LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 04-12-2006, 07:46 PM   #16
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371

This post is just a bump, so that all thread subscribers are made aware of the two updates which were made to the previous post yesterday (UPDATE #1) and today (UPDATE #2).

Last edited by win32sux; 04-14-2006 at 03:05 AM.
 
Old 04-18-2006, 06:14 AM   #17
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.6 was released about 13 hours ago. As can be seen in the ChangeLog, it included a fair number of bugfix patches (23 commits since 2.6.16.5 was released). One of these patches was indeed assigned a CVE ID. In Hugh Dickins' (patch author) own words:
Quote:
I found that all of 2.4 and 2.6 have been letting mprotect give write permission to a readonly attachment of shared memory, whether or not IPC would give the caller that permission.
View Commit

About two hours after the release of 2.6.16.6, the code was patched once again by Hugh Dickins - and Linux 2.6.16.7 was released.

This is CVE-2006-1524.

Last edited by win32sux; 04-18-2006 at 06:28 AM.
 
Old 04-18-2006, 07:38 PM   #18
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.8 has been released. From the ChangeLog:
Quote:
This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
The bug is caused by ip_route_input dereferencing skb->nh.protocol of the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing it). It only happens if the route requested is for a multicast IP address.
This is CVE-2006-1525.

Last edited by win32sux; 04-18-2006 at 07:40 PM.
 
Old 04-19-2006, 07:55 AM   #19
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.9 has been released. From the ChangeLog:
Quote:
AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE when an exception is pending. This means the value leak through context switches and allow processes to observe some x87 instruction state of other processes.
This is CVE-2006-1056.
 
Old 04-20-2006, 02:16 PM   #20
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel perfmon Local Denial of Service Vulnerability (Not Critical)

Quote:
Description:
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in perfmon (perfmon.c) during exit processing and may cause a crash when a task is interrupted while another process is accessing the "mm_struct" structure.

Solution:
Secunia is currently not aware of an official version addressing this.
Secunia Advisory

This is CVE-2006-0558.
 
Old 04-28-2006, 05:15 PM   #21
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel CIFS chroot Directory Traversal Vulnerability (Not Critical)

Quote:
Description:
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.

The vulnerability is caused due to an input validation error in the CIFS mounted filesystem. This can be exploited to bypass chroot restrictions via the "..\\" directory traversal sequences.

The vulnerability has been reported in versions prior to 2.6.16.11.

Solution:
Update to version 2.6.16.11.
Secunia Advisory

This is CVE-2006-1863.

Last edited by win32sux; 04-28-2006 at 05:16 PM.
 
Old 04-28-2006, 05:19 PM   #22
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel SMBFS chroot Directory Traversal Vulnerability (Not Critical)

Quote:
Description:
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.

The vulnerability is caused due to an input validation error in the SMBFS mounted filesystem. This can be exploited to bypass chroot restrictions via the "..\\" directory traversal sequences.

Solution:
Restrict access to affected systems.

Secunia is currently not aware of an official version addressing this.
Secunia Advisory

This is CVE-2006-1864.
 
Old 05-02-2006, 07:36 PM   #23
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.13 has been released. It fixes a Netfilter vulnerability.

From the git commit:
Quote:
[NETFILTER]: SCTP conntrack: fix infinite loop

fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to
guarantee progress of for_each_sctp_chunk(). (all other uses of
for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix
should be complete.)
This is CVE-2006-1527.
 
Old 05-05-2006, 08:10 AM   #24
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.14 has been released. It fixes a smbfs chroot vulnerability.

From the ChangeLog:
Quote:
Mark Moseley reported that a chroot environment on a SMB share can be left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for smbfs.
This is CVE-2006-1864.
 
Old 05-09-2006, 08:50 AM   #25
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
SCTP Denial of Service Vulnerabilities (Moderately Critical)

Quote:
Description:
Mu Security research team has reported two vulnerabilities in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) An incorrect use of state table entries in the SCTP code when certain ECNE chunks are received in CLOSED state can be exploited to cause kernel panic via a specially crafted packet.

2) An error in the handling of incoming IP-fragmented SCTP control chunks can be exploited to cause kernel panic via specially crafted packets.

The vulnerabilities have been reported in version 2.6.16. Other versions may also be affected.

Solution:
The vulnerabilities have been fixed in the CVS repositories, and will reportedly be fixed in version 2.6.17.
Secunia Advisory


Patches for this can be found here:

http://git.kernel.org/git/?p=linux/k...60e84637bc432e

http://git.kernel.org/git/?p=linux/k...dd1d8191a6e813
 
Old 05-09-2006, 04:33 PM   #26
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.15 has been released. It consists of these SCTP patches:

Quote:
Prevent possible infinite recursion with multiple bundled DATA.
CVE-2006-2274 | Commit


Quote:
Allow spillover of receive buffer to avoid deadlock.
CVE-2006-2275 | Commit


Quote:
Fix state table entries for chunks received in CLOSED state.
CVE-2006-2271 | Commit


Quote:
Fix panic's when receiving fragmented SCTP control chunks.
CVE-2006-2272 | Commit


The ChangeLog is available here.

Last edited by win32sux; 05-09-2006 at 04:50 PM.
 
Old 05-10-2006, 11:33 PM   #27
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.16 has been released. It's a basically a patch for CVE-2006-1860.

From the ChangeLog:
Quote:
It is insane to be giving lease_init() the task of freeing the lock it is
supposed to initialise, given that the lock is not guaranteed to be
allocated on the stack. This causes lockups in fcntl_setlease().
 
Old 05-20-2006, 08:26 PM   #28
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.17 has been released.

The ChangeLog shows three CVE issues (among other things) are addressed:

Quote:
SCTP: Validate the parameter length in HB-ACK chunk

If SCTP receives a badly formatted HB-ACK chunk, it is possible
that we may access invalid memory and potentially have a buffer
overflow. We should really make sure that the chunk format is
what we expect, before attempting to touch the data.
CVE-2006-1857


Quote:
SCTP: Respect the real chunk length when walking parameters

When performing bound checks during the parameter processing, we
want to use the real chunk and paramter lengths for bounds instead
of the rounded ones. This prevents us from potentially walking of
the end if the chunk length was miscalculated. We still use rounded
lengths when advancing the pointer. This was found during a
conformance test that changed the chunk length without modifying
parameters.
CVE-2006-1858


Quote:
Netfilter: do_add_counters race, possible oops or info leak

Solar Designer found a race condition in do_add_counters(). The beginning
of paddc is supposed to be the same as tmp which was sanity-checked
above, but it might not be the same in reality. In case the integer
overflow and/or the race condition are triggered, paddc->num_counters
might not match the allocation size for paddc. If the check below
(t->private->number != paddc->num_counters) nevertheless passes (perhaps
this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
would read kernel memory beyond the allocation size, potentially causing
an oops or leaking sensitive data (e.g., passwords from host system or
from another VPS) via counter increments. This requires CAP_NET_ADMIN.
CVE-2006-0039

Last edited by win32sux; 05-20-2006 at 08:35 PM.
 
Old 05-22-2006, 07:09 PM   #29
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.18 has been released.

The ChangeLog shows it consists of a single patch for a Netfilter SNMP NAT issue:
Quote:
Fix memory corruption caused by snmp_trap_decode:

- When snmp_trap_decode fails before the id and address are allocated,
the pointers contain random memory, but are freed by the caller
(snmp_parse_mangle).

- When snmp_trap_decode fails after allocating just the ID, it tries
to free both address and ID, but the address pointer still contains
random memory. The caller frees both ID and random memory again.

- When snmp_trap_decode fails after allocating both, it frees both,
and the callers frees both again.

The corruption can be triggered remotely when the ip_nat_snmp_basic
module is loaded and traffic on port 161 or 162 is NATed.
This is CVE-2006-2444.
 
Old 05-31-2006, 12:22 PM   #30
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.16.19 has been released.

The ChangeLog shows it consists of a Netfilter information disclosure patch:
Quote:
Fix small information leak in SO_ORIGINAL_DST

It appears that sockaddr_in.sin_zero is not zeroed during
getsockopt(...SO_ORIGINAL_DST...) operation. This can lead
to an information leak.
This is CVE-2006-1343.

Last edited by win32sux; 05-31-2006 at 12:24 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Kernel 2.4 in Zipslack (Waring: unable to open an initial console | Kernel Panic...) kurtamos Linux - General 2 05-10-2006 01:58 PM
Kernel-Patch Debian Logo 2.6.2 not correctly working for custom kernel 2.6.11 smp deepclutch Debian 3 06-27-2005 04:59 AM
kernel panic: try passing init= option to kernel...installation with Red Hat 9 kergen Linux - Hardware 1 09-30-2004 04:28 AM
are there any vulns for kernel 2.6.5? trax Linux - Security 2 04-24-2004 05:10 PM
snort rules to vulns not yet published zuessh Linux - Security 1 02-12-2004 03:17 PM


All times are GMT -5. The time now is 12:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration