a kernel memory address, which allows
local users to obtain potentially sensitive information about kernel
memory use by listing this filename. (CVE-2010-4565)
The install_special_mapping function in mm/mmap.c does not make an
expected security_file_mmap function call, which allows local users
to bypass intended mmap_min_addr restrictions and possibly conduct
NULL pointer dereference attacks via a crafted assembly-language
application. (CVE-2010-4346)
The sk_run_filter function does not check whether a certain memory
location has been initialized before executing a BPF_S_LD_MEM
or BPF_S_LDX_MEM instruction, which allows local users to obtain
potentially sensitive information from kernel stack memory via a
crafted socket filter. (CVE-2010-4158)
Heap-based buffer overflow in the bcm_connect function the Broadcast
Manager in the Controller Area Network (CAN)on 64-bit platforms might
allow local users to cause a denial of service (memory corruption)
via a connect operation. (CVE-2010-3874)
The blk_rq_map_user_iov function in block/blk-map.c allows local
users to cause a denial of service (panic) via a zero-length I/O
request in a device ioctl to a SCSI device. (CVE-2010-4163)
Multiple integer underflows in the x25_parse_facilities function in
allow remote attackers to cause a denial of service (system crash)
via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3)
X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data. (CVE-2010-4164)
Race condition in the do_setlk function allows local users to cause a
denial of service (crash) via vectors resulting in an interrupted RPC
call that leads to a stray FL_POSIX lock, related to improper handling
of a race between fcntl and close in the EINTR case. (CVE-2009-4307)
Multiple integer overflows in fs/bio.c allow local users to cause
a denial of service (system crash) via a crafted device ioctl to a
SCSI device. (CVE-2010-4162)
Integer overflow in the ext4_ext_get_blocks function in
fs/ext4/extents.c allows local users to cause a denial of service
(BUG and system crash) via a write operation on the last block of a
large file, followed by a sync operation. (CVE-2010-3015)
The do_exit function in kernel/exit.c does not properly handle a
KERNEL_DS get_fs value, which allows local users to bypass intended
access_ok restrictions, overwrite arbitrary kernel memory locations,
and gain privileges by leveraging a (1) BUG, (2) NULL pointer
dereference, or (3) page fault, as demonstrated by vectors involving
the clear_child_tid feature and the splice system call. (CVE-2010-4258)
The ax25_getname function in net/ax25/af_ax25.c does not initialize
a certain structure, which allows local users to obtain potentially
sensitive information from kernel stack memory by reading a copy of
this structure. (CVE-2010-3875)
Integer overflow in the do_io_submit function in fs/aio.c allows local
users to cause a denial of service or possibly have unspecified other
impact via crafted use of the io_submit system call. (CVE-2010-3067)
Race condition in the __exit_signal function in kernel/exit.c
allows local users to cause a denial of service via vectors
related to multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group
leader in the de_thread function in fs/exec.c. (CVE-2010-4248)
Integer signedness error in the pkt_find_dev_from_minor function
in drivers/block/pktcdvd.c allows local users to obtain sensitive
information from kernel memory or cause a denial of service (invalid
pointer dereference and system crash) via a crafted index value in
a PKT_CTRL_CMD_STATUS ioctl call. (CVE-2010-3437)
The get_name function in net/tipc/socket.c does not initialize a
certain structure, which allows local users to obtain potentially
sensitive information from kernel stack memory by reading a copy of
this structure. (CVE-2010-3877)
Stack-based buffer overflow in the parse_tag_11_packet function
in fs/ecryptfs/keystore.c in the eCryptfs subsystem allows local
users to cause a denial of service (system crash) or possibly gain
privileges via vectors involving a crafted eCryptfs file, related
to not ensuring that the key signature length in a Tag 11 packet is
compatible with the key signature buffer size. (CVE-2009-2406)
Multiple integer signedness errors in the TIPC implementation allow
local users to gain privileges via a crafted sendmsg call that
triggers a heap-based buffer overflow, related to the tipc_msg_build
function in net/tipc/msg.c and the verify_iovec function in
net/core/iovec.c. (CVE-2010-3859)
The ipc subsystem does not initialize certain structures, which allows
local users to obtain potentially sensitive information from kernel
stack memory via vectors related to the (1) compat_sys_semctl, (2)
compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c
and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr
functions in ipc/compat_mq.c. (CVE-2010-4073)
The copy_shmid_to_user function does not initialize a certain
structure, which allows local users to obtain potentially sensitive
information from kernel stack memory via vectors related to the shmctl
system call and the old shm interface. (CVE-2010-4072)
The sctp_auth_asoc_get_hmac function in net/sctp/auth.c does not
properly validate the hmac_ids array of an SCTP peer, which allows
remote attackers to cause a denial of service (memory corruption
and panic) via a crafted value in the last element of this
array. (CVE-2010-3705)
The do_tcp_setsockopt function in net/ipv4/tcp.c does not properly
restrict TCP_MAXSEG (aka MSS) values, which allows local users to
cause a denial of service (OOPS) via a setsockopt call that specifies
a small value, leading to a divide-by-zero error or incorrect use of
a signed integer. (CVE-2010-4165)
Multiple integer signedness errors in net/rose/af_rose.c allow local
users to cause a denial of service (heap memory corruption) or possibly
have unspecified other impact via a rose_getname function call,
related to the rose_bind and rose_connect functions. (CVE-2010-3310)
The KVM implementation does not properly reload the FS and GS segment
registers, which allows host OS users to cause a denial of service
(host OS crash) via a KVM_RUN ioctl call in conjunction with a modified
Local Descriptor Table (LDT). (CVE-2010-3698)
This update disable the iommu hardware in order to avoid crash with
some DELL servers (R510, R710,...)
To update your kernel, please follow the directions located at:
http://www.mandriva.com/en/security/kernelupdate
Affected: Enterprise Server 5.0
Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2011:029
Risk factor : Critical
CVSS Score:
8.3
|
