Advisories:rPSA-2006-0162

From rPath Wiki

rPath Security Advisory 2006-0162-2

Published: 2006-08-31

Updated

  1. 2006-09-06 Repaired incorrect configuration

Products

  • rPath Linux 1

Rating

Major

Exposure Level Classification

Local Root Deterministic Privilege Escalation

Updated Versions

  • kernel=conary.rpath.com@rpl:1/2.6.17.11-1.1-1

rPath Issue Tracking System

References

Description

Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the
system to crash (denial of service). Malformed CDROM firmware or
USB storage devices (such as USB keys) could cause a system crash
(denial of service) and, if intentionally malformed, can cause
arbitrary code to run with elevated privileges. In addition, the
SCTP protocol is subject to a remote system crash (denial of
service) attack, but rPath Linux does not include the tools required
to configure the SCTP protocol, so rPath Linux is not vulnerable to
this attack in its default configuration.

5 September 2006 Update: The initial fix for these vulnerabilities
was built with a configuration error that disabled some features.
The latest version resolves this configuration error.

A system reboot is required for the fixes in this update to take
effect.

Copyright 2006 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html