Mandriva- Advisories MDKSA-2007:171: Updated kernel packages fix multiple vulnerabilities and bugs

[Mandriva]

Advisories MDKSA-2007:171: Updated kernel packages fix multiple vulnerabilities and bugs
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The Linux kernel did not properly save or restore EFLAGS during a
context switch, or reset the flags when creating new threads, which
allowed local users to cause a denial of service (process crash)
(CVE-2006-5755).

The compat_sys_mount function in fs/compat.c allowed local users
to cause a denial of service (NULL pointer dereference and oops)
by mounting a smbfs file system in compatibility mode (CVE-2006-7203).

The nfnetlink_log function in netfilter allowed an attacker to cause a
denial of service (crash) via unspecified vectors which would trigger
a NULL pointer dereference (CVE-2007-1496).

The nf_conntrack function in netfilter did not set nfctinfo during
reassembly of fragmented packets, which left the default value as
IP_CT_ESTABLISHED and could allow remote attackers to bypass certain
rulesets using IPv6 fragments (CVE-2007-1497).

The netlink functionality did not properly handle NETLINK_FIB_LOOKUP
replies, which allowed a remote attacker to cause a denial of service
(resource consumption) via unspecified vectors, probably related to
infinite recursion (CVE-2007-1861).

A typo in the Linux kernel caused RTA_MAX to be used as an array size
instead of RTN_MAX, which lead to an out of bounds access by certain
functions (CVE-2007-2172).

The IPv6 protocol allowed remote attackers to cause a denial of
service via crafted IPv6 type 0 route headers that create network
amplification between two routers (CVE-2007-2242).

The random number feature did not properly seed pools when there was
no entropy, or used an incorrect cast when extracting entropy, which
could cause the random number generator to provide the same values
after reboots on systems without an entropy source (CVE-2007-2453).

A memory leak in the PPPoE socket implementation allowed local users
to cause a denial of service (memory consumption) by creating a
socket using connect, and releasing it before the PPPIOCGCHAN ioctl
is initialized (CVE-2007-2525).

An integer underflow in the cpuset_tasks_read function, when the cpuset
filesystem is mounted, allowed local users to obtain kernel memory
contents by using a large offset when reading the /dev/cpuset/tasks
file (CVE-2007-2875).

The sctp_new function in netfilter allowed remote attackers to cause
a denial of service by causing certain invalid states that triggered
a NULL pointer dereference (CVE-2007-2876).

In addition to these security fixes, other fixes have been included
such as:

- Fix crash on netfilter when nfnetlink_log is used on certain
hooks on packets forwarded to or from a bridge
- Fixed busy sleep on IPVS which caused high load averages
- Fixed possible race condition on ext[34]_link
- Fixed missing braces in condition block that led to wrong behaviour
in NFS
- Fixed XFS lock deallocation that resulted in oops when unmounting

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate
http://mandrivausers.org/index.php?showtopic=43313
Array
Tue, 28 Aug 2007 19:15:10 +0000