Rh Kernel Alert!!! Upgrade Now!!!
Security Advisory - RHSA-2003:025-20
------------------------------------------------------------------------------
Summary:
Updated 2.4 kernel fixes various vulnerabilities
Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now
available that fix an information leak from several ethernet drivers, and
a file system issue.
Description:
The Linux kernel handles the basic functions of the operating system.
Vulnerabilities have been found in version 2.4.18 of the kernel. This
advisory deals with updates to Red Hat Linux 7.1, 7.2, 7.3, and 8.0.
Multiple ethernet Network Interface Card (NIC) device drivers do not pad
frames with null bytes, which allows remote attackers to obtain information
from previous packets or kernel memory by using malformed packets. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0001 to this issue.
A vulnerability exists in O_DIRECT handling in Linux kernels 2.4.10 and
later that can create a limited information leak where any user on the
system with write privileges to a file system can read information from
that file system (from previously deleted files), and can create minor file
system corruption (easily repaired by fsck). Red Hat Linux in its default
configuration is not affected by this bug, because the ext3 file system
(the default file system in Red Hat Linux 7.2 and later) does not support
the O_DIRECT feature. Of the kernels Red Hat has released, only the 2.4.18
kernels have this bug. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0018 to this issue.
Users of the ext2 file system can migrate to the ext3 file system
using the tune2fs program as described in the white paper at
http://www.redhat.com/support/wpapers/redhat/ext3/
All users of Red Hat Linux 7.1, 7.2, 7.3, and 8.0 should upgrade
to these errata packages, which contain patches to ethernet drivers to
remove the information leak and a patch to fix O_DIRECT handling.
In addition, the following drivers are upgraded to support newer hardware:
3c59x, e100, e1000, tg3
References:
http://www.atstake.com/research/advi.../a010603-1.txt
------------------------------------------------------------------------------
-------------
Taking Action
-------------
You may address the issues outlined in this advisory in two ways:
- select your server name by clicking on its name from the list
available at the following location, and then schedule an
errata update for it:
https://rhn.redhat.com/network/syste...ystem_list.pxt
- run the Update Agent on each affected server.
------------------------------------------------------------------------------
Summary:
Updated 2.4 kernel fixes various vulnerabilities
Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now
available that fix an information leak from several ethernet drivers, and
a file system issue.
Description:
The Linux kernel handles the basic functions of the operating system.
Vulnerabilities have been found in version 2.4.18 of the kernel. This
advisory deals with updates to Red Hat Linux 7.1, 7.2, 7.3, and 8.0.
Multiple ethernet Network Interface Card (NIC) device drivers do not pad
frames with null bytes, which allows remote attackers to obtain information
from previous packets or kernel memory by using malformed packets. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0001 to this issue.
A vulnerability exists in O_DIRECT handling in Linux kernels 2.4.10 and
later that can create a limited information leak where any user on the
system with write privileges to a file system can read information from
that file system (from previously deleted files), and can create minor file
system corruption (easily repaired by fsck). Red Hat Linux in its default
configuration is not affected by this bug, because the ext3 file system
(the default file system in Red Hat Linux 7.2 and later) does not support
the O_DIRECT feature. Of the kernels Red Hat has released, only the 2.4.18
kernels have this bug. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0018 to this issue.
Users of the ext2 file system can migrate to the ext3 file system
using the tune2fs program as described in the white paper at
http://www.redhat.com/support/wpapers/redhat/ext3/
All users of Red Hat Linux 7.1, 7.2, 7.3, and 8.0 should upgrade
to these errata packages, which contain patches to ethernet drivers to
remove the information leak and a patch to fix O_DIRECT handling.
In addition, the following drivers are upgraded to support newer hardware:
3c59x, e100, e1000, tg3
References:
http://www.atstake.com/research/advi.../a010603-1.txt
------------------------------------------------------------------------------
-------------
Taking Action
-------------
You may address the issues outlined in this advisory in two ways:
- select your server name by clicking on its name from the list
available at the following location, and then schedule an
errata update for it:
https://rhn.redhat.com/network/syste...ystem_list.pxt
- run the Update Agent on each affected server.
