[SECURITY] Updated kernel packages resolve security vulnerabilities

Dave Jones davej at redhat.com
Wed Apr 14 15:00:35 UTC 2004


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-101
2004-04-14
---------------------------------------------------------------------

Name        : kernel
Version     : 2.4.22                      
Release     : 1.2179.nptl                  
Summary     : The Linux kernel (the core of the Linux operating system)
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of your
Fedora Core Linux operating system.  The kernel handles the basic functions
of the operating system:  memory allocation, process allocation, device
input and output, etc.

iDefense reported a buffer overflow flaw in the ISO9660 filesystem code.
An attacker could create a malicious filesystem in such a way that they
could gain root privileges if that filesystem is mounted. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0109 to this issue.

Solar Designer from OpenWall discovered a minor information leak in the
ext3 filesystem code due to the lack of initialization of journal
descriptor blocks. This flaw has only minor security implications and
exploitation requires privileged access to the raw device. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0133 to this issue.

These packages also contain an updated fix with additional checks for
issues in the R128 Direct Rendering Infrastructure. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0003 to this issue.

In addition, further hardening of the mremap function was applied to
prevent a potential local denial of service attack.

The low latency patch applied in previous kernels has also been found
to cause stability problems under certain conditions. It has been disabled in
this update whilst further investigation occurs.

---------------------------------------------------------------------

* Tue Apr 13 2004 Dave Jones <davej at redhat.com>
- mremap NULL pointer dereference fix
- Disable low latency patch, pending investigation into crashes.
- Additional r128 DRM check. (CAN-2004-0003)
- Bounds checking in ISO9660 filesystem. (CAN-2004-0109)
- Fix Information leak in EXT3 (CAN-2004-0133)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
---------------------------------------------------------------------




