Bug 522331 (CVE-2009-2903)
Summary: | CVE-2009-2903 kernel: appletalk: denial of service when handling IP tunnelled over DDP datagrams | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | acme, bhu, davej, davem, dhoward, jlieskov, kyle, lgoncalv, lwang, pmatouse, rcvalle, security-response-team, tcallawa, williams |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-03-28 08:10:39 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 522344, 522345 | ||
Bug Blocks: |
Description
Eugene Teo (Security Response)
2009-09-10 05:46:11 UTC
This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise MRG. It is also available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. Future kernel updates in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG may address this issue. Before updates are applied, it is possible to reduce the risk and mitigate this flaw by: * ensuring that both the appletalk and the ipddp modules are loaded, and remain loaded. The "ipddp0" device is automatically created by the ipddp module, causing the packets to be forwarded onto the IP protocol handling code, and thus avoiding the vulnerability as it only happens when this device does not exist. or * disabling the appletalk module, and ensuring that it cannot be loaded. The steps outlined below will not work if the module is already loaded. If the module is loaded and cannot be removed, for example, via "modprobe -r", a reboot will be required before the change takes effect. The "install" command is used to direct the system to run the "/bin/true" command instead of inserting the module if it is called. Red Hat Enterprise Linux 3 Add the following entry to the end of the /etc/modules.conf file: install appletalk /bin/true Note: The kernel-unsupported package provides the appletalk module. This module is not available if you do not have kernel-unsupported installed. Red Hat Enterprise MRG Add the following entry to the end of the /etc/modprobe.conf file: install appletalk /bin/true Updated: Sept 17th, 2009 Upstream commit: http://git.kernel.org/linus/ffcfb8db540ff879c2a85bf7e404954281443414 CVE request: http://article.gmane.org/gmane.comp.security.oss.general/2100 Note, the next kernel update for Red Hat Enterprise MRG will not have support for the AppleTalk protocol. See bug 522503. kernel-2.6.27.35-170.2.94.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/kernel-2.6.27.35-170.2.94.fc10 kernel-2.6.27.35-170.2.94.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. kernel-2.6.30.9-90.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kernel-2.6.30.9-90.fc11 kernel-2.6.30.9-90.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. |