Vous êtes ici: index » cert » avis

Avis du CERT RENATER

Par défaut, cette page vous affichera les derniers messages envoyés par le CERT RENATER à la communauté. Vous pouvez affiner par année ou par type de message. Si aucun critère n'est précisé, seuls les derniers messages sont affichés

Date : Tue, 13 Mar 2007 16:22:02 +0100
Type : VULN
Sujet : CERT-Renater : 2007/VULN103 (Mandriva Linux: Updated kernel packages fix multiple vulnerabilities and bugs)
====================================================================                                     CERT-Renater

                          Note d'Information No. 2007/VULN103
_____________________________________________________________________

DATE                      : 13/03/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Linux.

======================================================================

  _______________________________________________________________________

  Mandriva Linux Security Advisory                         MDKSA-2007:060
  http://www.mandriva.com/security/
  _______________________________________________________________________

  Package : kernel
  Date    : March 9, 2007
  Affected: 2006.0, Corporate 4.0
  _______________________________________________________________________

  Problem Description:

  Some vulnerabilities were discovered and corrected in the Linux 2.6
  kernel:

  The 2.6.17 kernel and earlier, when running on IA64 and SPARC platforms
  would allow a local user to cause a DoS (crash) via a malformed ELF file
  (CVE-2006-4538).

  The mincore function in the Linux kernel did not properly lock access to
  user space, which has unspecified impact and attack vectors, possibly
  related to a deadlock (CVE-2006-4814).

  An unspecified vulnerability in the listxattr system call, when a "bad
  inode" is present, could allow a local user to cause a DoS (data
  corruption) and possibly gain privileges via unknown vectors
  (CVE-2006-5753).

  The zlib_inflate function allows local users to cause a crash via a
  malformed filesystem that uses zlib compression that triggers memory
  corruption (CVE-2006-5823).

  The ext3fs_dirhash function could allow local users to cause a DoS
  (crash) via an ext3 stream with malformed data structures
  (CVE-2006-6053).

  When SELinux hooks are enabled, the kernel could allow a local user to
  cause a DoS (crash) via a malformed file stream that triggers a NULL
  pointer derefernece (CVE-2006-6056).

  The key serial number collision avoidance code in the key_alloc_serial
  function in kernels 2.6.9 up to 2.6.20 allows local users to cause a
  crash via vectors thatr trigger a null dereference (CVE-2007-0006).

  The Linux kernel version 2.6.13 to 2.6.20.1 allowed a remote attacker
  to cause a DoS (oops) via a crafted NFSACL2 ACCESS request that
  triggered a free of an incorrect pointer (CVE-2007-0772).

  A local user could read unreadable binaries by using the interpreter
  (PT_INTERP) functionality and triggering a core dump; a variant of
  CVE-2004-1073 (CVE-2007-0958).

  The provided packages are patched to fix these vulnerabilities.  All
  users are encouraged to upgrade to these updated kernels immediately
  and reboot to effect the fixes.

  In addition to these security fixes, other fixes have been included
  such as:

    - add PCI IDs for cciss driver (HP ML370G5 / DL360G5)
    - fixed a mssive SCSI reset on megasas (Dell PE2960)
    - increased port-reset completion delay for HP controllers (HP ML350)
    - NUMA rnage fixes for x86_64
    - various netfilter fixes

  To update your kernel, please follow the directions located at:

    http://www.mandriva.com/en/security/kernelupdate
  _______________________________________________________________________

  References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4538
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4814
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5753
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5823
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6053
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6056
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0006
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0772
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0958
  http://qa.mandriva.com/show_bug.cgi?id(461
  _______________________________________________________________________

  Updated Packages:

  Mandriva Linux 2006.0:
  b7c0334ecb73bb3b14173ef4dcdfa51b  2006.0/i586/kernel-2.6.12.31mdk-1-1mdk.i586.rpm
  8307e34d54134ab5cb41833d1b9d7742 
2006.0/i586/kernel-BOOT-2.6.12.31mdk-1-1mdk.i586.rpm
  d329fdf03e99dfa15b08bb7c2791ed37 
2006.0/i586/kernel-doc-2.6.12.31mdk-1-1mdk.i586.rpm
  3cf6a4198f43493932ea8251d4ee82dc 
2006.0/i586/kernel-i586-up-1GB-2.6.12.31mdk-1-1mdk.i586.rpm
  c03817495740a0e9b1420f0991baf47f 
2006.0/i586/kernel-i686-up-4GB-2.6.12.31mdk-1-1mdk.i586.rpm
  3e96d0ad0b5637d62db5233ca2df7d47 
2006.0/i586/kernel-smp-2.6.12.31mdk-1-1mdk.i586.rpm
  65e1e7c5c155045d52474444870b13d3 
2006.0/i586/kernel-source-2.6.12.31mdk-1-1mdk.i586.rpm
  9b62d79a9503c6f0db71166409c48c39 
2006.0/i586/kernel-source-stripped-2.6.12.31mdk-1-1mdk.i586.rpm
  553faeda754e6007c592aa5ba5c48ea0 
2006.0/i586/kernel-xbox-2.6.12.31mdk-1-1mdk.i586.rpm
  4ee72a08f25d24ee409fdab7c8ec4f17 
2006.0/i586/kernel-xen0-2.6.12.31mdk-1-1mdk.i586.rpm
  53304c8f505a4cbac0ac9a2ff01b379b 
2006.0/i586/kernel-xenU-2.6.12.31mdk-1-1mdk.i586.rpm
  d7a287562aed00fbc8167aa55bbb3bb9  2006.0/SRPMS/kernel-2.6.12.31mdk-1-1mdk.src.rpm

  Mandriva Linux 2006.0/X86_64:
  08d9bfee92615f6bd8b3f71b2756fdaf 
2006.0/x86_64/kernel-2.6.12.31mdk-1-1mdk.x86_64.rpm
  a750f3e67d9a0d6b07711e08f22e647b 
2006.0/x86_64/kernel-BOOT-2.6.12.31mdk-1-1mdk.x86_64.rpm
  20196c168b6bc40f5bebd3ea2c5c82f6 
2006.0/x86_64/kernel-doc-2.6.12.31mdk-1-1mdk.x86_64.rpm
  d65bd5fd54715215d957d2fa412cbe79 
2006.0/x86_64/kernel-smp-2.6.12.31mdk-1-1mdk.x86_64.rpm
  164d4bb97970b852c88a872a70240e55 
2006.0/x86_64/kernel-source-2.6.12.31mdk-1-1mdk.x86_64.rpm
  af11e7ddade582c262d9281c965c25d8 
2006.0/x86_64/kernel-source-stripped-2.6.12.31mdk-1-1mdk.x86_64.rpm
  53cdf75192bc3a626ad68f9dfd90769d 
2006.0/x86_64/kernel-xen0-2.6.12.31mdk-1-1mdk.x86_64.rpm
  c9299e6bf5fc41af71fbd03ebd80b151 
2006.0/x86_64/kernel-xenU-2.6.12.31mdk-1-1mdk.x86_64.rpm
  d7a287562aed00fbc8167aa55bbb3bb9  2006.0/SRPMS/kernel-2.6.12.31mdk-1-1mdk.src.rpm

  Corporate 4.0:
  71a9ce7e6ad36f939ae4585a5446e2ce 
corporate/4.0/i586/kernel-2.6.12.31mdk-1-1mdk.i586.rpm
  b3682d92693d4d7481540b2412128ee3 
corporate/4.0/i586/kernel-BOOT-2.6.12.31mdk-1-1mdk.i586.rpm
  375a99017c6032af0fbf53c6e2ac0f9e 
corporate/4.0/i586/kernel-doc-2.6.12.31mdk-1-1mdk.i586.rpm
  7ef9e2dce86995c5054f0f81587bae14 
corporate/4.0/i586/kernel-i586-up-1GB-2.6.12.31mdk-1-1mdk.i586.rpm
  8e4861bfc6150a73f331010b242505f5 
corporate/4.0/i586/kernel-i686-up-4GB-2.6.12.31mdk-1-1mdk.i586.rpm
  fc5b1a7d5b45e9b6f94d1b75a2b252cd 
corporate/4.0/i586/kernel-smp-2.6.12.31mdk-1-1mdk.i586.rpm
  f616f5a779f3be6febf27506deea96ca 
corporate/4.0/i586/kernel-source-2.6.12.31mdk-1-1mdk.i586.rpm
  2bc31f06ab60d5f5c09b522ba275c35e 
corporate/4.0/i586/kernel-source-stripped-2.6.12.31mdk-1-1mdk.i586.rpm
  c450285103a7742c8505cce505b6cb30 
corporate/4.0/i586/kernel-xbox-2.6.12.31mdk-1-1mdk.i586.rpm
  16b35579daacc6bef494c140e0332910 
corporate/4.0/i586/kernel-xen0-2.6.12.31mdk-1-1mdk.i586.rpm
  957962b563ad39490ac49ee1f328d2d3 
corporate/4.0/i586/kernel-xenU-2.6.12.31mdk-1-1mdk.i586.rpm
  20b9766dbaf813ba017fe3884771a80b 
corporate/4.0/SRPMS/kernel-2.6.12.31mdk-1-1mdk.src.rpm

  Corporate 4.0/X86_64:
  8bdd8e4d2d3ab03ff666b7588ec011f6 
corporate/4.0/x86_64/kernel-2.6.12.31mdk-1-1mdk.x86_64.rpm
  7e3081d6804343fcc51a2ce06836081e 
corporate/4.0/x86_64/kernel-BOOT-2.6.12.31mdk-1-1mdk.x86_64.rpm
  bb6a57a5ad26361394ff00db94f8f5e3 
corporate/4.0/x86_64/kernel-doc-2.6.12.31mdk-1-1mdk.x86_64.rpm
  9aae4c3ce22091d4ca787a41a11231ff 
corporate/4.0/x86_64/kernel-smp-2.6.12.31mdk-1-1mdk.x86_64.rpm
  8ce06bd6a4144757828d29d83a690827 
corporate/4.0/x86_64/kernel-source-2.6.12.31mdk-1-1mdk.x86_64.rpm
  70757f12ac8d99d5881a4c6becbd2503 
corporate/4.0/x86_64/kernel-source-stripped-2.6.12.31mdk-1-1mdk.x86_64.rpm
  d3e1f96967bf0a5351d51ede84f078ca 
corporate/4.0/x86_64/kernel-xen0-2.6.12.31mdk-1-1mdk.x86_64.rpm
  6931563b47316f8572f0cd4cb0ebd3e1 
corporate/4.0/x86_64/kernel-xenU-2.6.12.31mdk-1-1mdk.x86_64.rpm
  20b9766dbaf813ba017fe3884771a80b 
corporate/4.0/SRPMS/kernel-2.6.12.31mdk-1-1mdk.src.rpm
  _______________________________________________________________________

  To upgrade automatically use MandrivaUpdate or urpmi.  The verification
  of md5 checksums and GPG signatures is performed automatically for you.

  All packages are signed by Mandriva for security.  You can obtain the
  GPG public key of the Mandriva Security Team by executing:

   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

  You can view other update advisories for Mandriva Linux at:

   http://www.mandriva.com/security/advisories

  If you want to report vulnerabilities, please contact

   security_(at)_mandriva.com
  _______________________________________________________________________

  Type Bits/KeyID     Date       User ID
  pub  1024D/22458A98 2000-07-10 Mandriva Security Team
   

======================================================================

            =========================================================
            Les serveurs de référence du CERT-Renater
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================