RE: [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities

[John.Airey () rnib org uk]

Mark Cox of Red Hat sent out a message just before Christmas (19/12/02)
giving the following expiry dates for support of different versions of their
product:

      Red Hat Linux 8.0 (Psyche)        December 31, 2003
      Red Hat Linux 7.3 (Valhalla)      December 31, 2003
      Red Hat Linux 7.2 (Enigma)        December 31, 2003
      Red Hat Linux 7.1 (Seawolf)       December 31, 2003
      Red Hat Linux 7.0 (Guinness)      March 31, 2003
      Red Hat Linux 6.2 (Zoot)          March 31, 2003

This message also stated: "In addition, the
following products have now reached their end of life for errata and are
no longer supported:

      Red Hat Linux PowerTools (6.2, 7, and 7.1)
      All Red Hat Linux releases for the Alpha and Sparc architectures
      Red Hat Linux 7.1 for the IA64 architecture"

The above bit I've only just noticed though! This information can be found
at http://www.redhat.com/apps/support/errata/. 

Looks like Red Hat is becoming a "Lintel" company (if you know what I mean).
Personally, I think only supporting products for one year is far too rapid.
It means that to keep up with support you need to be reinstalling all your
systems every 11 months or less.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk 

Anyone who believes in Evolution as fact just because they were told so at
school seems to have missed the relevance of the renaissance.


> -----Original Message-----
> From: Steffen Kluge [mailto:kluge () fujitsu com au]
> Sent: 24 March 2003 23:53
> To: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] [RHSA-2003:088-01] New kernel 2.2
> packages fix vulnerabilities
>
>
> # uname -mrs
> Linux 2.2.19 sparc
> # cat /etc/redhat-release
> Red Hat Linux release 6.2 (Zoot)
> # rpmbuild --rebuild kernel-2.2.24-6.2.3.src.rpm
> Installing kernel-2.2.24-6.2.3.src.rpm
> error: Architecture is not included: sparc
>
> What gives? Last time I checked RH6.2 supported sparc.
> Has that been silently dropped now as well? Did I
> miss something...?
>
> Cheers
> Steffen.
>
> On Thu, 2003-03-20 at 19:59, bugzilla () redhat com wrote:
> >
> ---------------------------------------------------------------------
> >                    Red Hat Security Advisory
> >
> > Synopsis:          New kernel 2.2 packages fix vulnerabilities
> > Advisory ID:       RHSA-2003:088-01
> > Issue date:        2003-03-20
> > Updated on:        2003-03-20
> > Product:           Red Hat Linux
> > Keywords:          ethernet frame padding /proc/pid/mem
> > Cross references:  
> > Obsoletes:         RHSA-2002:264
> > CVE Names:         CAN-2003-0001 CAN-2003-1380 CAN-2003-0127
> ---------------------------------------------------------------------
> > 1. Topic:
> >
> > Updated kernel packages for Red Hat Linux 6.2 and 7.0 are 
> now available
> > that fix several security vulnerabilities.
> >
> > 2. Relevant releases/architectures:
> >
> > Red Hat Linux 6.2 - i386, i586, i686
> > Red Hat Linux 7.0 - i386, i586, i686
> >
> > 3. Problem description:
> >
> > The Linux kernel handles the basic functions of the 
> operating system.
> > A bug in the kernel module loader code allows a local user 
> to gain root 
> > privileges. The Common Vulnerabilities and Exposures project
> > (cve.mitre.org) has assigned the name CAN-2003-0127 to this issue.
> >
> > Multiple ethernet Network Interface Card (NIC) device 
> drivers do not pad
> > frames with null bytes, which allows remote attackers to 
> obtain information
> > from previous packets or kernel memory by using malformed 
> packets.  The
> > Common Vulnerabilities and Exposures project 
> (cve.mitre.org) has assigned
> > the name CAN-2003-0001 to this issue.
> >
> > The Linux 2.2 kernel allows local users to cause a denial of service
> > (crash) by using the mmap() function with a PROT_READ 
> parameter to access
> > non-readable memory pages through the /proc/pid/mem interface.  The
> > Common Vulnerabilities and Exposures project 
> (cve.mitre.org) has assigned
> > the name CAN-2002-1380 to this issue.
> >
> > All users of Red Hat Linux 6.2 and 7 should upgrade to these errata
> > packages, which contain version 2.2.24 of the Linux kernel 
> with patches and
> > are not vulnerable to these issues.
> >
> > 4. Solution:
> >
> > Before applying this update, make sure all previously 
> released errata
> > relevant to your system have been applied. 
> >
> > The procedure for upgrading the kernel is documented at:
> http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel
> -upgrade.html
> > Please read the directions for your architecture carefully before
> > proceeding with the kernel upgrade.
> >
> > Please note that this update is also available via Red Hat 
> Network.  Many
> > people find this to be an easier way to apply updates.  To 
> use Red Hat
> > Network, launch the Red Hat Update Agent with the following command:
> >
> > up2date
> >
> > This will start an interactive process that will result in 
> the appropriate
> > RPMs being upgraded on your system. Note that you need to 
> select the kernel
> > explicitly on default configurations of up2date.
> >
> > 5. RPMs required:
> >
> > Red Hat Linux 6.2:
> >
> > SRPMS:
> > ftp://updates.redhat.com/6.2/en/os/SRPMS/kernel-2.2.24-6.2.3.src.rpm
> >
> > i386:
> ftp://updates.redhat.com/6.2/en/os/i386/kernel-smp-2.2.24-6.2.
> 3.i386.rpm
> > ftp://updates.redhat.com/6.2/en/os/i386/kernel-2.2.24-6.2.3.i386.rpm
> ftp://updates.redhat.com/6.2/en/os/i386/kernel-BOOT-2.2.24-6.2
> .3.i386.rpm
> >
> ftp://updates.redhat.com/6.2/en/os/i386/kernel-ibcs-2.2.24-6.2
> .3.i386.rpm
> >
> ftp://updates.redhat.com/6.2/en/os/i386/kernel-utils-2.2.24-6.
> 2.3.i386.rpm
> >
> ftp://updates.redhat.com/6.2/en/os/i386/kernel-pcmcia-cs-2.2.2
> 4-6.2.3.i386.rpm
> >
> ftp://updates.redhat.com/6.2/en/os/i386/kernel-doc-2.2.24-6.2.
> 3.i386.rpm
> >
> ftp://updates.redhat.com/6.2/en/os/i386/kernel-headers-2.2.24-
> 6.2.3.i386.rpm
> >
> ftp://updates.redhat.com/6.2/en/os/i386/kernel-source-2.2.24-6
> .2.3.i386.rpm
> > i586:
> ftp://updates.redhat.com/6.2/en/os/i586/kernel-smp-2.2.24-6.2.
> 3.i586.rpm
> > ftp://updates.redhat.com/6.2/en/os/i586/kernel-2.2.24-6.2.3.i586.rpm
> >
> > i686:
> ftp://updates.redhat.com/6.2/en/os/i686/kernel-enterprise-2.2.
> 24-6.2.3.i686.rpm
> >
> ftp://updates.redhat.com/6.2/en/os/i686/kernel-smp-2.2.24-6.2.
> 3.i686.rpm
> > ftp://updates.redhat.com/6.2/en/os/i686/kernel-2.2.24-6.2.3.i686.rpm
> >
> > Red Hat Linux 7.0:
> >
> > SRPMS:
> > ftp://updates.redhat.com/7.0/en/os/SRPMS/kernel-2.2.24-7.0.3.src.rpm
> >
> > i386:
> ftp://updates.redhat.com/7.0/en/os/i386/kernel-smp-2.2.24-7.0.
> 3.i386.rpm
> > ftp://updates.redhat.com/7.0/en/os/i386/kernel-2.2.24-7.0.3.i386.rpm
> ftp://updates.redhat.com/7.0/en/os/i386/kernel-BOOT-2.2.24-7.0
> .3.i386.rpm
> >
> ftp://updates.redhat.com/7.0/en/os/i386/kernel-ibcs-2.2.24-7.0
> .3.i386.rpm
> >
> ftp://updates.redhat.com/7.0/en/os/i386/kernel-utils-2.2.24-7.
> 0.3.i386.rpm
> >
> ftp://updates.redhat.com/7.0/en/os/i386/kernel-pcmcia-cs-2.2.2
> 4-7.0.3.i386.rpm
> >
> ftp://updates.redhat.com/7.0/en/os/i386/kernel-doc-2.2.24-7.0.
> 3.i386.rpm
> >
> ftp://updates.redhat.com/7.0/en/os/i386/kernel-source-2.2.24-7
> .0.3.i386.rpm
> > i586:
> ftp://updates.redhat.com/7.0/en/os/i586/kernel-smp-2.2.24-7.0.
> 3.i586.rpm
> > ftp://updates.redhat.com/7.0/en/os/i586/kernel-2.2.24-7.0.3.i586.rpm
> >
> > i686:
> ftp://updates.redhat.com/7.0/en/os/i686/kernel-enterprise-2.2.
> 24-7.0.3.i686.rpm
> >
> ftp://updates.redhat.com/7.0/en/os/i686/kernel-smp-2.2.24-7.0.
> 3.i686.rpm
> > ftp://updates.redhat.com/7.0/en/os/i686/kernel-2.2.24-7.0.3.i686.rpm
> >
> >
> >
> > 6. Verification:
> >
> > MD5 sum                          Package Name
> --------------------------------------------------------------
> ------------
> > e75a158ad3428385d80db17358c01d72 
> 6.2/en/os/SRPMS/kernel-2.2.24-6.2.3.src.rpm
> > 7c8137e737a20ce12528264742f1cf29 
> 6.2/en/os/i386/kernel-2.2.24-6.2.3.i386.rpm
> > 4d98b8669950a871a4f604955b8fdcd2 
> 6.2/en/os/i386/kernel-BOOT-2.2.24-6.2.3.i386.rpm
> > 169d7580f048e5ac4f97b60794182234 
> 6.2/en/os/i386/kernel-doc-2.2.24-6.2.3.i386.rpm
> > c0ad13a3bd0f5c97cd6c776c8c4d2506 
> 6.2/en/os/i386/kernel-headers-2.2.24-6.2.3.i386.rpm
> > 4a7ac11d656242c86cb5c1a4630f1b7a 
> 6.2/en/os/i386/kernel-ibcs-2.2.24-6.2.3.i386.rpm
> > 3c99049af4f8807ea107cbf5eb3a1838 
> 6.2/en/os/i386/kernel-pcmcia-cs-2.2.24-6.2.3.i386.rpm
> > da7c86e906fe8a5dfdccd5472e4b7264 
> 6.2/en/os/i386/kernel-smp-2.2.24-6.2.3.i386.rpm
> > 826eb077660afb473e46d88a660a6f1c 
> 6.2/en/os/i386/kernel-source-2.2.24-6.2.3.i386.rpm
> > d069a463fe21bab5f76f02a31502123e 
> 6.2/en/os/i386/kernel-utils-2.2.24-6.2.3.i386.rpm
> > eb349334ef125e741a85a8e869e7b523 
> 6.2/en/os/i586/kernel-2.2.24-6.2.3.i586.rpm
> > adc808ed4014edaa4d4b010ddac4309c 
> 6.2/en/os/i586/kernel-smp-2.2.24-6.2.3.i586.rpm
> > 321dbf853a0cb81c8170459f8fc97893 
> 6.2/en/os/i686/kernel-2.2.24-6.2.3.i686.rpm
> > e1750055ee17c7d57816f7ca8f3ccd2d 
> 6.2/en/os/i686/kernel-enterprise-2.2.24-6.2.3.i686.rpm
> > 76e6f3fe66df3ed6860264abe5a18de8 
> 6.2/en/os/i686/kernel-smp-2.2.24-6.2.3.i686.rpm
> > 49e5f301b4cddb0ede8e4debf749d284 
> 7.0/en/os/SRPMS/kernel-2.2.24-7.0.3.src.rpm
> > 7848dce7df9d50b7b4559f9e3f6cf9a1 
> 7.0/en/os/i386/kernel-2.2.24-7.0.3.i386.rpm
> > 3e16df51fe2cb5d4d2d452f48a8467f1 
> 7.0/en/os/i386/kernel-BOOT-2.2.24-7.0.3.i386.rpm
> > 5868fb09b963014bb7d6af0b0f07b6c0 
> 7.0/en/os/i386/kernel-doc-2.2.24-7.0.3.i386.rpm
> > 511ca20d6c01b4c631b8878bfc4cc76e 
> 7.0/en/os/i386/kernel-ibcs-2.2.24-7.0.3.i386.rpm
> > e05486b8be3252fa24dbfbccae7c539e 
> 7.0/en/os/i386/kernel-pcmcia-cs-2.2.24-7.0.3.i386.rpm
> > 98b15116f2e5d623357e6f008118fcd5 
> 7.0/en/os/i386/kernel-smp-2.2.24-7.0.3.i386.rpm
> > 837c9b0986e9762a01756d169d96705d 
> 7.0/en/os/i386/kernel-source-2.2.24-7.0.3.i386.rpm
> > 1086439f7e649ca231a7074aa1273a80 
> 7.0/en/os/i386/kernel-utils-2.2.24-7.0.3.i386.rpm
> > f0e5f6db3bfd8852c1869b70b9b1229f 
> 7.0/en/os/i586/kernel-2.2.24-7.0.3.i586.rpm
> > 72def97b1db6f807bd98bc2513807de9 
> 7.0/en/os/i586/kernel-smp-2.2.24-7.0.3.i586.rpm
> > a134b4ed1db1733842e1206ace192825 
> 7.0/en/os/i686/kernel-2.2.24-7.0.3.i686.rpm
> > 5adeaf42c35a3b350623667e4026980e 
> 7.0/en/os/i686/kernel-enterprise-2.2.24-7.0.3.i686.rpm
> > ef79dfd39815de20ae4a435341ec195c 
> 7.0/en/os/i686/kernel-smp-2.2.24-7.0.3.i686.rpm
> > These packages are GPG signed by Red Hat, Inc. for 
> security.  Our key
> > is available at http://www.redhat.com/about/contact/pgpkey.html
> >
> > You can verify each package with the following command:
> >     
> >     rpm --checksig -v <filename>
> >
> > If you only wish to verify that each package has not been 
> corrupted or
> > tampered with, examine only the md5sum with the following command:
> >     
> >     md5sum <filename>
> >
> >
> > 7. References:
> >
> > http://www.atstake.com/research/advisories/2003/a010603-1.txt
> > http://marc.theaimsgroup.com/?l=bugtraq&m=104033054204316
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1380
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127
> >
> > 8. Contact:
> >
> > The Red Hat security contact is <security () redhat com>.  More contact
> > details at 
> http://www.redhat.com/solutions/security/news/contact.html
> > Copyright 2003 Red Hat, Inc.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html