Oracle Releases Multiple Security Updates, Enterprise Linux Patched
Oracle Corporation (NasdaqGS: ORCL) has released the software behemoths’ end-o-the-week-expect-us-to-patch-all-weekend Enterprise Linux security patches; there’s something for everyone here, but lest I wax loquacious, I will let the release notifications speak for themselves. One note though: these are rather serious updates, and we suggest thorough testing before deployment. The updates to Oracle’s Enterprise Linux operating system are available via the company’s Unbreakable Linux Network (ULN) site. Oracle Enterprise Linux is a variant of RED HAT, INC.’s (NYSE: RHT) Red Hat Enterprise Linux OS. Additional information inclusive of release notes and linkage may be accessed after the jump.
Enterprise Linux Security Advisory ELSA-2009-1541
https://rhn.redhat.com/errata/RHSA-2009-1541.html
The following updated rpms for Enterprise Linux 4 have been uploaded to the Unbreakable Linux Network:
i386:
kernel-2.6.9-89.0.16.0.1.EL.i686.rpm
kernel-devel-2.6.9-89.0.16.0.1.EL.i686.rpm
kernel-doc-2.6.9-89.0.16.0.1.EL.noarch.rpm
kernel-hugemem-2.6.9-89.0.16.0.1.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.0.16.0.1.EL.i686.rpm
kernel-smp-2.6.9-89.0.16.0.1.EL.i686.rpm
kernel-smp-devel-2.6.9-89.0.16.0.1.EL.i686.rpm
kernel-xenU-2.6.9-89.0.16.0.1.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.0.16.0.1.EL.i686.rpm
x86_64:
kernel-2.6.9-89.0.16.0.1.EL.x86_64.rpm
kernel-devel-2.6.9-89.0.16.0.1.EL.x86_64.rpm
kernel-doc-2.6.9-89.0.16.0.1.EL.noarch.rpm
kernel-largesmp-2.6.9-89.0.16.0.1.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.0.16.0.1.EL.x86_64.rpm
kernel-smp-2.6.9-89.0.16.0.1.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.0.16.0.1.EL.x86_64.rpm
kernel-xenU-2.6.9-89.0.16.0.1.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.0.16.0.1.EL.x86_64.rpm
ia64:
kernel-2.6.9-89.0.16.0.1.EL.ia64.rpm
kernel-devel-2.6.9-89.0.16.0.1.EL.ia64.rpm
kernel-doc-2.6.9-89.0.16.0.1.EL.noarch.rpm
kernel-largesmp-2.6.9-89.0.16.0.1.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.0.16.0.1.EL.ia64.rpm
SRPMS:
http://oss.oracle.com/el4/SRPMS-updates/kernel-2.6.9-89.0.16.0.1.EL.src.rpm
The following packages were rebuilt to be in sync with the updated kernel version (no changes other than updating the version number):
i386:
oracleasm-2.6.9-89.0.16.0.1.EL-2.0.5-1.el4.i686.rpm
oracleasm-2.6.9-89.0.16.0.1.ELhugemem-2.0.5-1.el4.i686.rpm
oracleasm-2.6.9-89.0.16.0.1.ELsmp-2.0.5-1.el4.i686.rpm
oracleasm-2.6.9-89.0.16.0.1.ELxenU-2.0.5-1.el4.i686.rpm
ocfs2-2.6.9-89.0.16.0.1.EL-1.2.9-1.el4.i686.rpm
ocfs2-2.6.9-89.0.16.0.1.ELhugemem-1.2.9-1.el4.i686.rpm
ocfs2-2.6.9-89.0.16.0.1.ELsmp-1.2.9-1.el4.i686.rpm
ocfs2-2.6.9-89.0.16.0.1.ELxenU-1.2.9-1.el4.i686.rpm
x86_64:
oracleasm-2.6.9-89.0.16.0.1.EL-2.0.5-1.el4.x86_64.rpm
oracleasm-2.6.9-89.0.16.0.1.ELlargesmp-2.0.5-1.el4.x86_64.rpm
oracleasm-2.6.9-89.0.16.0.1.ELsmp-2.0.5-1.el4.x86_64.rpm
oracleasm-2.6.9-89.0.16.0.1.ELxenU-2.0.5-1.el4.x86_64.rpm
ocfs2-2.6.9-89.0.16.0.1.EL-1.2.9-1.el4.x86_64.rpm
ocfs2-2.6.9-89.0.16.0.1.ELlargesmp-1.2.9-1.el4.x86_64.rpm
ocfs2-2.6.9-89.0.16.0.1.ELsmp-1.2.9-1.el4.x86_64.rpm
ocfs2-2.6.9-89.0.16.0.1.ELxenU-1.2.9-1.el4.x86_64.rpm
ia64:
oracleasm-2.6.9-89.0.16.0.1.EL-2.0.5-1.el4.ia64.rpm
oracleasm-2.6.9-89.0.16.0.1.ELlargesmp-2.0.5-1.el4.ia64.rpm
ocfs2-2.6.9-89.0.16.0.1.EL-1.2.9-1.el4.ia64.rpm
ocfs2-2.6.9-89.0.16.0.1.ELlargesmp-1.2.9-1.el4.ia64.rpm
SRPMS:
http://oss.oracle.com/el4/SRPMS-updates/oracleasm-2.6.9-89.0.16.0.1.EL-2.0.5-1.el4.src.rpm
http://oss.oracle.com/el4/SRPMS-updates/ocfs2-2.6.9-89.0.16.0.1.EL-1.2.9-1.el4.src.rpm
Description of changes:
[2.6.9-89.0.16.0.1.EL]
- fix skb alignment that was causing sendto() to fail with EFAULT
(Olaf Kirch) [orabug 6845794]
- fix enomem due to larger mtu size page alloc (Zach Brown) [orabug
5486128]
- backout patch sysrq-b that queues upto keventd thread (Guru Anbalagane)
[orabug 6125546]
- netrx/netpoll race avoidance (Tina Yang) [orabug 6143381]
- [XEN] Fix elf_core_dump (Tina Yang) [orabug 6995928]
- use lfence instead of cpuid instruction to implement memory barriers
(Herbert van den Bergh) [orabug 7452412]
- add netpoll support to xen netfront (Tina Yang) [orabz 7261]
- [xen] execshield: fix endless GPF fault loop (Stephen Tweedie)
[orabug 7175395]
- [xen]: port el5u2 patch that allows 64-bit PVHVM guest to boot with 32-bit
dom0 [orabug 7452107] xenstore
- [mm] update shrink_zone patch to allow 100% swap utilization (John
Sobecki,
Chris Mason, Chuck Anderson, Dave McCracken) [orabug 7566319,6086839]
- [kernel] backport report_lost_ticks patch from EL5.2 (John Sobecki)
[orabug 6110605]
- [xen] fix for hung JVM thread after #GPF [orabug 7916406] (Chuck Anderson)
- port EL5U3 patch to adjust totalhigh_pages in the balloon driver
[orabug 8300888]
- check to see if hypervisor supports memory reservation change (Chuck
Anderson) [orabug7556514]
- [XEN] use hypercall to fixmap pte updates (Mukesh Rathor) [orabug 8433329]
- [XEN] Extend physical mask to 40bit for machine above 64G [orabug 8312526]
- fix oops in nlmclnt_mark_reclaim (Trond Myklebust) [orabug 8568878]
- [x86_64] Allowed machine_reboot running on boot_cpu (Joe Jin) [orabug
8425237]
[2.6.9-89.0.16]
-fs: fix pipe null pointer dereference (Jeff Moyer) [530936 530937]
{CVE-2009-3547}
https://rhn.redhat.com/errata/RHSA-2009-1549.html
The following updated rpms for Enterprise Linux 5 have been uploaded to the Unbreakable Linux Network:
i386:
wget-1.11.4-2.el5_4.1.i386.rpm
x86_64:
wget-1.11.4-2.el5_4.1.x86_64.rpm
ia64:
wget-1.11.4-2.el5_4.1.ia64.rpm
SRPMS:
http://oss.oracle.com/el5/SRPMS-updates/wget-1.11.4-2.el5_4.1.src.rpm
Description of changes:
[1.11.4-3]
- add fix for CVE-2009-3490,
incorrect verification of SSL certificate with NUL in name
https://rhn.redhat.com/errata/RHSA-2009-1549.html
The following updated rpms for Enterprise Linux 4 have been uploaded to the Unbreakable Linux Network:
i386:
wget-1.10.2-1.el4_8.1.i386.rpm
x86_64:
wget-1.10.2-1.el4_8.1.x86_64.rpm
ia64:
wget-1.10.2-1.el4_8.1.ia64.rpm
SRPMS:
http://oss.oracle.com/el4/SRPMS-updates/wget-1.10.2-1.el4_8.1.src.rpm
Description of changes:
[1.10.2-1.1]
- fix release number
[1.10.2-0.1]
- add fix for CVE-2009-3490,
incorrect verification of SSL certificate with NUL in name
https://rhn.redhat.com/errata/RHSA-2009-1549.html
The following updated rpms for Enterprise Linux 3 have been uploaded to the Unbreakable Linux Network:
i386:
wget-1.10.2-0.30E.1.i386.rpm
x86_64:
wget-1.10.2-0.30E.1.x86_64.rpm
SRPMS:
http://oss.oracle.com/el3/SRPMS-updates/wget-1.10.2-0.30E.1.src.rpm
Description of changes:
[1.10.2-0.30E.1]
- add fix for CVE-2009-3490,
incorrect verification of SSL certificate with NUL in name
https://rhn.redhat.com/errata/RHSA-2009-1548.html
The following updated rpms for Enterprise Linux 5 have been uploaded to the Unbreakable Linux Network:
i386:
kernel-2.6.18-164.6.1.0.1.el5.i686.rpm
kernel-PAE-2.6.18-164.6.1.0.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-164.6.1.0.1.el5.i686.rpm
kernel-debug-2.6.18-164.6.1.0.1.el5.i686.rpm
kernel-debug-devel-2.6.18-164.6.1.0.1.el5.i686.rpm
kernel-devel-2.6.18-164.6.1.0.1.el5.i686.rpm
kernel-doc-2.6.18-164.6.1.0.1.el5.noarch.rpm
kernel-headers-2.6.18-164.6.1.0.1.el5.i386.rpm
kernel-xen-2.6.18-164.6.1.0.1.el5.i686.rpm
kernel-xen-devel-2.6.18-164.6.1.0.1.el5.i686.rpm
x86_64:
kernel-2.6.18-164.6.1.0.1.el5.x86_64.rpm
kernel-debug-2.6.18-164.6.1.0.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-164.6.1.0.1.el5.x86_64.rpm
kernel-devel-2.6.18-164.6.1.0.1.el5.x86_64.rpm
kernel-doc-2.6.18-164.6.1.0.1.el5.noarch.rpm
kernel-headers-2.6.18-164.6.1.0.1.el5.x86_64.rpm
kernel-xen-2.6.18-164.6.1.0.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-164.6.1.0.1.el5.x86_64.rpm
ia64:
kernel-2.6.18-164.6.1.0.1.el5.ia64.rpm
kernel-debug-2.6.18-164.6.1.0.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-164.6.1.0.1.el5.ia64.rpm
kernel-devel-2.6.18-164.6.1.0.1.el5.ia64.rpm
kernel-doc-2.6.18-164.6.1.0.1.el5.noarch.rpm
kernel-headers-2.6.18-164.6.1.0.1.el5.ia64.rpm
kernel-xen-2.6.18-164.6.1.0.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-164.6.1.0.1.el5.ia64.rpm
SRPMS:
http://oss.oracle.com/el5/SRPMS-updates/kernel-2.6.18-164.6.1.0.1.el5.src.rpm
The following packages were rebuilt to be in sync with the updated kernel version (no changes other than updating the version number):
i386:
oracleasm-2.6.18-164.6.1.0.1.el5-2.0.5-1.el5.i686.rpm
oracleasm-2.6.18-164.6.1.0.1.el5PAE-2.0.5-1.el5.i686.rpm
oracleasm-2.6.18-164.6.1.0.1.el5xen-2.0.5-1.el5.i686.rpm
oracleasm-2.6.18-164.6.1.0.1.el5debug-2.0.5-1.el5.i686.rpm
ocfs2-2.6.18-164.6.1.0.1.el5-1.4.4-1.el5.i686.rpm
ocfs2-2.6.18-164.6.1.0.1.el5PAE-1.4.4-1.el5.i686.rpm
ocfs2-2.6.18-164.6.1.0.1.el5xen-1.4.4-1.el5.i686.rpm
ocfs2-2.6.18-164.6.1.0.1.el5debug-1.4.4-1.el5.i686.rpm
ocfs2-2.6.18-164.6.1.0.1.el5-1.4.4-1.el5.i686.rpm
ocfs2-2.6.18-164.6.1.0.1.el5PAE-1.4.4-1.el5.i686.rpm
ocfs2-2.6.18-164.6.1.0.1.el5xen-1.4.4-1.el5.i686.rpm
ocfs2-2.6.18-164.6.1.0.1.el5debug-1.4.4-1.el5.i686.rpm
x86_64:
oracleasm-2.6.18-164.6.1.0.1.el5-2.0.5-1.el5.x86_64.rpm
oracleasm-2.6.18-164.6.1.0.1.el5xen-2.0.5-1.el5.x86_64.rpm
oracleasm-2.6.18-164.6.1.0.1.el5debug-2.0.5-1.el5.x86_64.rpm
ocfs2-2.6.18-164.6.1.0.1.el5-1.4.4-1.el5.x86_64.rpm
ocfs2-2.6.18-164.6.1.0.1.el5xen-1.4.4-1.el5.x86_64.rpm
ocfs2-2.6.18-164.6.1.0.1.el5debug-1.4.4-1.el5.x86_64.rpm
ocfs2-2.6.18-164.6.1.0.1.el5-1.4.4-1.el5.x86_64.rpm
ocfs2-2.6.18-164.6.1.0.1.el5xen-1.4.4-1.el5.x86_64.rpm
ocfs2-2.6.18-164.6.1.0.1.el5debug-1.4.4-1.el5.x86_64.rpm
ia64:
oracleasm-2.6.18-164.6.1.0.1.el5-2.0.5-1.el5.ia64.rpm
oracleasm-2.6.18-164.6.1.0.1.el5xen-2.0.5-1.el5.ia64.rpm
oracleasm-2.6.18-164.6.1.0.1.el5debug-2.0.5-1.el5.ia64.rpm
ocfs2-2.6.18-164.6.1.0.1.el5-1.4.4-1.el5.ia64.rpm
ocfs2-2.6.18-164.6.1.0.1.el5xen-1.4.4-1.el5.ia64.rpm
ocfs2-2.6.18-164.6.1.0.1.el5debug-1.4.4-1.el5.ia64.rpm
SRPMS:
http://oss.oracle.com/el5/SRPMS-updates/oracleasm-2.6.18-164.6.1.0.1.el5-2.0.5-1.el5.src.rpm
http://oss.oracle.com/el5/SRPMS-updates/ocfs2-2.6.18-164.6.1.0.1.el5-1.4.4-1.el5.src.rpm
Description of changes:
[2.6.18-164.6.1.0.1.el5]
- [xen] check to see if hypervisor supports memory reservation change
(Chuck Anderson) [orabug 7556514]
- Add entropy support to igb ( John Sobecki) [orabug 7607479]
- [nfs] convert ENETUNREACH to ENOTCONN [orabug 7689332]
- [NET] Add xen pv/bonding netconsole support (Tina yang) [orabug
6993043] [bz 7258]
- [MM] shrink zone patch (John Sobecki,Chris Mason) [orabug 6086839]
- fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042]
- [nfsd] fix failure of file creation from hpux client (Wen gang Wang)
[orabug 7579314]
[2.6.18-164.6.1.el5]
- [fs] fix pipe null pointer dereference (Jeff Moyer) [530938 530939]
{CVE-2009-3547}
- [security] require root for mmap_min_addr (Eric Paris ) [518142
518143] {CVE-2009-2695}
- [net] lvs: adjust sync protocol handling for ipvsadm -2 (Neil Horman )
[528645 524129]
- [xen] allow booting with broken serial hardware (Chris Lalancette )
[524153 518338]
[2.6.18-164.5.1.el5]
- [fs] eCryptfs: prevent lower dentry from going negative (Eric Sandeen
) [527834 527835] {CVE-2009-2908}
- [nfs] v4: reclaimer thread stuck in an infinite loop (Sachin S. Prabhu
) [529162 526888]
- [net] r8169: avoid losing MSI interrupts (Ivan Vecera ) [529366 514589]
- [scsi] st.c: memory use after free after MTSETBLK ioctl (David Jeffery
) [528133 520192]
- [net] r8169: balance pci_map/unmap pair, use hw padding (Ivan Vecera )
[529143 515857] {CVE-2009-3613}
[2.6.18-164.4.1.el5]
- [net] bonding: set primary param via sysfs (Jiri Pirko ) [517971 499884]
- [scsi] fusion: re-enable mpt_msi_enable option (Tomas Henzl ) [526963
520820]
- [net] ipt_recent: sanity check hit count (Amerigo Wang ) [527434 523982]
- [net] ipv4: ip_append_data handle NULL routing table (Jiri Pirko )
[527436 520297]
- [nfs] fix cache invalidation problems in nfs_readdir (Jeff Layton )
[526960 511170]
- [net] tc: fix unitialized kernel memory leak (Jiri Pirko ) [520994 520863]
[2.6.18-164.3.1.el5]
- [nfs] knfsd: fix NFSv4 O_EXCL creates (Jeff Layton ) [522163 524521]
{CVE-2009-3286}
https://rhn.redhat.com/errata/RHSA-2009-1550.html
The following updated rpms for Enterprise Linux 3 have been uploaded to the Unbreakable Linux Network:
i386:
kernel-2.4.21-63.0.0.0.1.EL.athlon.rpm
kernel-2.4.21-63.0.0.0.1.EL.i686.rpm
kernel-BOOT-2.4.21-63.0.0.0.1.EL.i386.rpm
kernel-doc-2.4.21-63.0.0.0.1.EL.i386.rpm
kernel-hugemem-2.4.21-63.0.0.0.1.EL.i686.rpm
kernel-hugemem-unsupported-2.4.21-63.0.0.0.1.EL.i686.rpm
kernel-smp-2.4.21-63.0.0.0.1.EL.athlon.rpm
kernel-smp-2.4.21-63.0.0.0.1.EL.i686.rpm
kernel-smp-unsupported-2.4.21-63.0.0.0.1.EL.athlon.rpm
kernel-smp-unsupported-2.4.21-63.0.0.0.1.EL.i686.rpm
kernel-source-2.4.21-63.0.0.0.1.EL.i386.rpm
kernel-unsupported-2.4.21-63.0.0.0.1.EL.athlon.rpm
kernel-unsupported-2.4.21-63.0.0.0.1.EL.i686.rpm
x86_64:
kernel-2.4.21-63.0.0.0.1.EL.ia32e.rpm
kernel-2.4.21-63.0.0.0.1.EL.x86_64.rpm
kernel-doc-2.4.21-63.0.0.0.1.EL.x86_64.rpm
kernel-smp-2.4.21-63.0.0.0.1.EL.x86_64.rpm
kernel-smp-unsupported-2.4.21-63.0.0.0.1.EL.x86_64.rpm
kernel-source-2.4.21-63.0.0.0.1.EL.x86_64.rpm
kernel-unsupported-2.4.21-63.0.0.0.1.EL.ia32e.rpm
kernel-unsupported-2.4.21-63.0.0.0.1.EL.x86_64.rpm
SRPMS:
http://oss.oracle.com/el3/SRPMS-updates/kernel-2.4.21-63.0.0.0.1.EL.src.rpm
The following packages were rebuilt to be in sync with the updated kernel version (no changes other than updating the version number):
i386:
oracleasm-2.4.21-63.0.0.0.1.EL-1.0.5-1.i686.rpm
oracleasm-2.4.21-63.0.0.0.1.ELhugemem-1.0.5-1.i686.rpm
oracleasm-2.4.21-63.0.0.0.1.ELsmp-1.0.5-1.i686.rpm
x86_64:
oracleasm-2.4.21-63.0.0.0.1.EL-1.0.5-1.ia32e.rpm
oracleasm-2.4.21-63.0.0.0.1.EL-1.0.5-1.x86_64.rpm
oracleasm-2.4.21-63.0.0.0.1.ELsmp-1.0.5-1.x86_64.rpm
SRPMS:
http://oss.oracle.com/el3/SRPMS-updates/oracleasm-2.4.21-63.0.0.0.1.EL-1.0.5-1.src.rpm
Description of changes:
[2.4.21-63.0.0.0.1.EL]
- add directio support for qla drivers (herb) [ora 6346849]
- support PT Quad card [ora 5751043]
- io to nfs partition hangs [ora 5088963]
- add entropy for bnx2 nic [ora 5931647]
- avoid large allocation-fragmentation in MTU (zab)
- fix clear highpage (wli)
[2.4.21-63.EL]
- fs: fix pipe null pointer dereference (Don Howard) [530935]
{CVE-2009-3547}
[2.4.21-61.EL]
- ipv6: use timer pending to fix bridge reference count problem (Don
Howard) [457010]
- net: fix unix socket panic (Don Howard) [470432] {CVE-2008-5029}
- unix: fix oom with unix socket garbage collector [473266] {CVE-2008-5300}
- exit_notify: kill the wrong capable check (Don Howard) [497266]
{CVE-2009-1337}
- e1000: fix skb_over_panic (Don Howard) [503439] {CVE-2009-1385}
- net: ensure devname passed to SO_BINDTODEVICE is NULL-terminated (Don
Howard) [505514]
- kernel: personality handling: fix per_clear_on_setid (Don Howard)
[508845] {CVE-2009-1895}
- build with fno-delete-null-pointer-checks (Don Howard) [511185]
- implement mmap_min_addr infrastructure (Don Howard) [512642]
- execve: must clear current->clear_child_tid (Don Howard) [515426]
{CVE-2009-2848}
- net: Fix info leaks in getname() implementations (Don Howard) [520292]
{CVE-2009-3002}
- net: ipv4: ip_append_data handle NULL routing table (Don Howard) [520300]
