[Security Announce] [ MDKSA-2006:150 ] - Updated kernel packages fix multiple vulnerabilities
Posted on: 08/25/2006 09:45 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

Hash: SHA1


Mandriva Linux Security Advisory MDKSA-2006:150

Package : kernel
Date : August 25, 2006
Affected: Corporate 3.0, Multi Network Firewall 2.0

Problem Description:

A number of vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

Prior to, the kerenl allowed local users to obtain sensitive
information via a crafted XFS ftruncate call (CVE-2006-0554).

Prior to, the kernel did not properly handle uncanonical
return addresses on Intel EM64T CPUs causing the kernel exception
handler to run on the user stack with the wrong GS (CVE-2006-0744).

ip_conntrack_core.c in the 2.6 kernel, and possibly
nf_conntrack_l3proto_ipv4.c did not clear sockaddr_in.sin_zero before
returning IPv4 socket names from the getsockopt function with
SO_ORIGINAL_DST, which could allow local users to obtain portions of
potentially sensitive memory (CVE-2006-1343).

Prior to, the a buffer overflow in SCTP in the kernel allowed
remote attackers to cause a Denial of Service (crash) and possibly
execute arbitrary code via a malformed HB-ACK chunk (CVE-2006-1857).

Prior to, SCTP in the kernel allowed remote attackers to
cause a DoS (crash) and possibly execute arbitrary code via a chunk
length that is inconsistent with the actual length of provided
parameters (CVE-2006-1858).

Prior to 2.6.16, a directory traversal vulnerability in CIFS could
allow a local user to escape chroot restrictions for an SMB-mounted
filesystem via "..\\\\" sequences (CVE-2006-1863).

Prior to 2.6.16, a directory traversal vulnerability in smbfs could
allow a local user to escape chroot restrictions for an SMB-mounted
filesystem via "..\\\\" sequences (CVE-2006-1864).

Prior to 2.6.17, Linux SCTP allowed a remote attacker to cause a DoS
(infinite recursion and crash) via a packet that contains two or more
DATA fragments, which caused an skb pointer to refer back to itself
when the full message is reassembled, leading to an infinite recursion
in the sctp_skb_pull function (CVE-2006-2274).

The dvd_read_bca function in the DVD handling code assigns the wrong
value to a length variable, which could allow local users to execute
arbitrary code via a crafted USB storage device that triggers a buffer
overflow (CVE-2006-2935).

Prior to 2.6.17, the ftdi_sio driver could allow local users to cause
a DoS (memory consumption) by writing more data to the serial port than
the hardware can handle, causing the data to be queued (CVE-2006-2936).

The 2.6 kernel, when using both NFS and EXT3, allowed remote attackers
to cause a DoS (file system panic) via a crafted UDP packet with a V2
lookup procedure that specifies a bad file handle (inode number),
triggering an error and causing an exported directory to be remounted
read-only (CVE-2006-3468).

The 2.6 kernel's SCTP was found to cause system crashes and allow for
the possibility of local privilege escalation due to a bug in the
get_user_iov_size() function that doesn't properly handle overflow when
calculating the length of iovec (CVE-2006-3745).

The provided packages are patched to fix these vulnerabilities. All
users are encouraged to upgrade to these updated kernels immediately
and reboot to effect the fixes.

To update your kernel, please follow the directions located at:




Updated Packages:

Corporate 3.0:
9d14c43145beafb4e63fe8cae758d0f6 corporate/3.0/RPMS/kernel-
e7331f51ed5cf4edee33efcb01f49243 corporate/3.0/RPMS/kernel-BOOT-
dcb027450192d7d73f407f30d3e3e852 corporate/3.0/RPMS/kernel-enterprise-
59f29ace5cc862c84cace5d046d6302e corporate/3.0/RPMS/kernel-i686-up-4GB-
6b062c5059587a927f31fea04fb91a3a corporate/3.0/RPMS/kernel-p3-smp-64GB-
744287198a20913bd38b1c1d37a68bd2 corporate/3.0/RPMS/kernel-secure-
17780ad90f4989615baab5f115074f8a corporate/3.0/RPMS/kernel-smp-
4555bac09b7ce50d83b97c47af0b2724 corporate/3.0/RPMS/kernel-source-2.6.3-35mdk.i586.rpm
7165754462cdfcd92c894f56623bc8b0 corporate/3.0/RPMS/kernel-source-stripped-2.6.3-35mdk.i586.rpm
e59db387f0642f5293dc60283832557b corporate/3.0/SRPMS/kernel-

Corporate 3.0/X86_64:
918a70fe836d900b217f442b5208c779 x86_64/corporate/3.0/RPMS/kernel-
dd1ea77b15bd07c75f5ab7caf00dbde0 x86_64/corporate/3.0/RPMS/kernel-BOOT-
c8964849f4142c2c51c3ddd298513753 x86_64/corporate/3.0/RPMS/kernel-secure-
7a98664c4ba5f0d50a500c1158a8fb08 x86_64/corporate/3.0/RPMS/kernel-smp-
3c4d5ca4f7a1a91d99fc182e499c9e76 x86_64/corporate/3.0/RPMS/kernel-source-2.6.3-35mdk.x86_64.rpm
a25c6705ba2b70c85c1c86e68cb0d3cd x86_64/corporate/3.0/RPMS/kernel-source-stripped-2.6.3-35mdk.x86_64.rpm
e59db387f0642f5293dc60283832557b x86_64/corporate/3.0/SRPMS/kernel-

Multi Network Firewall 2.0:
5cab4be7c19a67689f33f01de208879e mnf/2.0/RPMS/kernel-
ee1db88c9010b3a1af0f5ea93ce86505 mnf/2.0/RPMS/kernel-i686-up-4GB-
0e3618eec1dcb5bca817ecec7e912836 mnf/2.0/RPMS/kernel-p3-smp-64GB-
ded09245567203340c86b3ddacf21b3a mnf/2.0/RPMS/kernel-secure-
7efdc84f2748f1c2237a72ef94d90b31 mnf/2.0/RPMS/kernel-smp-
d12744fdab6bf6606ed13fae69b51f50 mnf/2.0/SRPMS/kernel-

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:


If you want to report vulnerabilities, please contact


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
Version: GnuPG v1.4.2.2 (GNU/Linux)


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2006150__updated_kernel_packages_fix_multiple_vulnerabilities.html)