From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br,
linuxlist@securityportal.com, lwn@lwn.net, bugtraq@securityfocus.com,
security-alerts@linuxsecurity.com
Subject: [CLA-2001:432] Conectiva Linux Security Announcement - kernel
Date: Fri, 2 Nov 2001 17:43:05 -0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : kernel
SUMMARY : Several kernel vulnerabilities
DATE : 2001-11-02 17:42:00
ID : CLA-2001:432
RELEVANT
RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0
- -------------------------------------------------------------------------
DESCRIPTION
This announcement addresses several vulnerabilities in the Linux
kernel:
1) Rafal Wojtczuk reported[1] two vulnerabilities[2][3] in the 2.2
and 2.4 series of the Linux kernel. The first vulnerability allows a
local attacker to obtain root privileges. Working exploits have
already been published.
2) The second vulnerability reported by Rafal Wojtczuk allows a local
user to execute a DoS attack by creating several deep symlinks. This
will cause the kernel to spend an almost arbitrary amount of time on
dereferencing a single symlink and prevent processes from running.
3) Another vulnerability was discovered by Manfred Spraul and
reported to Andi Kleen from SuSE. If syncookies are enabled and being
sent by the kernel (during a synflood attack, for example), a remote
attacker could initiate connections to ports protected by simple
firewall rules such as the ones only filtering SYN packets. Because
of the syncookies, the remote attacker doesn't have to send SYN
packets to initiate the connection, only ACK ones, *but* with the
correct magic cookie. In order to find the correct cookie, an
attacker has to explore about 16 million values (2^24), which can be
done in a few hours on a fast link.
Use the following command to check if syncookies are enabled on your
system:
    sysctl net.ipv4.tcp_syncookies
A return value of "1" indicates that syncookies are enabled. To
disable syncookies, execute the following as root:
    sysctl -w net.ipv4.tcp_syncookies=0
On versions of the distribution that do not have the sysctl command,
the following can be used to deactivate syncookies:
    echo 0 > /proc/sys/net/ipv4/tcp_syncookies
And, to read the present value:
    cat /proc/sys/net/ipv4/tcp_syncookies
The default for Conectiva Linux is to have the syncookies protection
enabled at boot time. To change this behaviour, please edit the
/etc/sysctl.conf file.
The fix for this vulnerability was provided by Andi Kleen with
contributions from Dave Miller and Solar Designer. We would also like
to thank Marcus Meissner for a good insight on the problem.
The announcement of this vulnerability was coordinated with several
other GNU/Linux distributions.
4) Chris Wilson reported[4] a vulnerability[5] in the MAC filtering
code of netfilter (kernel-2.4). An attacker could bypass MAC
filtering rules by using fragmented packets.
This vulnerability was also independently verified by Erick C.
Jones[6] and Miklos Szeredi[7].
This update also fixes a problem with the "aacraid" module, which can
now be used with the Dell PowerEdge Expandable RAID Controller 3/Di.
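Added example, not part of the original Conectiva advisory: for item 3
above, a shell check that compares the running syncookie value with the
one /etc/sysctl.conf will apply at boot, since a value changed with
"sysctl -w" or "echo" does not survive a reboot. The function names and
status words are hypothetical.

```shell
#!/bin/sh
# Added example: audit the syncookie setting from item 3 of the advisory.
# File paths are parameters so the functions can be run on test files.

# Print the value a sysctl.conf-style file assigns to
# net.ipv4.tcp_syncookies (last assignment wins); print nothing if unset.
conf_syncookies() {
    [ -r "$1" ] || return 0
    sed -n -e 's/[[:space:]]//g' \
        -e 's|^net[./]ipv4[./]tcp_syncookies=\([0-9][0-9]*\)$|\1|p' "$1" |
        tail -n 1
}

# Print the running value, or nothing if the kernel does not expose it.
runtime_syncookies() {
    [ -r "$1" ] || return 0
    tr -d '[:space:]' < "$1"
}

# Report runtime value, boot-time value and a one-word status.
audit_syncookies() {
    proc=${1:-/proc/sys/net/ipv4/tcp_syncookies}
    conf=${2:-/etc/sysctl.conf}
    run=$(runtime_syncookies "$proc")
    boot=$(conf_syncookies "$conf")
    if [ -z "$run" ]; then
        status=unavailable          # no syncookie support exposed
    elif [ "$run" != 0 ]; then
        status=enabled              # advisory item 3 applies until patched
    elif [ -z "$boot" ]; then
        status=disabled-boot-unset  # kernel default applies after reboot
    elif [ "$boot" != 0 ]; then
        status=reverts-at-boot      # workaround is lost on next boot
    else
        status=disabled
    fi
    echo "runtime=${run:-none} boot=${boot:-unset} status=$status"
}

# With no arguments this audits the live system.
audit_syncookies "$@"
```

A "reverts-at-boot" result means the workaround was applied only to the
running kernel and /etc/sysctl.conf still enables syncookies.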
SOLUTION
All users should upgrade the kernel immediately.
IMPORTANT: it is not possible to use apt to apply kernel updates.
These packages have to be updated manually. Generic kernel update
instructions can be found at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
Kernel-2.2 users with Conectiva Linux 5.1, 6.0 or 7.0 should also
upgrade the drbd package if it is being used. This upgrade can be
made with apt as usual.
REFERENCES
1. http://www.securityfocus.com/archive/1/221337
2. http://www.securityfocus.com/bid/3447 (ptrace)
3. http://www.securityfocus.com/bid/3444 (symlink DoS)
4. http://lists.samba.org/pipermail/netfilter-devel/2001-August/002050.html
5. http://www.securityfocus.com/bid/3418 (MAC netfilter)
6. http://lists.samba.org/pipermail/netfilter-devel/2001-August/002050.html
7. http://lists.samba.org/pipermail/netfilter-devel/2001-September/002278.html
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/kernel-2.2.19-25U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/kernel-headers-2.2.19-25U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/kernel-smp-2.2.19-25U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/kernel-BOOT-2.2.19-25U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/kernel-ibcs-2.2.19-25U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/kernel-doc-2.2.19-25U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/kernel-source-2.2.19-25U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/kernel-2.2.19-25U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i586/kernel-smp-2.2.19-25U50_2cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i586/kernel-2.2.19-25U50_2cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i686/kernel-2.2.19-25U50_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i686/kernel-smp-2.2.19-25U50_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i686/kernel-enterprise-2.2.19-25U50_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/kernel-2.2.19-25U51_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/drbd-utils-0.5.8-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/kernel-smp-2.2.19-25U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/kernel-headers-2.2.19-25U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/kernel-source-2.2.19-25U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/kernel-ibcs-2.2.19-25U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/kernel-BOOT-2.2.19-25U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/kernel-doc-2.2.19-25U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/kernel-2.2.19-25U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i586/kernel-smp-2.2.19-25U51_2cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i586/kernel-2.2.19-25U51_2cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i686/kernel-smp-2.2.19-25U51_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i686/kernel-enterprise-2.2.19-25U51_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i686/kernel-2.2.19-25U51_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/drbd-utils-0.5.8-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/drbd-utils-heartbeat-0.5.8-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/kernel-2.2.19-25U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/drbd-utils-0.5.8-1U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-enterprise-2.2.19-25U60_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-smp-2.2.19-25U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-2.2.19-25U60_2cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-headers-2.2.19-25U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-smp-2.2.19-25U60_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-2.2.19-25U60_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-ibcs-2.2.19-25U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-2.2.19-25U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-BOOT-2.2.19-25U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-doc-2.2.19-25U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-smp-2.2.19-25U60_2cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kernel-source-2.2.19-25U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/drbd-utils-0.5.8-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/drbd-utils-heartbeat-0.5.8-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/kernel-2.2.19-25U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/drbd-utils-0.5.8-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/drbd-utils-0.5.8-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/drbd-utils-heartbeat-0.5.8-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-ibcs-2.2.19-25U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-enterprise-2.2.19-25U70_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-2.2.19-25U70_2cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-smp-2.2.19-25U70_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-smp-2.2.19-25U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-2.2.19-25U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-smp-2.2.19-25U70_2cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-source-2.2.19-25U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-2.2.19-25U70_2cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-headers-2.2.19-25U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-doc-2.2.19-25U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-BOOT-2.2.19-25U70_2cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE74vdI42jd0JmAcZARAmvlAKDBVNT/923NVIbVjv530aNW9dfcXwCgm+hi
vgrRrVHF42p0mkR/zDFGF8M=
=UMhb
-----END PGP SIGNATURE-----