Department of Earth & Atmospheric Sciences - Information Technology Website

Technology Update

February 5, 2008

Linux kernel update scheduled

Red Hat has released a kernel update to address several security issues. In order to maintain a secure computing environment, the EAS IT staff have scheduled an update for all EAS Linux machines. The update will begin at 2:00 AM on Wednesday, February 13. After the update is installed, a forced reboot will occur to begin using the new kernel. Users should take step to ensure that any running jobs will complete before the update process begins. The security issues addressed in this update are listed below. If you have any questions, or encounter any problems, please send an e-mail to eas-itap@purdue.edu.

A flaw was found in the virtual filesystem (VFS). A local unprivileged user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important)

A flaw was found in the implementation of ptrace. A local unprivileged user could trigger this flaw and possibly cause a denial of service (system hang). (CVE-2007-5500, Important)

A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). (CVE-2007-4130, Important)

A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate)

A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate)

Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate)