
[ MDVSA-2015:027 ] kernel



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:027
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : kernel
 Date    : January 16, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in the Linux
 kernel:
 
 The SCTP implementation in the Linux kernel before 3.17.4 allows
 remote attackers to cause a denial of service (memory consumption) by
 triggering a large number of chunks in an association's output queue,
 as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and
 net/sctp/sm_statefuns.c (CVE-2014-3688).
 
 Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux
 kernel before 3.16.3, allows remote attackers to cause a denial of
 service (memory corruption and panic) or possibly have unspecified
 other impact via a long unencrypted auth ticket (CVE-2014-6416).
 
 net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3,
 does not properly consider the possibility of kmalloc failure, which
 allows remote attackers to cause a denial of service (system crash)
 or possibly have unspecified other impact via a long unencrypted auth
 ticket (CVE-2014-6417).
 
 net/ceph/auth_x.c in Ceph, as used in the Linux kernel before
 3.16.3, does not properly validate auth replies, which allows remote
 attackers to cause a denial of service (system crash) or possibly
 have unspecified other impact via crafted data from the IP address
 of a Ceph Monitor (CVE-2014-6418).
 
 The sctp_process_param function in net/sctp/sm_make_chunk.c in the
 SCTP implementation in the Linux kernel before 3.17.4, when ASCONF
 is used, allows remote attackers to cause a denial of service (NULL
 pointer dereference and system crash) via a malformed INIT chunk
 (CVE-2014-7841).
 
 Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4
 allows guest OS users to cause a denial of service (guest OS crash)
 via a crafted application that performs an MMIO transaction or a
 PIO transaction to trigger a guest userspace emulation error report,
 a similar issue to CVE-2010-5313 (CVE-2014-7842).
 
 arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation
 in the Linux kernel through 3.18.1 allows local users to bypass the
 espfix protection mechanism, and consequently makes it easier for
 local users to bypass the ASLR protection mechanism, via a crafted
 application that makes a set_thread_area system call and later reads
 a 16-bit value (CVE-2014-8133).
 
 Stack-based buffer overflow in the
 ttusbdecfe_dvbs_diseqc_send_master_cmd function in
 drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before
 3.17.4 allows local users to cause a denial of service (system crash)
 or possibly gain privileges via a large message length in an ioctl call
 (CVE-2014-8884).
 
 The do_double_fault function in arch/x86/kernel/traps.c in the Linux
 kernel through 3.17.4 does not properly handle faults associated with
 the Stack Segment (SS) segment register, which allows local users
 to cause a denial of service (panic) via a modify_ldt system call,
 as demonstrated by sigreturn_32 in the linux-clock-tests test suite
 (CVE-2014-9090).
 
 arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does
 not properly handle faults associated with the Stack Segment (SS)
 segment register, which allows local users to gain privileges by
 triggering an IRET instruction that leads to access to a GS Base
 address from the wrong space (CVE-2014-9322).
 
 The __switch_to function in arch/x86/kernel/process_64.c in the Linux
 kernel through 3.18.1 does not ensure that Thread Local Storage (TLS)
 descriptors are loaded before proceeding with other steps, which makes
 it easier for local users to bypass the ASLR protection mechanism via
 a crafted application that reads a TLS base address (CVE-2014-9419).
 
 The rock_continue function in fs/isofs/rock.c in the Linux kernel
 through 3.18.1 does not restrict the number of Rock Ridge continuation
 entries, which allows local users to cause a denial of service
 (infinite loop, and system crash or hang) via a crafted iso9660 image
 (CVE-2014-9420).
 
 Race condition in the key_gc_unused_keys function in security/keys/gc.c
 in the Linux kernel through 3.18.2 allows local users to cause a denial
 of service (memory corruption or panic) or possibly have unspecified
 other impact via keyctl commands that trigger access to a key structure
 member during garbage collection of a key (CVE-2014-9529).
 
 The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in
 the Linux kernel before 3.18.2 does not validate a length value in
 the Extensions Reference (ER) System Use Field, which allows local
 users to obtain sensitive information from kernel memory via a crafted
 iso9660 image (CVE-2014-9584).
 
 The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel
 through 3.18.2 does not properly choose memory locations for the
 vDSO area, which makes it easier for local users to bypass the ASLR
 protection mechanism by guessing a location at the end of a PMD
 (CVE-2014-9585).
 
 The updated packages provide a solution for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3688
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6416
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6417
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6418
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7841
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7842
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8133
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8884
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9090
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9419
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9420
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9584
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9585
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 84b2f7fd994f5ed9738484492cf1f6fb  mbs1/x86_64/cpupower-3.4.105-2.1.mbs1.x86_64.rpm
 3b7822069fb7f64c5954038f2a352816  mbs1/x86_64/kernel-firmware-3.4.105-2.1.mbs1.noarch.rpm
 137bd01930fe4bdc9d1b7f095fd3237e  mbs1/x86_64/kernel-headers-3.4.105-2.1.mbs1.x86_64.rpm
 66eb79923df892f0492dc8b4011e3f47  mbs1/x86_64/kernel-server-3.4.105-2.1.mbs1.x86_64.rpm
 6f24362ea683103e480874c2ff93407a  mbs1/x86_64/kernel-server-devel-3.4.105-2.1.mbs1.x86_64.rpm
 36aee1a085a5083200a7ffbd5da543f6  mbs1/x86_64/kernel-source-3.4.105-2.mbs1.noarch.rpm
 93aef55bcc1f02263e07541db93b45ce  mbs1/x86_64/lib64cpupower0-3.4.105-2.1.mbs1.x86_64.rpm
 f73d1f80d3d0db90a63d3889b71cc60f  mbs1/x86_64/lib64cpupower-devel-3.4.105-2.1.mbs1.x86_64.rpm
 854eb4e04b196c33441ce932ba48dfc7  mbs1/x86_64/perf-3.4.105-2.1.mbs1.x86_64.rpm
 4727802fbd1d77523b157b7fd36177ea  mbs1/SRPMS/cpupower-3.4.105-2.1.mbs1.src.rpm
 1f2e120416115a646e0026e6079ac9df  mbs1/SRPMS/kernel-firmware-3.4.105-2.1.mbs1.src.rpm
 cf4f1bbc72cb9369162703efa7b5adc3  mbs1/SRPMS/kernel-headers-3.4.105-2.1.mbs1.src.rpm
 145c57c74bc2346e9435284873062057  mbs1/SRPMS/kernel-server-3.4.105-2.1.mbs1.src.rpm
 7154bb874ff6fd31772fa2e03fc0a186  mbs1/SRPMS/kernel-source-3.4.105-2.mbs1.src.rpm
 acd00535b878c07c70ac0b2680d1b9cc  mbs1/SRPMS/perf-3.4.105-2.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
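 The checksum and signature verification that urpmi performs for you can also be
 done by hand when the RPMs are mirrored separately. The script below is an added
 example and is not part of the Mandriva advisory or of any Mandriva tool: it pulls
 the "<md5>  <path>" lines out of a saved copy of this mail, compares each listed
 file against its MD5, and only then hands the packages to rpm --checksig for the
 GPG check. The function names (md5_of, extract_md5_list, verify_md5_list,
 check_rpm_sigs) and the paths advisory.txt and ./pkgs are this example's own
 assumptions; it needs md5sum (coreutils) or, as a fallback, openssl.

```shell
#!/bin/sh
# Added example, not part of the Mandriva advisory: verify manually
# downloaded RPMs against the advisory's "Updated Packages" md5 list.
# urpmi/MandrivaUpdate do this automatically; this is for a manual mirror.
# Assumes md5sum (coreutils) or openssl is on the PATH.

# md5_of FILE: print the hex MD5 of FILE, using md5sum or openssl as fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# extract_md5_list ADVISORY: print only the "<md5>  <path>" lines of a saved
# advisory (its "Updated Packages:" block), trimmed, ignoring the rest of the mail.
extract_md5_list() {
    grep -E '^[[:space:]]*[0-9a-f]{32}[[:space:]]+[^[:space:]]+' "$1" \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//'
}

# verify_md5_list LISTFILE DIR: for each "<md5>  <path>" line, hash DIR/<path>.
# Prints OK / MISMATCH / MISSING per file; returns 0 only if every file matches.
verify_md5_list() {
    list="$1"; dir="$2"; status=0
    while read -r expected relpath; do
        [ -z "$expected" ] && continue
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"; status=1; continue
        fi
        actual=$(md5_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)"
            status=1
        fi
    done < "$list"
    return "$status"
}

# check_rpm_sigs DIR LISTFILE: once the checksums match, let rpm verify the
# Mandriva GPG signature on each package (needs rpm and the imported 0x22458A98 key).
check_rpm_sigs() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed; skipping signature check"; return 0; }
    while read -r _ relpath; do
        [ -n "$relpath" ] && rpm --checksig "$1/$relpath"
    done < "$2"
}

# Usage with the advisory saved as advisory.txt and the RPMs mirrored under ./pkgs
# (both paths are assumptions of this example):
#   extract_md5_list advisory.txt > md5.list
#   verify_md5_list md5.list ./pkgs && check_rpm_sigs ./pkgs md5.list
```

 Note that MD5 only guards against a corrupted or swapped download; the GPG
 signature check is what ties the package to the Mandriva Security Team key, so
 do not skip the second step just because the checksums matched.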

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFUuULOmqjQ0CJFipgRAmTfAJ40ZrILR8XPoduEMKuokkZuOV2rXwCg424o
PM+ddh+qKQrHCeweXyb+AdU=
=zMRK
-----END PGP SIGNATURE-----