   openSUSE Security Update: SLE11 SP1
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2011:0159-1
Rating:             important
References:         #466279 #552250 #564423 #602969 #620929 #622868
                    #623393 #625965 #629170 #630970 #632317 #633026
                    #636435 #638258 #640850 #642309 #643266 #643513
                    #648647 #648701 #648916 #649473 #650067 #650366
                    #650748 #651152 #652391 #655220 #655278 #655964
                    #657248 #657763 #658037 #658254 #658337 #658353
                    #658461 #658551 #658720 #659101 #659394 #659419
                    #660546 #661605 #661945 #662031 #662192 #662202
                    #662212 #662335 #662340 #662360 #662673 #662722
                    #662800 #662931 #662945 #663537 #663582 #663706
                    #664149 #664463 #665480 #665499 #665524 #665663
                    #666012 #666893 #668545 #668633 #668929 #670129
                    #670577 #670864 #671256 #671274 #671483 #672292
                    #672492 #672499 #672524 #674735
Cross-References:   CVE-2010-2943 CVE-2010-3699 CVE-2010-3705
                    CVE-2010-3858 CVE-2010-3875 CVE-2010-3876
                    CVE-2010-3877 CVE-2010-4075 CVE-2010-4076
                    CVE-2010-4077 CVE-2010-4163 CVE-2010-4243
                    CVE-2010-4342 CVE-2010-4346 CVE-2010-4526
                    CVE-2010-4527 CVE-2010-4529 CVE-2010-4650
                    CVE-2010-4668 CVE-2011-0006 CVE-2011-0710
                    CVE-2011-0711 CVE-2011-0712
Affected Products:
                    SLE 11 SERVER Unsupported Extras
______________________________________________________________________________

   An update that solves 23 vulnerabilities and has 59 fixes
   is now available.

Description:

   The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to
   2.6.32.29 and fixes various bugs and security issues.

   CVE-2010-3875: The ax25_getname function in net/ax25/af_ax25.c in
   the Linux kernel did not initialize a certain structure, which
   allowed local users to obtain potentially sensitive information
   from kernel stack memory by reading a copy of this structure.

   CVE-2010-3876: net/packet/af_packet.c in the Linux kernel did not
   properly initialize certain structure members, which allowed local
   users to obtain potentially sensitive information from kernel stack
   memory by leveraging the CAP_NET_RAW capability to read copies of
   the applicable structures.

   CVE-2010-3877: The get_name function in net/tipc/socket.c in the
   Linux kernel did not initialize a certain structure, which allowed
   local users to obtain potentially sensitive information from kernel
   stack memory by reading a copy of this structure.

   CVE-2010-3705: The sctp_auth_asoc_get_hmac function in
   net/sctp/auth.c in the Linux kernel did not properly validate the
   hmac_ids array of an SCTP peer, which allowed remote attackers to
   cause a denial of service (memory corruption and panic) via a
   crafted value in the last element of this array.

   CVE-2011-0711: A stack memory information leak in the xfs
   FSGEOMETRY_V1 ioctl was fixed.

   CVE-2011-0712: Multiple buffer overflows in the caiaq Native
   Instruments USB audio functionality in the Linux kernel might have
   allowed attackers to cause a denial of service or possibly have
   unspecified other impact via a long USB device name, related to
   (1) the snd_usb_caiaq_audio_init function in
   sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init
   function in sound/usb/caiaq/midi.c.

   CVE-2011-0710: The task_show_regs function in
   arch/s390/kernel/traps.c in the Linux kernel on the s390 platform
   allowed local users to obtain the values of the registers of an
   arbitrary process by reading a status file under /proc/.

   CVE-2010-2943: The xfs implementation in the Linux kernel did not
   look up inode allocation btrees before reading inode buffers, which
   allowed remote authenticated users to read unlinked files, or read
   or overwrite disk blocks that are currently assigned to an active
   file but were previously assigned to an unlinked file, by accessing
   a stale NFS filehandle.

   CVE-2010-4075: The uart_get_count function in
   drivers/serial/serial_core.c in the Linux kernel did not properly
   initialize a certain structure member, which allowed local users to
   obtain potentially sensitive information from kernel stack memory
   via a TIOCGICOUNT ioctl call.

   CVE-2010-4076: The rs_ioctl function in drivers/char/amiserial.c in
   the Linux kernel did not properly initialize a certain structure
   member, which allowed local users to obtain potentially sensitive
   information from kernel stack memory via a TIOCGICOUNT ioctl call.

   CVE-2010-4077: The ntty_ioctl_tiocgicount function in
   drivers/char/nozomi.c in the Linux kernel did not properly
   initialize a certain structure member, which allowed local users to
   obtain potentially sensitive information from kernel stack memory
   via a TIOCGICOUNT ioctl call.

   CVE-2010-4243: fs/exec.c in the Linux kernel did not enable the OOM
   Killer to assess use of stack memory by arrays representing the
   (1) arguments and (2) environment, which allowed local users to
   cause a denial of service (memory consumption) via a crafted exec
   system call, aka an OOM dodging issue, a related issue to
   CVE-2010-3858.

   CVE-2010-4668: The blk_rq_map_user_iov function in block/blk-map.c
   in the Linux kernel allowed local users to cause a denial of
   service (panic) via a zero-length I/O request in a device ioctl to
   a SCSI device, related to an unaligned map. NOTE: this
   vulnerability exists because of an incomplete fix for
   CVE-2010-4163.

   CVE-2010-4529: Integer underflow in the irda_getsockopt function in
   net/irda/af_irda.c in the Linux kernel on platforms other than x86
   allowed local users to obtain potentially sensitive information
   from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call.

   CVE-2010-4342: The aun_incoming function in net/econet/af_econet.c
   in the Linux kernel, when Econet is enabled, allowed remote
   attackers to cause a denial of service (NULL pointer dereference
   and OOPS) by sending an Acorn Universal Networking (AUN) packet
   over UDP.

   CVE-2010-3699: The backend driver in Xen 3.x allowed guest OS users
   to cause a denial of service via a kernel thread leak, which
   prevented the device and guest OS from being shut down or created a
   zombie domain, causing a hang in xenwatch, or preventing
   unspecified xm commands from working properly, related to
   (1) netback, (2) blkback, or (3) blktap.

   CVE-2010-4346: The install_special_mapping function in mm/mmap.c in
   the Linux kernel did not make an expected security_file_mmap
   function call, which allowed local users to bypass intended
   mmap_min_addr restrictions and possibly conduct NULL pointer
   dereference attacks via a crafted assembly-language application.

   CVE-2010-4650: Fixed a verify_ioctl overflow in "cuse" in the fuse
   filesystem. The code should only be called by root users though.

   CVE-2010-4526: Race condition in the sctp_icmp_proto_unreachable
   function in net/sctp/input.c in the Linux kernel allowed remote
   attackers to cause a denial of service (panic) via an ICMP
   unreachable message to a socket that is already locked by a user,
   which causes the socket to be freed and triggers list corruption,
   related to the sctp_wait_for_connect function.

   CVE-2010-4527: The load_mixer_volumes function in
   sound/oss/soundcard.c in the OSS sound subsystem in the Linux
   kernel incorrectly expected that a certain name field ends with a
   '\0' character, which allowed local users to conduct buffer
   overflow attacks and gain privileges, or possibly obtain sensitive
   information from kernel memory, via a SOUND_MIXER_SETLEVELS ioctl
   call.

   CVE-2011-0006: Fixed an LSM bug in IMA (Integrity Measuring
   Architecture). IMA is not enabled in SUSE kernels, so we were not
   affected.

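The uninitialized-structure leaks described above (CVE-2010-3875, CVE-2010-3876, CVE-2010-3877, CVE-2010-4075, CVE-2010-4076, CVE-2010-4077, CVE-2011-0711) can be illustrated in user space. The program below is an added example, not code from the kernel or from this advisory: `struct reply`, the 0xA5 marker and all function names are hypothetical, and `memcpy` stands in for the copy to user space. It shows a handler that assigns only some members next to one that clears the object first.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reply structure (not a real kernel type): a handler fills it
 * on its stack and copies the whole object back to the caller. */
struct reply {
    int  rx, tx;
    char name[16];
    int  reserved[4];          /* never assigned by the handler */
};

#define STALE 0xA5             /* constructed marker for old stack contents */

/* Before: only the members of interest are assigned. */
static void fill_unsafe(struct reply *r)
{
    r->rx = 1;
    r->tx = 2;
    strcpy(r->name, "ttyS0");  /* writes 6 of the 16 bytes */
}

/* After: clear the whole object first, then assign. */
static void fill_safe(struct reply *r)
{
    memset(r, 0, sizeof *r);
    fill_unsafe(r);
}

/* Pre-load the slot with the marker, run the handler, copy the object out
 * (memcpy stands in for copy_to_user) and count marker bytes that escaped. */
static size_t leaked_bytes(void (*fill)(struct reply *))
{
    struct reply r;
    unsigned char out[sizeof r];
    size_t i, n = 0;
    memset(&r, STALE, sizeof r);
    fill(&r);
    memcpy(out, &r, sizeof r);
    for (i = 0; i < sizeof out; i++)
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("unsafe: %zu stale bytes copied out\n", leaked_bytes(fill_unsafe));
    printf("safe:   %zu stale bytes copied out\n", leaked_bytes(fill_safe));
    return 0;
}
```
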
Special Instructions and Notes:

   Please reboot the system after installing this update.

Package List:

   - SLE 11 SERVER Unsupported Extras (i586 ia64 ppc64 s390x x86_64):

      kernel-default-extra-2.6.32.29-0.3.1

   - SLE 11 SERVER Unsupported Extras (i586 x86_64):

      kernel-xen-extra-2.6.32.29-0.3.1

   - SLE 11 SERVER Unsupported Extras (ppc64):

      kernel-ppc64-extra-2.6.32.29-0.3.1

   - SLE 11 SERVER Unsupported Extras (i586):

      kernel-pae-extra-2.6.32.29-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2010-2943.html
   http://support.novell.com/security/cve/CVE-2010-3699.html
   http://support.novell.com/security/cve/CVE-2010-3705.html
   http://support.novell.com/security/cve/CVE-2010-3858.html
   http://support.novell.com/security/cve/CVE-2010-3875.html
   http://support.novell.com/security/cve/CVE-2010-3876.html
   http://support.novell.com/security/cve/CVE-2010-3877.html
   http://support.novell.com/security/cve/CVE-2010-4075.html
   http://support.novell.com/security/cve/CVE-2010-4076.html
   http://support.novell.com/security/cve/CVE-2010-4077.html
   http://support.novell.com/security/cve/CVE-2010-4163.html
   http://support.novell.com/security/cve/CVE-2010-4243.html
   http://support.novell.com/security/cve/CVE-2010-4342.html
   http://support.novell.com/security/cve/CVE-2010-4346.html
   http://support.novell.com/security/cve/CVE-2010-4526.html
   http://support.novell.com/security/cve/CVE-2010-4527.html
   http://support.novell.com/security/cve/CVE-2010-4529.html
   http://support.novell.com/security/cve/CVE-2010-4650.html
   http://support.novell.com/security/cve/CVE-2010-4668.html
   http://support.novell.com/security/cve/CVE-2011-0006.html
   http://support.novell.com/security/cve/CVE-2011-0710.html
   http://support.novell.com/security/cve/CVE-2011-0711.html
   http://support.novell.com/security/cve/CVE-2011-0712.html
   https://bugzilla.novell.com/466279
   https://bugzilla.novell.com/552250
   https://bugzilla.novell.com/564423
   https://bugzilla.novell.com/602969
   https://bugzilla.novell.com/620929
   https://bugzilla.novell.com/622868
   https://bugzilla.novell.com/623393
   https://bugzilla.novell.com/625965
   https://bugzilla.novell.com/629170
   https://bugzilla.novell.com/630970
   https://bugzilla.novell.com/632317
   https://bugzilla.novell.com/633026
   https://bugzilla.novell.com/636435
   https://bugzilla.novell.com/638258
   https://bugzilla.novell.com/640850
   https://bugzilla.novell.com/642309
   https://bugzilla.novell.com/643266
   https://bugzilla.novell.com/643513
   https://bugzilla.novell.com/648647
   https://bugzilla.novell.com/648701
   https://bugzilla.novell.com/648916
   https://bugzilla.novell.com/649473
   https://bugzilla.novell.com/650067
   https://bugzilla.novell.com/650366
   https://bugzilla.novell.com/650748
   https://bugzilla.novell.com/651152
   https://bugzilla.novell.com/652391
   https://bugzilla.novell.com/655220
   https://bugzilla.novell.com/655278
   https://bugzilla.novell.com/655964
   https://bugzilla.novell.com/657248
   https://bugzilla.novell.com/657763
   https://bugzilla.novell.com/658037
   https://bugzilla.novell.com/658254
   https://bugzilla.novell.com/658337
   https://bugzilla.novell.com/658353
   https://bugzilla.novell.com/658461
   https://bugzilla.novell.com/658551
   https://bugzilla.novell.com/658720
   https://bugzilla.novell.com/659101
   https://bugzilla.novell.com/659394
   https://bugzilla.novell.com/659419
   https://bugzilla.novell.com/660546
   https://bugzilla.novell.com/661605
   https://bugzilla.novell.com/661945
   https://bugzilla.novell.com/662031
   https://bugzilla.novell.com/662192
   https://bugzilla.novell.com/662202
   https://bugzilla.novell.com/662212
   https://bugzilla.novell.com/662335
   https://bugzilla.novell.com/662340
   https://bugzilla.novell.com/662360
   https://bugzilla.novell.com/662673
   https://bugzilla.novell.com/662722
   https://bugzilla.novell.com/662800
   https://bugzilla.novell.com/662931
   https://bugzilla.novell.com/662945
   https://bugzilla.novell.com/663537
   https://bugzilla.novell.com/663582
   https://bugzilla.novell.com/663706
   https://bugzilla.novell.com/664149
   https://bugzilla.novell.com/664463
   https://bugzilla.novell.com/665480
   https://bugzilla.novell.com/665499
   https://bugzilla.novell.com/665524
   https://bugzilla.novell.com/665663
   https://bugzilla.novell.com/666012
   https://bugzilla.novell.com/666893
   https://bugzilla.novell.com/668545
   https://bugzilla.novell.com/668633
   https://bugzilla.novell.com/668929
   https://bugzilla.novell.com/670129
   https://bugzilla.novell.com/670577
   https://bugzilla.novell.com/670864
   https://bugzilla.novell.com/671256
   https://bugzilla.novell.com/671274
   https://bugzilla.novell.com/671483
   https://bugzilla.novell.com/672292
   https://bugzilla.novell.com/672492
   https://bugzilla.novell.com/672499
   https://bugzilla.novell.com/672524
   https://bugzilla.novell.com/674735