SUSE Security Announcement
Package: kernel
Announcement ID: SUSE-SA:2008:030
Date: Fri, 20 Jun 2008 14:00:00 +0000
Affected Products: openSUSE 10.2
openSUSE 10.3
Vulnerability Type: remote denial of service
Severity (1-10): 9
SUSE Default Package: yes
Cross-References: CVE-2007-5500, CVE-2007-5904, CVE-2007-6206
CVE-2007-6282, CVE-2007-6712, CVE-2008-0600
CVE-2008-1367, CVE-2008-1375, CVE-2008-1615
CVE-2008-1669, CVE-2008-2136, CVE-2008-2148
CVE-2008-2358...
Content of This Advisory:
1) Security Vulnerability Resolved:
Linux kernel security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The Linux kernel was updated on openSUSE 10.2 and 10.3 to fix the following security problems:
CVE-2008-2136: A problem in SIT IPv6 tunnel handling could be used by remote attackers to immediately crash the machine.
CVE-2007-6282: A remote attacker could crash the IPSec/IPv6 stack by sending a bad ESP packet. This requires the host to be able to receive such packets (filtered by the firewall by default).
CVE-2007-5904: A remote buffer overflow in CIFS was fixed, which could potentially be used by remote attackers to crash the machine or execute code.
CVE-2008-1615: On x86_64, a denial of service attack could be used by local attackers to immediately panic / crash the machine.
CVE-2008-2358: A security problem in DCCP was fixed, which could be used by remote attackers to crash the machine. Only a fix for openSUSE 10.2 was necessary.
CVE-2008-2148: The permission checking in sys_utimensat was incorrect, and local attackers could change the file times of files they do not own to the current time.
CVE-2007-6206: An information leak during core dumping of root processes was fixed. This problem was already fixed for openSUSE 10.3 previously and is now fixed for openSUSE 10.2.
CVE-2007-6712: An integer overflow in the hrtimer_forward function (hrtimer.c) in the Linux kernel, when running on 64-bit systems, allows local users to cause a denial of service (infinite loop) via a timer with a large expiry value, which causes the timer to always be expired.
CVE-2008-1669: Fixed an SMP ordering problem in fcntl_setlk which could potentially allow local attackers to execute code by timing file locking.
CVE-2008-1367: Clear the "direction" flag before calling signal handlers. For specific, not yet identified programs under specific timing conditions this could potentially have caused memory corruption or code execution.
CVE-2008-1375: Fixed a dnotify race condition, which could be used by local attackers to potentially execute code.
CVE-2007-5500: A ptrace bug could be used by local attackers to hang their own processes indefinitely.
Also, various non-security bugs were fixed; please see the RPM changelogs.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please restart the machine after installing the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package.
x86 Platform:
openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/kernel-bigsmp-2.6.22.18-0.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/kernel-debug-2.6.22.18-0.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/kernel-default-2.6.22.18-0.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/kernel-source-2.6.22.18-0.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/kernel-syms-2.6.22.18-0.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/kernel-xen-2.6.22.18-0.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/kernel-xenpae-2.6.22.18-0.2.i586.rpm
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-bigsmp-2.6.18.8-0.10.i586.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-default-2.6.18.8-0.10.i586.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-kdump-2.6.18.8-0.10.i586.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-source-2.6.18.8-0.10.i586.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-syms-2.6.18.8-0.10.i586.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-xen-2.6.18.8-0.10.i586.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/kernel-xenpae-2.6.18.8-0.10.i586.rpm
Power PC Platform:
openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/kernel-default-2.6.22.18-0.2.ppc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/kernel-kdump-2.6.22.18-0.2.ppc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/kernel-ppc64-2.6.22.18-0.2.ppc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/kernel-source-2.6.22.18-0.2.ppc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/ppc/kernel-syms-2.6.22.18-0.2.ppc.rpm
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-default-2.6.18.8-0.10.ppc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-iseries64-2.6.18.8-0.10.ppc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-kdump-2.6.18.8-0.10.ppc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-ppc64-2.6.18.8-0.10.ppc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-source-2.6.18.8-0.10.ppc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/ppc/kernel-syms-2.6.18.8-0.10.ppc.rpm
x86-64 Platform:
openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/kernel-debug-2.6.22.18-0.2.x86_64.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/kernel-default-2.6.22.18-0.2.x86_64.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/kernel-source-2.6.22.18-0.2.x86_64.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/kernel-syms-2.6.22.18-0.2.x86_64.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/kernel-xen-2.6.22.18-0.2.x86_64.rpm
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/kernel-default-2.6.18.8-0.10.x86_64.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/kernel-kdump-2.6.18.8-0.10.x86_64.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/kernel-source-2.6.18.8-0.10.x86_64.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/kernel-syms-2.6.18.8-0.10.x86_64.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/kernel-xen-2.6.18.8-0.10.x86_64.rpm
Sources:
openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/kernel-bigsmp-2.6.22.18-0.2.nosrc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/kernel-debug-2.6.22.18-0.2.nosrc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/kernel-default-2.6.22.18-0.2.nosrc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/kernel-kdump-2.6.22.18-0.2.nosrc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/kernel-ppc64-2.6.22.18-0.2.nosrc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/kernel-source-2.6.22.18-0.2.src.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/kernel-syms-2.6.22.18-0.2.src.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/kernel-xen-2.6.22.18-0.2.nosrc.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/kernel-xenpae-2.6.22.18-0.2.nosrc.rpm
openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-bigsmp-2.6.18.8-0.10.nosrc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-default-2.6.18.8-0.10.nosrc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-iseries64-2.6.18.8-0.10.nosrc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-kdump-2.6.18.8-0.10.nosrc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-ppc64-2.6.18.8-0.10.nosrc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-source-2.6.18.8-0.10.src.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-syms-2.6.18.8-0.10.src.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-xen-2.6.18.8-0.10.nosrc.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/kernel-xenpae-2.6.18.8-0.10.nosrc.rpm
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement are guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@xxxxxxx>"
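The verification step in this section and the manual rpm -Fhv procedure in Section 4 can be scripted so that no package is installed before the announcement and the packages themselves have been checked. The script below is an added example and is not part of the SUSE advisory or of SUSE's own tooling. It assumes gpg and rpm are on the path and that the SUSE signing key has been imported into both the GnuPG keyring and the RPM database; the key ID 3D25D3D9 and the gpg --verify / rpm -Fhv command lines are taken from the advisory, while the file names, the sample gpg output and the reboot check (which goes beyond the advisory's "restart the machine" by comparing the running kernel with the installed kernel package) are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the SUSE advisory: verify the signature on a
# saved announcement, check the RPM package signatures, apply the update
# with rpm -Fhv, and report whether the reboot the advisory asks for is
# still pending. Key ID 3D25D3D9 and the command lines come from the
# advisory; file names and the sample gpg output below are constructed.

EXPECTED_KEYID="3D25D3D9"

# Return 0 only if gpg output reports a good signature made with the
# expected key ID. The text is matched in the shape the advisory shows;
# a "BAD signature" line or a different key ID fails the check.
check_gpg_output() {
    output="$1"
    keyid="$2"
    printf '%s\n' "$output" | grep -q 'BAD signature' && return 1
    printf '%s\n' "$output" | grep -q 'Good signature' || return 1
    printf '%s\n' "$output" | grep -q "key ID ${keyid}" || return 1
    return 0
}

# Run gpg on the announcement saved as text and apply the check above.
verify_announcement() {
    gpg_out=$(gpg --verify "$1" 2>&1) || return 1
    check_gpg_output "$gpg_out" "$EXPECTED_KEYID"
}

# rpm --checksig verifies each package's digest and GPG signature against
# the keys imported into the RPM database and exits non-zero on failure.
verify_rpms() {
    for f in "$@"; do
        rpm --checksig "$f" || { echo "signature check failed: $f" >&2; return 1; }
    done
}

# Freshen (-F) only packages that are already installed, as the advisory
# instructs, and only after every package passed the signature check.
apply_update() {
    verify_rpms "$@" || return 1
    rpm -Fhv "$@"
}

# The running kernel (uname -r, e.g. 2.6.22.18-0.2-default) must start with
# the installed package's version-release (e.g. 2.6.22.18-0.2) followed by
# the flavor suffix; otherwise the machine is still on the old kernel.
running_kernel_matches() {
    running="$1"
    installed="$2"
    case "$running" in
        "$installed"-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 (and prints why) when a reboot is still needed for the given
# kernel flavor package, e.g. kernel-default.
reboot_needed() {
    flavor="${1:-default}"
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "kernel-$flavor" 2>/dev/null | tail -n 1) || return 1
    if running_kernel_matches "$(uname -r)" "$installed"; then
        echo "running kernel $(uname -r) matches installed kernel-$flavor $installed"
        return 1
    fi
    echo "reboot needed: running $(uname -r), installed kernel-$flavor $installed"
    return 0
}

# Constructed sample gpg output in the shape the advisory shows.
SAMPLE_GOOD='gpg: Signature made Fri Jun 20 14:00:00 2008 UTC using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@xxxxxxx>"'
SAMPLE_BAD='gpg: Signature made Fri Jun 20 14:00:00 2008 UTC using RSA key ID 3D25D3D9
gpg: BAD signature from "SuSE Security Team <security@xxxxxxx>"'
SAMPLE_WRONG_KEY='gpg: Signature made Fri Jun 20 14:00:00 2008 UTC using RSA key ID 00000000
gpg: Good signature from "Someone Else <someone@example.org>"'

# usage: sh advisory-update.sh saved-announcement.txt kernel-*.rpm
main() {
    announcement="$1"
    shift
    verify_announcement "$announcement" || { echo "announcement signature did not verify" >&2; exit 1; }
    apply_update "$@" || exit 1
    reboot_needed default || true
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The key ID check matters because "Good signature" on its own only says the data matches some key in your keyring; tying it to the key ID the advisory names rejects an announcement signed with an unrelated key. gpg still prints a warning when that key is not certified in your web of trust, which this text match does not catch, so import the SUSE key from a source you trust and check its fingerprint once. rpm --checksig likewise only reports OK for keys already imported into the RPM database.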
Original Article:
http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00006.html