kernel security update

CentOS Errata and Security Advisory CESA-2010:0936

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

• A flaw in sctp_packet_config() in the Linux kernel’s Stream Control
  Transmission Protocol (SCTP) implementation could allow a remote attacker
  to cause a denial of service. (CVE-2010-3432, Important)

• A missing integer overflow check in snd_ctl_new() in the Linux kernel’s
  sound subsystem could allow a local, unprivileged user on a 32-bit system
  to cause a denial of service or escalate their privileges. (CVE-2010-3442,
  Important)

Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-3442.

Bug fixes:

• Forward time drift was observed on virtual machines using PM
  timer-based kernel tick accounting and running on KVM or the Microsoft
  Hyper-V Server hypervisor. Virtual machines that were booted with the
  divider=x kernel parameter set to a value greater than 1 and that showed
  the following in the kernel boot messages were subject to this issue:

time.c: Using PM based timekeeping

Fine grained accounting for the PM timer is introduced which eliminates
this issue. However, this fix uncovered a bug in the Xen hypervisor,
possibly causing backward time drift. If this erratum is installed in Xen
HVM guests that meet the aforementioned conditions, it is recommended that
the host use kernel-xen-2.6.18-194.26.1.el5 or newer, which includes a fix
(BZ#641915) for the backward time drift. (BZ#629237)

• With multipath enabled, systems would occasionally halt when the
  do_cciss_request function was used. This was caused by wrongly-generated
  requests. Additional checks have been added to avoid the aforementioned
  issue. (BZ#640193)

• A Sun X4200 system equipped with a QLogic HBA spontaneously rebooted and
  logged a Hyper-Transport Sync Flood Error to the system event log. A
  Maximum Memory Read Byte Count restriction was added to fix this bug.
  (BZ#640919)

• For an active/backup bonding network interface with VLANs on top of it,
  when a link failed over, it took a minute for the multicast domain to be
  rejoined. This was caused by the driver not sending any IGMP join packets.
  The driver now sends IGMP join packets and the multicast domain is rejoined
  immediately. (BZ#641002)

• Replacing a disk and trying to rebuild it afterwards caused the system to
  panic. When a domain validation request for a hot plugged drive was sent,
  the mptscsi driver did not validate its existence. This could result in the
  driver accessing random memory and causing the crash. A check has been
  added that describes the newly-added device and reloads the iocPg3 data
  from the firmware if needed. (BZ#641137)

• An attempt to create a VLAN interface on a bond of two bnx2 adapters in
  two switch configurations resulted in a soft lockup after a few seconds.
  This was caused by an incorrect use of a bonding pointer. With this update,
  soft lockups no longer occur and creating a VLAN interface works as
  expected. (BZ#641254)

• Erroneous pointer checks could have caused a kernel panic. This was due
  to a critical value not being copied when a network buffer was duplicated
  and consumed by multiple portions of the kernel’s network stack. Fixing the
  copy operation resolved this bug. (BZ#642746)

• A typo in a variable name caused it to be dereferenced in either mkdir()
  or create() which could cause a kernel panic. (BZ#643342)

• SCSI high level drivers can submit SCSI commands which would never be
  completed when the device was offline. This was caused by a missing
  callback for the request to complete the given command. SCSI requests are
  now terminated by calling their callback when a device is offline.
  (BZ#644816)

• A kernel panic could have occurred on systems due to a recursive lock in
  the 3c59x driver. Recursion is now avoided and this kernel panic no longer
  occurs. (BZ#648407)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2011-January/079385.html
https://lists.centos.org/pipermail/centos-announce/2011-January/079386.html

Affected packages:
kernel
kernel-devel
kernel-doc
kernel-hugemem
kernel-hugemem-devel
kernel-largesmp
kernel-largesmp-devel
kernel-smp
kernel-smp-devel
kernel-xenU
kernel-xenU-devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2010:0936