Full Disclosure mailing list archives
RE: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities
From: John.Airey () rnib org uk
Date: Tue, 25 Mar 2003 09:25:40 -0000
Mark Cox of Red Hat sent out a message just before Christmas (19/12/02) giving the following expiry dates for support of different versions of their product:

Red Hat Linux 8.0 (Psyche)     December 31, 2003
Red Hat Linux 7.3 (Valhalla)   December 31, 2003
Red Hat Linux 7.2 (Enigma)     December 31, 2003
Red Hat Linux 7.1 (Seawolf)    December 31, 2003
Red Hat Linux 7.0 (Guinness)   March 31, 2003
Red Hat Linux 6.2 (Zoot)       March 31, 2003

This message also stated:

"In addition, the following products have now reached their end of life for errata and are no longer supported:

Red Hat Linux PowerTools (6.2, 7, and 7.1)
All Red Hat Linux releases for the Alpha and Sparc architectures
Red Hat Linux 7.1 for the IA64 architecture"

The above bit I've only just noticed though! This information can be found at http://www.redhat.com/apps/support/errata/.

Looks like Red Hat is becoming a "Lintel" company (if you know what I mean).

Personally, I think only supporting products for one year is far too rapid. It means that to keep up with support you need to be reinstalling all your systems every 11 months or less.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299   Fax: +44 (0) 1733 370848
John.Airey () rnib org uk

Anyone who believes in Evolution as fact just because they were told so at school seems to have missed the relevance of the renaissance.
-----Original Message-----
From: Steffen Kluge [mailto:kluge () fujitsu com au]
Sent: 24 March 2003 23:53
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities

# uname -mrs
Linux 2.2.19 sparc
# cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
# rpmbuild --rebuild kernel-2.2.24-6.2.3.src.rpm
Installing kernel-2.2.24-6.2.3.src.rpm
error: Architecture is not included: sparc

What gives? Last time I checked RH6.2 supported sparc. Has that been silently dropped now as well? Did I miss something...?

Cheers
Steffen.

On Thu, 2003-03-20 at 19:59, bugzilla () redhat com wrote:

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          New kernel 2.2 packages fix vulnerabilities
Advisory ID:       RHSA-2003:088-01
Issue date:        2003-03-20
Updated on:        2003-03-20
Product:           Red Hat Linux
Keywords:          ethernet frame padding /proc/pid/mem
Cross references:
Obsoletes:         RHSA-2002:264
CVE Names:         CAN-2003-0001 CAN-2003-1380 CAN-2003-0127
---------------------------------------------------------------------

1. Topic:

Updated kernel packages for Red Hat Linux 6.2 and 7.0 are now available that fix several security vulnerabilities.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386, i586, i686
Red Hat Linux 7.0 - i386, i586, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

A bug in the kernel module loader code allows a local user to gain root privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0127 to this issue.

Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0001 to this issue.
The Linux 2.2 kernel allows local users to cause a denial of service (crash) by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1380 to this issue.

All users of Red Hat Linux 6.2 and 7 should upgrade to these errata packages, which contain version 2.2.24 of the Linux kernel with patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

The procedure for upgrading the kernel is documented at:

http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html

Please read the directions for your architecture carefully before proceeding with the kernel upgrade.

Please note that this update is also available via Red Hat Network. Many people find this to be an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. Note that you need to select the kernel explicitly on default configurations of up2date.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/kernel-2.2.24-6.2.3.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/kernel-smp-2.2.24-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-2.2.24-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-BOOT-2.2.24-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-ibcs-2.2.24-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-utils-2.2.24-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-pcmcia-cs-2.2.24-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-doc-2.2.24-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-headers-2.2.24-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-source-2.2.24-6.2.3.i386.rpm

i586:
ftp://updates.redhat.com/6.2/en/os/i586/kernel-smp-2.2.24-6.2.3.i586.rpm
ftp://updates.redhat.com/6.2/en/os/i586/kernel-2.2.24-6.2.3.i586.rpm

i686:
ftp://updates.redhat.com/6.2/en/os/i686/kernel-enterprise-2.2.24-6.2.3.i686.rpm
ftp://updates.redhat.com/6.2/en/os/i686/kernel-smp-2.2.24-6.2.3.i686.rpm
ftp://updates.redhat.com/6.2/en/os/i686/kernel-2.2.24-6.2.3.i686.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/kernel-2.2.24-7.0.3.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/kernel-smp-2.2.24-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-2.2.24-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-BOOT-2.2.24-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-ibcs-2.2.24-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-utils-2.2.24-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-pcmcia-cs-2.2.24-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-doc-2.2.24-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-source-2.2.24-7.0.3.i386.rpm

i586:
ftp://updates.redhat.com/7.0/en/os/i586/kernel-smp-2.2.24-7.0.3.i586.rpm
ftp://updates.redhat.com/7.0/en/os/i586/kernel-2.2.24-7.0.3.i586.rpm

i686:
ftp://updates.redhat.com/7.0/en/os/i686/kernel-enterprise-2.2.24-7.0.3.i686.rpm
ftp://updates.redhat.com/7.0/en/os/i686/kernel-smp-2.2.24-7.0.3.i686.rpm
ftp://updates.redhat.com/7.0/en/os/i686/kernel-2.2.24-7.0.3.i686.rpm

6. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
e75a158ad3428385d80db17358c01d72  6.2/en/os/SRPMS/kernel-2.2.24-6.2.3.src.rpm
7c8137e737a20ce12528264742f1cf29  6.2/en/os/i386/kernel-2.2.24-6.2.3.i386.rpm
4d98b8669950a871a4f604955b8fdcd2  6.2/en/os/i386/kernel-BOOT-2.2.24-6.2.3.i386.rpm
169d7580f048e5ac4f97b60794182234  6.2/en/os/i386/kernel-doc-2.2.24-6.2.3.i386.rpm
c0ad13a3bd0f5c97cd6c776c8c4d2506  6.2/en/os/i386/kernel-headers-2.2.24-6.2.3.i386.rpm
4a7ac11d656242c86cb5c1a4630f1b7a  6.2/en/os/i386/kernel-ibcs-2.2.24-6.2.3.i386.rpm
3c99049af4f8807ea107cbf5eb3a1838  6.2/en/os/i386/kernel-pcmcia-cs-2.2.24-6.2.3.i386.rpm
da7c86e906fe8a5dfdccd5472e4b7264  6.2/en/os/i386/kernel-smp-2.2.24-6.2.3.i386.rpm
826eb077660afb473e46d88a660a6f1c  6.2/en/os/i386/kernel-source-2.2.24-6.2.3.i386.rpm
d069a463fe21bab5f76f02a31502123e  6.2/en/os/i386/kernel-utils-2.2.24-6.2.3.i386.rpm
eb349334ef125e741a85a8e869e7b523  6.2/en/os/i586/kernel-2.2.24-6.2.3.i586.rpm
adc808ed4014edaa4d4b010ddac4309c  6.2/en/os/i586/kernel-smp-2.2.24-6.2.3.i586.rpm
321dbf853a0cb81c8170459f8fc97893  6.2/en/os/i686/kernel-2.2.24-6.2.3.i686.rpm
e1750055ee17c7d57816f7ca8f3ccd2d  6.2/en/os/i686/kernel-enterprise-2.2.24-6.2.3.i686.rpm
76e6f3fe66df3ed6860264abe5a18de8  6.2/en/os/i686/kernel-smp-2.2.24-6.2.3.i686.rpm
49e5f301b4cddb0ede8e4debf749d284  7.0/en/os/SRPMS/kernel-2.2.24-7.0.3.src.rpm
7848dce7df9d50b7b4559f9e3f6cf9a1  7.0/en/os/i386/kernel-2.2.24-7.0.3.i386.rpm
3e16df51fe2cb5d4d2d452f48a8467f1  7.0/en/os/i386/kernel-BOOT-2.2.24-7.0.3.i386.rpm
5868fb09b963014bb7d6af0b0f07b6c0  7.0/en/os/i386/kernel-doc-2.2.24-7.0.3.i386.rpm
511ca20d6c01b4c631b8878bfc4cc76e  7.0/en/os/i386/kernel-ibcs-2.2.24-7.0.3.i386.rpm
e05486b8be3252fa24dbfbccae7c539e  7.0/en/os/i386/kernel-pcmcia-cs-2.2.24-7.0.3.i386.rpm
98b15116f2e5d623357e6f008118fcd5  7.0/en/os/i386/kernel-smp-2.2.24-7.0.3.i386.rpm
837c9b0986e9762a01756d169d96705d  7.0/en/os/i386/kernel-source-2.2.24-7.0.3.i386.rpm
1086439f7e649ca231a7074aa1273a80  7.0/en/os/i386/kernel-utils-2.2.24-7.0.3.i386.rpm
f0e5f6db3bfd8852c1869b70b9b1229f  7.0/en/os/i586/kernel-2.2.24-7.0.3.i586.rpm
72def97b1db6f807bd98bc2513807de9  7.0/en/os/i586/kernel-smp-2.2.24-7.0.3.i586.rpm
a134b4ed1db1733842e1206ace192825  7.0/en/os/i686/kernel-2.2.24-7.0.3.i686.rpm
5adeaf42c35a3b350623667e4026980e  7.0/en/os/i686/kernel-enterprise-2.2.24-7.0.3.i686.rpm
ef79dfd39815de20ae4a435341ec195c  7.0/en/os/i686/kernel-smp-2.2.24-7.0.3.i686.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

md5sum <filename>

7. References:

http://www.atstake.com/research/advisories/2003/a010603-1.txt
http://marc.theaimsgroup.com/?l=bugtraq&m=104033054204316
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127

8. Contact:

The Red Hat security contact is <security () redhat com>. More contact details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
-
NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system.

RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB.

RNIB Registered Charity Number: 226227
Website: http://www.rnib.org.uk
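Section 6 of the quoted advisory tells administrators to run "rpm --checksig -v" on each package and, for a corruption-only check, "md5sum". The shell function below is an added example, not Red Hat's or any list member's code: it automates the md5sum step by reading the advisory's "MD5 sum / Package Name" table from a saved copy of the mail and comparing each listed sum with the package of the same name in a download directory. The file names and sums it builds for the demonstration are constructed stand-ins written to a temporary directory, not real Red Hat packages or their real checksums. Note what this check does and does not cover: a sum that matches the advisory rules out download corruption, but an advisory and a package that were both altered in transit would still agree with each other, which is why the GPG signature check ("rpm --checksig") remains the authoritative step.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded RPMs against the
# "6. Verification" table of a Red Hat advisory saved as plain text.
# Table lines have the shape
#   <32 hex md5>  <release>/en/os/<arch>/<package>.rpm
# The path is the mirror path, so the file name is matched, not the full path.
#
# verify_advisory_md5 ADVISORY_FILE PKG_DIR
#   0 : every *.rpm in PKG_DIR that is listed in the table matches its sum
#   1 : at least one listed package in PKG_DIR has a different sum
#   2 : no package in PKG_DIR appears in the table (nothing was checked)
verify_advisory_md5() {
    advisory=$1
    pkgdir=$2
    checked=0
    bad=0
    for file in "$pkgdir"/*.rpm; do
        [ -f "$file" ] || continue
        name=${file##*/}
        # First table line whose mirror path ends in this file name.
        expected=$(grep -E "^[0-9a-f]{32} +[^ ]+/$name\$" "$advisory" | awk 'NR==1 {print $1}')
        if [ -z "$expected" ]; then
            echo "SKIP     $name (not listed in advisory)"
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (advisory $expected, local $actual)" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$checked" -gt 0 ] || return 2
    [ "$bad" -eq 0 ] || return 1
    return 0
}

# make_demo_fixture DIR
#   Writes constructed stand-in "packages" and two advisory excerpts into DIR:
#   advisory-consistent.txt agrees with the files, advisory-tampered.txt
#   carries a different sum for kernel-smp (what a corrupted download looks
#   like when compared with the advisory). Constructed data, not real sums.
make_demo_fixture() {
    dir=$1
    mkdir -p "$dir/pkgs"
    printf 'constructed stand-in for the kernel package\n' > "$dir/pkgs/kernel-2.2.24-6.2.3.i386.rpm"
    printf 'constructed stand-in for the kernel-smp package\n' > "$dir/pkgs/kernel-smp-2.2.24-6.2.3.i386.rpm"
    sum_kernel=$(md5sum "$dir/pkgs/kernel-2.2.24-6.2.3.i386.rpm" | cut -d' ' -f1)
    sum_smp=$(md5sum "$dir/pkgs/kernel-smp-2.2.24-6.2.3.i386.rpm" | cut -d' ' -f1)
    {
        echo '6. Verification:'
        echo
        echo 'MD5 sum                           Package Name'
        echo '--------------------------------------------------------------------------'
        echo "$sum_kernel  6.2/en/os/i386/kernel-2.2.24-6.2.3.i386.rpm"
        echo "$sum_smp  6.2/en/os/i386/kernel-smp-2.2.24-6.2.3.i386.rpm"
        # Listed but not downloaded: the verifier ignores it.
        echo "00000000000000000000000000000000  6.2/en/os/i386/kernel-doc-2.2.24-6.2.3.i386.rpm"
    } > "$dir/advisory-consistent.txt"
    sed "s/^$sum_smp /ffffffffffffffffffffffffffffffff /" "$dir/advisory-consistent.txt" > "$dir/advisory-tampered.txt"
}

# Demonstration run on the constructed fixture.
demo_dir=$(mktemp -d)
make_demo_fixture "$demo_dir"
verify_advisory_md5 "$demo_dir/advisory-consistent.txt" "$demo_dir/pkgs" && echo "consistent advisory: all downloaded packages match"
verify_advisory_md5 "$demo_dir/advisory-tampered.txt" "$demo_dir/pkgs" || echo "tampered advisory: verification failed with status $?"
rm -rf "$demo_dir"
```

To use it against a real advisory, save the mail as a text file, put the downloaded RPMs in one directory, and call verify_advisory_md5 with both paths; run "rpm --checksig -v" on the packages afterwards, since only the signature check ties the packages to Red Hat's key.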
Current thread:
- RE: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities John . Airey (Mar 25)
- Re: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities Michael Boman (Mar 25)
- Re: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities Alexander Bartolich (Mar 25)
- Re: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities Etaoin Shrdlu (Mar 25)
- Re: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities nate (Mar 25)
- Re: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities Alexander Bartolich (Mar 25)
- Re: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities Steffen Kluge (Mar 25)
- Re: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities Michael Boman (Mar 25)
- <Possible follow-ups>
- RE: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities John . Airey (Mar 25)