(RHSA-2014:0800) Important: kernel security update

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

• A flaw was found in the way the Linux kernel’s futex subsystem handled
  the requeuing of certain Priority Inheritance (PI) futexes. A local,
  unprivileged user could use this flaw to escalate their privileges on the
  system. (CVE-2014-3153, Important)

• A flaw was found in the way the Linux kernel’s floppy driver handled user
  space provided data in certain error code paths while processing FDRAWCMD
  IOCTL commands. A local user with write access to /dev/fdX could use this
  flaw to free (using the kfree() function) arbitrary kernel memory.
  (CVE-2014-1737, Important)

• It was found that the Linux kernel’s floppy driver leaked internal kernel
  memory addresses to user space during the processing of the FDRAWCMD IOCTL
  command. A local user with write access to /dev/fdX could use this flaw to
  obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)

Note: A local user with write access to /dev/fdX could use these two flaws
(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their
privileges on the system.

Red Hat would like to thank Kees Cook of Google for reporting
CVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and
CVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of
CVE-2014-3153.

All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.