Posted: Fri Mar 17, 2006 5:54 pm
---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated kernel packages fix security issues
Advisory ID: FLSA:157459-4
Issue date: 2006-03-16
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2002-2185 CVE-2005-2709 CVE-2005-3044
CVE-2005-3274 CVE-2005-3356 CVE-2005-3358
CVE-2005-3527 CVE-2005-3784 CVE-2005-3805
CVE-2005-3806 CVE-2005-3807 CVE-2005-3857
CVE-2005-4605 CVE-2006-0095 CVE-2006-0454
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated kernel packages that fix several security issues are now
available.

The Linux kernel handles the basic functions of the operating system.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

These new kernel packages contain fixes for the security issues
described below:

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)

- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)

- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed
a local user to cause a denial of service (crash) (CVE-2005-3044)

- a race condition in ip_vs_conn_flush that allowed a local user to
cause a denial of service (CVE-2005-3274)

- a flaw in mq_open system call that allowed a local user to cause a
denial of service (crash) (CVE-2005-3356)

- a flaw in set_mempolicy that allowed a local user on some 64-bit
architectures to cause a denial of service (crash) (CVE-2005-3358)

- a race condition in do_coredump in signal.c that allowed a local user
to cause a denial of service (crash) (CVE-2005-3527)

- a flaw in the auto-reap of child processes that allowed a local user
to cause a denial of service (crash) (CVE-2005-3784)

- a flaw in the POSIX timer cleanup handling that allowed a local user
to cause a denial of service (crash) (CVE-2005-3805)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a memory leak in the VFS file lease handling that allowed a local user
to cause a denial of service (CVE-2005-3807)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

- a flaw in procfs handling that allowed a local user to read kernel
memory (CVE-2005-4605)

- a memory disclosure flaw in dm-crypt that allowed a local user to
obtain sensitive information about a cryptographic key (CVE-2006-0095)

- a flaw while constructing an ICMP response that allowed remote users
to cause a denial of service (crash) (CVE-2006-0454)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To install kernel packages manually, use "rpm -ivh <package>" and modify
system settings to boot the kernel you have installed. To do this, edit
/boot/grub/grub.conf and change the default entry to "default=0" (or, if
you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and
run lilo).

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

Note that this may not automatically pull the new kernel in if you have
configured apt/yum to ignore kernels. If so, follow the manual
instructions above.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/sh ... ?id=157459

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora ... C3.src.rpm

i386:
http://download.fedoralegacy.org/fedora ... 3.i586.rpm
http://download.fedoralegacy.org/fedora ... 3.i686.rpm
http://download.fedoralegacy.org/fedora ... noarch.rpm
http://download.fedoralegacy.org/fedora ... 3.i586.rpm
http://download.fedoralegacy.org/fedora ... 3.i686.rpm

x86_64:
http://download.fedoralegacy.org/fedora ... x86_64.rpm
http://download.fedoralegacy.org/fedora ... noarch.rpm
http://download.fedoralegacy.org/fedora ... x86_64.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2002-2185
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-2709
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3044
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3274
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3356
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3358
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3527
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3784
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3805
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3806
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3807
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-3857
http://cve.mitre.org/cgi-bin/cvename.cg ... -2005-4605
http://cve.mitre.org/cgi-bin/cvename.cg ... -2006-0095
http://cve.mitre.org/cgi-bin/cvename.cg ... -2006-0454

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
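The sha1sum check from section 7 of the advisory, applied to a whole download directory at once. This is an added example, not part of the advisory or of Fedora Legacy's tooling: it reads a checksum list as it arrives in a wrapped advisory e-mail (SHA1 on one line, package path on the next) and reports each package as OK, MISMATCH or MISSING. The function names and the demo file names are hypothetical, and the sample data is constructed.

```shell
# Added example, not advisory code. Checks downloaded packages against a SHA1
# list pasted from a wrapped advisory e-mail: hash on one line, path on the next.
is_sha1() {  # true if $1 is exactly 40 hex digits
    [ "${#1}" -eq 40 ] || return 1
    case $1 in *[!0-9a-fA-F]*) return 1 ;; esac
}
# verify_manifest MANIFEST DIR (hypothetical helper name)
# Prints OK / MISMATCH / MISSING per package; returns 0 only if all are OK.
verify_manifest() {
    vm_want='' vm_rc=0 vm_cr=$(printf '\r')
    while read -r vm_line || [ -n "$vm_line" ]; do
        vm_line=${vm_line%"$vm_cr"}          # tolerate CRLF from mail clients
        [ -n "$vm_line" ] || continue
        if is_sha1 "$vm_line"; then          # remember the hash, wait for its path
            vm_want=$(printf '%s' "$vm_line" | tr 'A-F' 'a-f')
            continue
        fi
        [ -n "$vm_want" ] || continue        # header or rule line: no pending hash
        vm_name=${vm_line##*/}               # list gives a repo path; keep the basename
        if [ ! -f "$2/$vm_name" ]; then
            echo "MISSING  $vm_name"; vm_rc=1
        elif [ "$(sha1sum "$2/$vm_name" | cut -d' ' -f1)" = "$vm_want" ]; then
            echo "OK       $vm_name"
        else
            echo "MISMATCH $vm_name"; vm_rc=1
        fi
        vm_want=''
    done < "$1"
    return "$vm_rc"
}
# Constructed demo data: plain bytes named like packages, not real RPMs.
make_sample() {
    printf 'abc' > "$1/demo-good-1.0.noarch.rpm"
    printf 'abd' > "$1/demo-altered-1.0.noarch.rpm"
    cat > "$1/manifest.txt" <<'EOF'
SHA1 sum                                 Package Name
a9993e364706816aba3e25717850c26c9cd0d89d
   demo/updates/noarch/demo-good-1.0.noarch.rpm
a9993e364706816aba3e25717850c26c9cd0d89d
   demo/updates/noarch/demo-altered-1.0.noarch.rpm
da39a3ee5e6b4b0d3255bfef95601890afd80709
   demo/updates/noarch/demo-absent-1.0.noarch.rpm
EOF
}
demo_dir=$(mktemp -d) && make_sample "$demo_dir"
verify_manifest "$demo_dir/manifest.txt" "$demo_dir" || echo "verification failed: do not install"
rm -rf "$demo_dir"
```

A matching checksum only shows that the file agrees with the list you pasted, so run `rpm --checksig -v` on each package as well to check the GPG signature against the Fedora Legacy key.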

