[wanger en redhat com: SECURITY (UPDATED): Kernel updates]

To: linux en athena nuclecu unam mx
Subject: [wanger en redhat com: SECURITY (UPDATED): Kernel updates]
From: Miguel de Icaza <miguel en nuclecu unam mx>
Date: Mon, 20 Apr 1998 13:14:59 -0500
Sender: owner-linux en nuclecu unam mx
------- Start of forwarded message -------
Return-Path: <redhat-announce-list-request en redhat com>
Resent-Cc: recipient list not shown: ;
MBOX-Line: From redhat-announce-list-request en redhat com  Sat Apr 18 17:13:50 1998
X-Mailer: exmh version 2.0.2 26.3.98
To: redhat-announce-list en redhat com
Approved: ewt en redhat com
Subject: SECURITY (UPDATED): Kernel updates
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 18 Apr 1998 17:12:11 -0300
From: Mike Wangsmo <wanger en redhat com>
Resent-From: redhat-announce-list en redhat com
Reply-To: redhat-list en redhat com
X-Mailing-List: <redhat-announce-list en redhat com> archive/latest/25
X-Loop: redhat-announce-list en redhat com
Precedence: list
Resent-Sender: redhat-announce-list-request en redhat com
X-URL: http://www.redhat.com

There was a mistake in the 4.2 Intel packages that were released 
yesterday.  This announcement is to announce a new version of the 4.2 
Intel kernel packages.  The ones released yesterday do NOT prevent the 
IP-FRAG attack.  None of the other Red Hat versions/architectures are 
affected by this update.

Red Hat apologizes for this mistake and any inconveniences incurred 
because of it.

The updated 4.2 kernel packages are on ftp.redhat.com and are located 
in /pub/redhat/updates/4.2/i386

If you already upgraded to the packages announced yesterday, all that 
is necessary is to upgrade the kernel core package, not the modules.

kernel-2.0.32-1.2.i386.rpm
kernel-modules-2.0.32-1.2.i386.rpm
kernel-headers-2.0.32-1.2.i386.rpm
kernel-source-2.0.32-1.2.i386.rpm

Mike

- -------------------------------
Original announcement follows:

- --------------------------------------------------------------

A denial of service attack in the TCP/IP code has been discovered with the 
current Red Hat kernels on all platforms and versions.  Red Hat 
suggests that all users upgrade their kernel to one that has been 
patched against this attack.  The packages have been signed with the 
Red Hat PGP key.

The required change in the form of a patch is included within this 
announcement.

Kernel images were not built for the alpha, however the source package 
is available for building on your respective alpha platform.  The enclosed 
patch (at the end of this announcement) can also be applied to a clean 
kernel tree to avoid downloading the entire source package.

Thanks to Alan Cox for the fix.

Mike

Red Hat 5.0
- - -----------

i386:

First, determine what kernel version you are running:  rpm -q kernel
If the output of that indicates you have a 2.0.32 kernel package 
installed, then you need only upgrade the core kernel package:

rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/kernel-2.0.32-3.i386.rpm

If you are not running the 2.0.32 kernel package, then you need to also 
upgrade the modules package as well.  This can be complicated, but the 
procedure has been very clearly documented at 
http://www.redhat.com/support/docs/rhl/intel/kernel-upgrade-intel.html
Please read that before attempting to upgrade your kernel!  It is 
titled for the 4.2 release, but the instructions are the same for 
upgrading a 5.0 kernel.  The only differences will be kernel version 
numbers.  The module package can be upgraded via:

rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/kernel-modules-2.0.32-3.i386.rpm

alpha:

Compiled kernels for the alpha were not built, but both the patch has 
been included in this announcement and the kernel source rpm has been 
released with the patch applied.  If you have a clean kernel tree 
already installed, apply the patch as follows:

copy the patch to /tmp/kernel.patch
cd /usr/src/linux
patch -p1 < /tmp/kernel.patch

The kernel source tree should now be patched and ready to build.

To install the kernel sources:

rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/kernel-source-2.0.30-3.alpha.rp
m
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/kernel-headers-2.0.30-3.alpha.r
pm

cd /usr/src/linux

This tree is already patched and ready to build a new kernel.

Red Hat 4.2
- - -----------

i386:

First, determine what kernel version you are running:  rpm -q kernel
If the output of that indicates you have a 2.0.32 kernel package 
installed, then you need only upgrade the core kernel package:

rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/kernel-2.0.32-1.1.i386.rpm

If you are not running the 2.0.32 kernel package, then you need to also 
upgrade the modules package as well.  This can be complicated, but the 
procedure has been very clearly documented at 
http://www.redhat.com/support/docs/rhl/intel/kernel-upgrade-intel.html
Please read that before attempting to upgrade your kernel!  It is 
titled for the 4.2 release, but the instructions are the same for 
upgrading a 5.0 kernel.  The only differences will be kernel version 
numbers.  The module package can be upgraded via:

rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/kernel-modules-2.0.32-1.1.i386.r
pm

alpha:

Compiled kernels for the alpha were not built, but both the patch has 
been included in this announcement and the kernel source rpm has been 
released with the patch applied.  The same kernel source/header RPMs 
used in 5.0 will work on the 4.2 system.  If you have a clean kernel tree 
already installed, apply the patch as follows:

copy the patch to /tmp/kernel.patch
cd /usr/src/linux
patch -p1 < /tmp/kernel.patch

The kernel source tree should now be patched and ready to build.

To install the kernel sources:

rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/kernel-source-2.0.30-3.alpha.rp
m
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/kernel-headers-2.0.30-3.alpha.r
pm

cd /usr/src/linux

This tree is already patched and ready to build a new kernel.

SPARC:

First, determine what kernel version you are running:  rpm -q kernel
If the output of that indicates you have a 2.0.30 kernel package 
installed, then you need only upgrade the core kernel package:

For single CPU:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/kernel-sparc-2.0.30-4.sparc.rpm
For SMP:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/kernel-sparc-smp-2.0.30-4.sparc
.rpm

If you are not running the 2.0.30 kernel package, then you need to also 
upgrade the modules package as well.  This can be complicated, but the 
procedure has been very clearly documented at 
http://www.redhat.com/support/docs/rhl/intel/kernel-upgrade-intel.html
Please read that before attempting to upgrade your kernel!  Although 
this document is intel based, the same logic applies to the SPARC 
systems.  The module package can be upgraded via:

rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/kernel-modules-2.0.30-4.sparc.r
pm


Patch file
- - ----------

- - --- linux/net/ipv4/ip_fragment.c.wanger Fri Apr 17 13:43:28 1998
+++ linux/net/ipv4/ip_fragment.c        Fri Apr 17 13:43:52 1998
@@ -375,7 +375,7 @@
        fp = qp->fragments;
        while(fp != NULL)
        {
- - -               if (fp->len < 0 || count+fp->len > skb->len)
+               if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)
                {
                        NETDEBUG(printk("Invalid fragment list: Fragment over s
ize.\n"));
                        ip_free(qp);


- - -- 
To unsubscribe:
mail -s unsubscribe redhat-announce-list-request en redhat com < /dev/null


- ------- End of Forwarded Message



- -- 
To unsubscribe:
mail -s unsubscribe redhat-announce-list-request en redhat com < /dev/null
------- End of forwarded message -------
Previo por Fecha: Que onda con mrproper???? y algunas cosillas mas
Siguiente por Fecha: [wanger en redhat com: SECURITY - glibc]
Previo por Hilo: Que onda con mrproper???? y algunas cosillas mas
Siguiente por Hilo: [wanger en redhat com: SECURITY - glibc]
[Hilos de Discusión] [Fecha] [Tema] [Autor]