Issued:

2011-12-13

Updated:

2011-12-13

RHSA-2011:1813 - Important: kernel security and bug fix update

Synopsis

Important: kernel security and bug fix update

Type/Severity

Security Advisory Important

Topic

Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 5.6 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Description

These packages contain the Linux kernel.

This update fixes the following security issues:

• A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service by sending a specially-crafted SCTP packet to a target system. (CVE-2011-2482, Important)

If you do not run applications that use SCTP, you can prevent the sctp module from being loaded by adding the following to the end of the "/etc/modprobe.d/blacklist.conf" file:

blacklist sctp

This way, the sctp module cannot be loaded accidentally, which may occur if an application that requires SCTP is started. A reboot is not necessary for this change to take effect.

• A flaw in the client-side NFS Lock Manager (NLM) implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2491, Important)

• Flaws in the netlink-based wireless configuration interface could allow a local user, who has the CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface. (CVE-2011-2517, Important)

• A flaw was found in the way the Linux kernel's Xen hypervisor implementation emulated the SAHF instruction. When using a fully-virtualized guest on a host that does not use hardware assisted paging (HAP), such as those running CPUs that do not have support for (or those that have it disabled) Intel Extended Page Tables (EPT) or AMD Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), a privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2519, Moderate)

• A flaw in the __addr_ok() macro in the Linux kernel's Xen hypervisor implementation when running on 64-bit systems could allow a privileged guest user to crash the hypervisor. (CVE-2011-2901, Moderate)

• /proc/[PID]/io is world-readable by default. Previously, these files could be read without any further restrictions. A local, unprivileged user could read these files, belonging to other, possibly privileged processes to gather confidential information, such as the length of a password used in a process. (CVE-2011-2495, Low)

Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, and Vasiliy Kulikov of Openwall for reporting CVE-2011-2495.

This update also fixes the following bugs:

• On Broadcom PCI cards that use the tg3 driver, the operational state of a network device, represented by the value in "/sys/class/net/ethX/operstate", was not initialized by default. Consequently, the state was reported as "unknown" when the tg3 network device was actually in the "up" state. This update modifies the tg3 driver to properly set the operstate value. (BZ#744699)

• A KVM (Kernel-based Virtual Machine) guest can get preempted by the host, when a higher priority process needs to run. When a guest is not running for several timer interrupts in a row, ticks could be lost, resulting in the jiffies timer advancing slower than expected and timeouts taking longer than expected. To correct for the issue of lost ticks, do_timer_tsc_timekeeping() checks a reference clock source (kvm-clock when running as a KVM guest) to see if timer interrupts have been missed. If so, jiffies is incremented by the number of missed timer interrupts, ensuring that programs are woken up on time. (BZ#747874)

• When a block device object was allocated, the bd_super field was not being explicitly initialized to NULL. Previously, users of the block device object could set bd_super to NULL when the object was released by calling the kill_block_super() function. Certain third-party file systems do not always use this function, and bd_super could therefore become uninitialized when the object was allocated again. This could cause a kernel panic in the blkdev_releasepage() function, when the uninitialized bd_super field was dereferenced. Now, bd_super is properly initialized in the bdget() function, and the kernel panic no longer occurs. (BZ#751137)

Solution

Users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect.

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/kb/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

Affected Products

Updated Packages

• kernel-headers-2.6.18-238.31.1.el5.ppc.rpm
• kernel-debug-devel-2.6.18-238.31.1.el5.s390x.rpm
• kernel-xen-2.6.18-238.31.1.el5.i686.rpm
• kernel-2.6.18-238.31.1.el5.x86_64.rpm
• kernel-xen-devel-2.6.18-238.31.1.el5.ia64.rpm
• kernel-headers-2.6.18-238.31.1.el5.ia64.rpm
• kernel-PAE-2.6.18-238.31.1.el5.i686.rpm
• kernel-devel-2.6.18-238.31.1.el5.s390x.rpm
• kernel-devel-2.6.18-238.31.1.el5.ia64.rpm
• kernel-PAE-devel-2.6.18-238.31.1.el5.i686.rpm
• kernel-kdump-2.6.18-238.31.1.el5.ppc64.rpm
• kernel-debug-2.6.18-238.31.1.el5.ppc64.rpm
• kernel-devel-2.6.18-238.31.1.el5.x86_64.rpm
• kernel-xen-devel-2.6.18-238.31.1.el5.x86_64.rpm
• kernel-headers-2.6.18-238.31.1.el5.x86_64.rpm
• kernel-doc-2.6.18-238.31.1.el5.noarch.rpm
• kernel-2.6.18-238.31.1.el5.ia64.rpm
• kernel-debug-devel-2.6.18-238.31.1.el5.ia64.rpm
• kernel-debug-2.6.18-238.31.1.el5.x86_64.rpm
• kernel-debug-devel-2.6.18-238.31.1.el5.i686.rpm
• kernel-devel-2.6.18-238.31.1.el5.i686.rpm
• kernel-kdump-devel-2.6.18-238.31.1.el5.ppc64.rpm
• kernel-headers-2.6.18-238.31.1.el5.ppc64.rpm
• kernel-devel-2.6.18-238.31.1.el5.ppc64.rpm
• kernel-headers-2.6.18-238.31.1.el5.s390x.rpm
• kernel-kdump-devel-2.6.18-238.31.1.el5.s390x.rpm
• kernel-headers-2.6.18-238.31.1.el5.i386.rpm
• kernel-debug-2.6.18-238.31.1.el5.s390x.rpm
• kernel-debug-devel-2.6.18-238.31.1.el5.x86_64.rpm
• kernel-xen-devel-2.6.18-238.31.1.el5.i686.rpm
• kernel-kdump-2.6.18-238.31.1.el5.s390x.rpm
• kernel-2.6.18-238.31.1.el5.src.rpm
• kernel-debug-2.6.18-238.31.1.el5.ia64.rpm
• kernel-2.6.18-238.31.1.el5.ppc64.rpm
• kernel-2.6.18-238.31.1.el5.s390x.rpm
• kernel-xen-2.6.18-238.31.1.el5.x86_64.rpm
• kernel-2.6.18-238.31.1.el5.i686.rpm
• kernel-xen-2.6.18-238.31.1.el5.ia64.rpm
• kernel-debug-devel-2.6.18-238.31.1.el5.ppc64.rpm
• kernel-debug-2.6.18-238.31.1.el5.i686.rpm

Fixes

• This content is not included.BZ - 709393
• This content is not included.BZ - 714867
• This content is not included.BZ - 716825
• This content is not included.BZ - 718152
• This content is not included.BZ - 718882
• This content is not included.BZ - 728042

CVEs

• CVE-2011-2517
• CVE-2011-2495
• CVE-2011-2491
• CVE-2011-2519
• CVE-2011-2482
• CVE-2011-2901

References

• https://access.redhat.com/security/updates/classification/#important

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.