[ MDVSA-2008:223 ] kernel


Posted by dude67 » 01 Nov 2008, 09:24

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

Buffer overflow in format descriptor parsing in the uvc_parse_format
function in drivers/media/video/uvc/uvc_driver.c in uvcvideo in the
video4linux (V4L) implementation in the Linux kernel before 2.6.26.1
has unknown impact and attack vectors. (CVE-2008-3496)

The sbni_ioctl function in drivers/net/wan/sbni.c in the wan
subsystem in the Linux kernel 2.6.26.3 does not check for the
CAP_NET_ADMIN capability before processing a (1) SIOCDEVRESINSTATS,
(2) SIOCDEVSHWSTATE, (3) SIOCDEVENSLAVE, or (4) SIOCDEVEMANSIPATE
ioctl request, which allows local users to bypass intended capability
restrictions. (CVE-2008-3525)

Integer overflow in the sctp_setsockopt_auth_key function in
net/sctp/socket.c in the Stream Control Transmission Protocol (sctp)
implementation in the Linux kernel 2.6.24-rc1 through 2.6.26.3 allows
remote attackers to cause a denial of service (panic) or possibly have
unspecified other impact via a crafted sca_keylength field associated
with the SCTP_AUTH_KEY option. (CVE-2008-3526)

The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream
Control Transmission Protocol (sctp) implementation in the Linux kernel
before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not
verify that the identifier index is within the bounds established by
SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive
information via a crafted SCTP_HMAC_IDENT IOCTL request involving
the sctp_getsockopt function, a different vulnerability than
CVE-2008-4113. (CVE-2008-4445)

Additionally, fixes for sound on NEC Versa S9100 and others were added,
PATA and AHCI support for Intel ICH10 was added, a fix to allow better
disk transfer speeds was made for Hercules EC-900 mini-notebook,
a cyrus-imapd corruption issue in x86_64 arch was solved, RealTek
8169/8168/8101 support was improved, and a few other things. Check
the package changelog for details.


To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-3496
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-3526
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-3525
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-4445
https://qa.mandriva.com/35343
https://qa.mandriva.com/39048
_______________________________________________________________________
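Added example, not part of the advisory or the kernel source: a userspace C model of the bounds check that CVE-2008-4445 describes as missing, where each caller-supplied identifier is validated against a maximum before it is used as a table index. `HMAC_ID_MAX` (standing in for SCTP_AUTH_HMAC_ID_MAX), `hmac_table`, `check_hmac_idents` and `digest_len_for` are hypothetical names with constructed values.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for this example; values are not taken from the kernel. */
#define HMAC_ID_MAX 3   /* plays the role of SCTP_AUTH_HMAC_ID_MAX */

struct hmac_desc { const char *name; size_t digest_len; };

/* Table indexed by identifier; a NULL name marks an unsupported slot. */
static const struct hmac_desc hmac_table[HMAC_ID_MAX + 1] = {
    [1] = { "hmac-a", 20 },
    [3] = { "hmac-b", 32 },
};

/*
 * Validate every caller-supplied identifier before it is used as an index.
 * Returns 0 on success, -EINVAL for an empty or oversized list,
 * -EOPNOTSUPP for an out-of-range or unsupported identifier.
 */
int check_hmac_idents(const uint16_t *ids, size_t count)
{
    if (ids == NULL || count == 0 || count > (size_t)HMAC_ID_MAX + 1)
        return -EINVAL;
    for (size_t i = 0; i < count; i++) {
        if (ids[i] > HMAC_ID_MAX)              /* index outside the table */
            return -EOPNOTSUPP;
        if (hmac_table[ids[i]].name == NULL)   /* in range, but no implementation */
            return -EOPNOTSUPP;
    }
    return 0;
}

/* Looks up the table only after validation, so the read stays in bounds. */
size_t digest_len_for(uint16_t id)
{
    uint16_t one[1] = { id };
    return check_hmac_idents(one, 1) == 0 ? hmac_table[id].digest_len : 0;
}
```

Without the first comparison in the loop, an identifier such as 200 would read memory past the end of the four-entry table, which is the class of information disclosure the advisory attributes to the missing check.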