win32sux |
11-19-2006 04:49 AM |
Linux 2.6.16.31/32 (Late Notification)
I missed the last two releases for the 2.6.16.y branch. =/
2.6.16.31 was released the 7th, while 2.6.16.32 was released the 15th.
Both releases addressed security vulnerabilities.
For 2.6.16. 31:
Quote:
[NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header
matches.
When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.
Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.
|
Quote:
[NETFILTER]: Fix ip6_tables protocol bypass bug (CVE-2006-4572)
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on protocol matches.
When the protocol header doesn't follow the fragment header immediately,
the fragment header contains the protocol number of the next extension
header. When the extension header and the protocol header are sent in
a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
match.
Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
|
Quote:
[IPV6]: fix lockup via /proc/net/ip6_flowlabel (CVE-2006-5619)
There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
after finding a flowlabel, the code will loop forever not finding any
further flowlabels, first traversing the rest of the hash bucket then just
looping.
This patch fixes the problem by breaking after the hash bucket has been
traversed.
Note that this bug can cause lockups and oopses, and is trivially invoked
by an unpriveleged user.
|
Quote:
[S390] fix user readable uninitialised kernel memory (CVE-2006-5174)
A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
|
ChangeLog | CVE-2006-4572 | CVE-2006-5619 | CVE-2006-5174
For 2.6.16. 32:
Quote:
ia64/sparc: fix local DoS with corrupted ELFs (CVE-2006-4538)
This patch prevents cross-region mappings
on IA64 and SPARC which could lead to system crash.
|
ChangeLog | CVE-2006-4538
|