Red Hat 9042 Published by

Red Hat has released an updated kernel for RHEL 4



=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2010:0936-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0936.html
Issue date: 2010-12-01
CVE Names: CVE-2010-3432 CVE-2010-3442
=====================================================================

1. Summary:

Updated kernel packages that fix two security issues and multiple bugs are
now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

* A flaw in sctp_packet_config() in the Linux kernel's Stream Control
Transmission Protocol (SCTP) implementation could allow a remote attacker
to cause a denial of service. (CVE-2010-3432, Important)

* A missing integer overflow check in snd_ctl_new() in the Linux kernel's
sound subsystem could allow a local, unprivileged user on a 32-bit system
to cause a denial of service or escalate their privileges. (CVE-2010-3442,
Important)

Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-3442.

Bug fixes:

* Forward time drift was observed on virtual machines using PM
timer-based kernel tick accounting and running on KVM or the Microsoft
Hyper-V Server hypervisor. Virtual machines that were booted with the
divider=x kernel parameter set to a value greater than 1 and that showed
the following in the kernel boot messages were subject to this issue:

time.c: Using PM based timekeeping

Fine grained accounting for the PM timer is introduced which eliminates
this issue. However, this fix uncovered a bug in the Xen hypervisor,
possibly causing backward time drift. If this erratum is installed in Xen
HVM guests that meet the aforementioned conditions, it is recommended that
the host use kernel-xen-2.6.18-194.26.1.el5 or newer, which includes a fix
(BZ#641915) for the backward time drift. (BZ#629237)

* With multipath enabled, systems would occasionally halt when the
do_cciss_request function was used. This was caused by wrongly-generated
requests. Additional checks have been added to avoid the aforementioned
issue. (BZ#640193)

* A Sun X4200 system equipped with a QLogic HBA spontaneously rebooted and
logged a Hyper-Transport Sync Flood Error to the system event log. A
Maximum Memory Read Byte Count restriction was added to fix this bug.
(BZ#640919)

* For an active/backup bonding network interface with VLANs on top of it,
when a link failed over, it took a minute for the multicast domain to be
rejoined. This was caused by the driver not sending any IGMP join packets.
The driver now sends IGMP join packets and the multicast domain is rejoined
immediately. (BZ#641002)

* Replacing a disk and trying to rebuild it afterwards caused the system to
panic. When a domain validation request for a hot plugged drive was sent,
the mptscsi driver did not validate its existence. This could result in the
driver accessing random memory and causing the crash. A check has been
added that describes the newly-added device and reloads the iocPg3 data
from the firmware if needed. (BZ#641137)

* An attempt to create a VLAN interface on a bond of two bnx2 adapters in
two switch configurations resulted in a soft lockup after a few seconds.
This was caused by an incorrect use of a bonding pointer. With this update,
soft lockups no longer occur and creating a VLAN interface works as
expected. (BZ#641254)

* Erroneous pointer checks could have caused a kernel panic. This was due
to a critical value not being copied when a network buffer was duplicated
and consumed by multiple portions of the kernel's network stack. Fixing the
copy operation resolved this bug. (BZ#642746)

* A typo in a variable name caused it to be dereferenced in either mkdir()
or create() which could cause a kernel panic. (BZ#643342)

* SCSI high level drivers can submit SCSI commands which would never be
completed when the device was offline. This was caused by a missing
callback for the request to complete the given command. SCSI requests are
now terminated by calling their callback when a device is offline.
(BZ#644816)

* A kernel panic could have occurred on systems due to a recursive lock in
the 3c59x driver. Recursion is now avoided and this kernel panic no longer
occurs. (BZ#648407)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

629237 - time drift with VXTIME_PMTMR mode in case of early / short real ticks [rhel-4.8.z]
637675 - CVE-2010-3432 kernel: sctp: do not reset the packet during sctp_packet_config
638478 - CVE-2010-3442 kernel: prevent heap corruption in snd_ctl_new()
640193 - RHEL 4.8: With multipath enabled, system occasionally halts in do_cciss_request [rhel-4.8.z]
640919 - Work around HyperTransport Sync Flood Error on Sun X4200 with qla2xxx [rhel-4.8.z]
641002 - Bonded interface doesn't issue IGMP report (join) on slave interface during failover [rhel-4.8.z]
641137 - mptbase: panic with domain validation while rebuilding after the disk is replaced. [rhel-4.8.z]
641254 - [RHEL4.8.z] soft lockup on vlan with bonding in balance-alb mode [rhel-4.8.z]
642746 - RHEL4.8 panic in netif_receive_skb [rhel-4.8.z]
643342 - kernel: security: testing the wrong variable in create_by_name() [rhel-4.9] [rhel-4.8.z]
644816 - scsi_do_req() submitted commands (tape) never complete when device goes offline [rhel-4.8.z]
648407 - Kernel panic due to recursive lock in 3c59x driver. [rhel-4.8.z]

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-89.33.1.EL.src.rpm

i386:
kernel-2.6.9-89.33.1.EL.i686.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.i686.rpm
kernel-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-hugemem-2.6.9-89.33.1.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-smp-2.6.9-89.33.1.EL.i686.rpm
kernel-smp-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-xenU-2.6.9-89.33.1.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.33.1.EL.i686.rpm

ia64:
kernel-2.6.9-89.33.1.EL.ia64.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.ia64.rpm
kernel-devel-2.6.9-89.33.1.EL.ia64.rpm
kernel-largesmp-2.6.9-89.33.1.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.33.1.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-89.33.1.EL.noarch.rpm

ppc:
kernel-2.6.9-89.33.1.EL.ppc64.rpm
kernel-2.6.9-89.33.1.EL.ppc64iseries.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.ppc64.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.ppc64iseries.rpm
kernel-devel-2.6.9-89.33.1.EL.ppc64.rpm
kernel-devel-2.6.9-89.33.1.EL.ppc64iseries.rpm
kernel-largesmp-2.6.9-89.33.1.EL.ppc64.rpm
kernel-largesmp-devel-2.6.9-89.33.1.EL.ppc64.rpm

s390:
kernel-2.6.9-89.33.1.EL.s390.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.s390.rpm
kernel-devel-2.6.9-89.33.1.EL.s390.rpm

s390x:
kernel-2.6.9-89.33.1.EL.s390x.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.s390x.rpm
kernel-devel-2.6.9-89.33.1.EL.s390x.rpm

x86_64:
kernel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.x86_64.rpm
kernel-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.33.1.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-smp-2.6.9-89.33.1.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-xenU-2.6.9-89.33.1.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.33.1.EL.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kernel-2.6.9-89.33.1.EL.src.rpm

i386:
kernel-2.6.9-89.33.1.EL.i686.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.i686.rpm
kernel-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-hugemem-2.6.9-89.33.1.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-smp-2.6.9-89.33.1.EL.i686.rpm
kernel-smp-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-xenU-2.6.9-89.33.1.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.33.1.EL.i686.rpm

noarch:
kernel-doc-2.6.9-89.33.1.EL.noarch.rpm

x86_64:
kernel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.x86_64.rpm
kernel-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.33.1.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-smp-2.6.9-89.33.1.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-xenU-2.6.9-89.33.1.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.33.1.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-89.33.1.EL.src.rpm

i386:
kernel-2.6.9-89.33.1.EL.i686.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.i686.rpm
kernel-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-hugemem-2.6.9-89.33.1.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-smp-2.6.9-89.33.1.EL.i686.rpm
kernel-smp-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-xenU-2.6.9-89.33.1.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.33.1.EL.i686.rpm

ia64:
kernel-2.6.9-89.33.1.EL.ia64.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.ia64.rpm
kernel-devel-2.6.9-89.33.1.EL.ia64.rpm
kernel-largesmp-2.6.9-89.33.1.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.33.1.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-89.33.1.EL.noarch.rpm

x86_64:
kernel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.x86_64.rpm
kernel-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.33.1.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-smp-2.6.9-89.33.1.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-xenU-2.6.9-89.33.1.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.33.1.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-89.33.1.EL.src.rpm

i386:
kernel-2.6.9-89.33.1.EL.i686.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.i686.rpm
kernel-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-hugemem-2.6.9-89.33.1.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-smp-2.6.9-89.33.1.EL.i686.rpm
kernel-smp-devel-2.6.9-89.33.1.EL.i686.rpm
kernel-xenU-2.6.9-89.33.1.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.33.1.EL.i686.rpm

ia64:
kernel-2.6.9-89.33.1.EL.ia64.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.ia64.rpm
kernel-devel-2.6.9-89.33.1.EL.ia64.rpm
kernel-largesmp-2.6.9-89.33.1.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.33.1.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-89.33.1.EL.noarch.rpm

x86_64:
kernel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.33.1.EL.x86_64.rpm
kernel-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.33.1.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-smp-2.6.9-89.33.1.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.33.1.EL.x86_64.rpm
kernel-xenU-2.6.9-89.33.1.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.33.1.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3432.html
https://www.redhat.com/security/data/cve/CVE-2010-3442.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.