(RHSA-2011:1386) Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

• The maximum file offset handling for ext4 file systems could allow a
  local, unprivileged user to cause a denial of service. (CVE-2011-2695,
  Important)

• IPv6 fragment identification value generation could allow a remote
  attacker to disrupt a target system’s networking, preventing legitimate
  users from accessing its services. (CVE-2011-2699, Important)

• A malicious CIFS (Common Internet File System) server could send a
  specially-crafted response to a directory read request that would result in
  a denial of service or privilege escalation on a system that has a CIFS
  share mounted. (CVE-2011-3191, Important)

• A local attacker could use mount.ecryptfs_private to mount (and then
  access) a directory they would otherwise not have access to. Note: To
  correct this issue, the RHSA-2011:1241 ecryptfs-utils update must also be
  installed. (CVE-2011-1833, Moderate)

• A flaw in the taskstats subsystem could allow a local, unprivileged user
  to cause excessive CPU time and memory use. (CVE-2011-2484, Moderate)

• Mapping expansion handling could allow a local, unprivileged user to
  cause a denial of service. (CVE-2011-2496, Moderate)

• GRO (Generic Receive Offload) fields could be left in an inconsistent
  state. An attacker on the local network could use this flaw to cause a
  denial of service. GRO is enabled by default in all network drivers that
  support it. (CVE-2011-2723, Moderate)

• RHSA-2011:1065 introduced a regression in the Ethernet bridge
  implementation. If a system had an interface in a bridge, and an attacker
  on the local network could send packets to that interface, they could cause
  a denial of service on that system. Xen hypervisor and KVM (Kernel-based
  Virtual Machine) hosts often deploy bridge interfaces. (CVE-2011-2942,
  Moderate)

• A flaw in the Xen hypervisor IOMMU error handling implementation could
  allow a privileged guest user, within a guest operating system that has
  direct control of a PCI device, to cause performance degradation on the
  host and possibly cause it to hang. (CVE-2011-3131, Moderate)

• IPv4 and IPv6 protocol sequence number and fragment ID generation could
  allow a man-in-the-middle attacker to inject packets and possibly hijack
  connections. Protocol sequence number and fragment IDs are now more random.
  (CVE-2011-3188, Moderate)

• A flaw in the kernel’s clock implementation could allow a local,
  unprivileged user to cause a denial of service. (CVE-2011-3209, Moderate)

• Non-member VLAN (virtual LAN) packet handling for interfaces in
  promiscuous mode and also using the be2net driver could allow an attacker
  on the local network to cause a denial of service. (CVE-2011-3347,
  Moderate)

• A flaw in the auerswald USB driver could allow a local, unprivileged user
  to cause a denial of service or escalate their privileges by inserting a
  specially-crafted USB device. (CVE-2009-4067, Low)

• A flaw in the Trusted Platform Module (TPM) implementation could allow a
  local, unprivileged user to leak information to user space. (CVE-2011-1160,
  Low)

• A local, unprivileged user could possibly mount a CIFS share that
  requires authentication without knowing the correct password if the mount
  was already mounted by another local user. (CVE-2011-1585, Low)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; the Ubuntu Security Team for
reporting CVE-2011-1833; Vasiliy Kulikov of Openwall for reporting
CVE-2011-2484; Robert Swiecki for reporting CVE-2011-2496; Brent Meshier
for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188;
Yasuaki Ishimatsu for reporting CVE-2011-3209; Somnath Kotur for reporting
CVE-2011-3347; Rafael Dominguez Vega for reporting CVE-2009-4067; and Peter
Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges
Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of
CVE-2011-1833.