(RHSA-2009:1635) Important: kernel-rt security, bug fix, and enhancement update

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

These updated packages fix the following security issues:

• a NULL pointer dereference flaw was found in the NFSv4 implementation in
  the Linux kernel. Several of the NFSv4 file locking functions failed to
  check whether a file had been opened on the server before performing
  locking operations on it. A local user on a system with an NFSv4 share
  mounted could possibly use this flaw to cause a denial of service or
  escalate their privileges. (CVE-2009-3726, Important)

• permission issues were found in the megaraid_sas driver (for SAS based
  RAID controllers) in the Linux kernel. The “dbg_lvl” and “poll_mode_io”
  files on the sysfs file system (“/sys/”) had world-writable permissions.
  This could allow local, unprivileged users to change the behavior of the
  driver. (CVE-2009-3889, CVE-2009-3939, Moderate)

These updated packages also fix the following bugs:

• a problem existed with the i5000_edac driver under some topologies. In
  some cases, this driver failed to export memory devices via sysfs,
  preventing the ibm-prtm service from starting. With this update, the memory
  devices are accessible, allowing the ibm-prtm service to start, and
  therefore perform SMI remediation as expected. (BZ#527421)

• the “/proc/sys/vm/mmap_min_addr” tunable helps prevent unprivileged
  users from creating new memory mappings below the minimum address. The
  sysctl value for mmap_min_addr could be changed by a process or user that
  has an effective user ID (euid) of 0, even if the process or user does not
  have the CAP_SYS_RAWIO capability. This update adds a capability check for
  the CAP_SYS_RAWIO capability before allowing the mmap_min_addr value to be
  changed. (BZ#534019)

As well, these updated packages add the following enhancements:

• the Intel ixgbe driver was updated to upstream version 2.0.16-k2.
  (BZ#537505)

• the InfiniBand OFED driver was updated to upstream version 1.4.1.
  (BZ#537500)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues and add these enhancements. The system must
be rebooted for this update to take effect.