Red Hat, RHSA-2010:0474
History: Jun 15, 2010 - 12:00 a.m.

(RHSA-2010:0474) Important: kernel security and bug fix update

2010-06-15 00:00:00
access.redhat.com

EPSS: 0.573 (Medium), percentile 97.7%

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

  • a NULL pointer dereference flaw was found in the Linux kernel NFSv4
    implementation. Several of the NFSv4 file locking functions failed to check
    whether a file had been opened on the server before performing locking
    operations on it. A local, unprivileged user on a system with an NFSv4
    share mounted could possibly use this flaw to cause a kernel panic (denial
    of service) or escalate their privileges. (CVE-2009-3726, Important)

  • a flaw was found in the sctp_process_unk_param() function in the Linux
    kernel Stream Control Transmission Protocol (SCTP) implementation. A remote
    attacker could send a specially-crafted SCTP packet to an SCTP listening
    port on a target system, causing a kernel panic (denial of service).
    (CVE-2010-1173, Important)

  • a race condition between finding a keyring by name and destroying a freed
    keyring was found in the Linux kernel key management facility. A local,
    unprivileged user could use this flaw to cause a kernel panic (denial of
    service) or escalate their privileges. (CVE-2010-1437, Important)

Red Hat would like to thank Simon Vallet for responsibly reporting
CVE-2009-3726; and Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia
Siemens Networks, and Wind River on behalf of their customer, for
responsibly reporting CVE-2010-1173.

Bug fixes:

  • RHBA-2007:0791 introduced a regression in the Journaling Block Device
    (JBD). Under certain circumstances, removing a large file (such as 300 MB
    or more) did not result in inactive memory being freed, leading to the
    system having a large amount of inactive memory. Now, the memory is
    correctly freed. (BZ#589155)

  • the timer_interrupt() routine did not scale lost real ticks to logical
    ticks correctly, possibly causing time drift for 64-bit Red Hat Enterprise
    Linux 4 KVM (Kernel-based Virtual Machine) guests that were booted with the
    “divider=x” kernel parameter set to a value greater than 1. “warning: many
    lost ticks” messages may have been logged on the affected guest systems.
    (BZ#590551)

  • a bug could have prevented NFSv3 clients from having the most up-to-date
    file attributes for files on a given NFSv3 file system. In cases where a
    file type changed, such as if a file was removed and replaced with a
    directory of the same name, the NFSv3 client may not have noticed this
    change until stat(2) was called (for example, by running “ls -l”).
    (BZ#596372)

  • RHBA-2007:0791 introduced bugs in the Linux kernel PCI-X subsystem. These
    could have caused a system deadlock on some systems where the BIOS set the
    default Maximum Memory Read Byte Count (MMRBC) to 4096, and that also use
    the Intel PRO/1000 Linux driver, e1000. Errors such as “e1000: eth[x]:
    e1000_clean_tx_irq: Detected Tx Unit Hang” were logged. (BZ#596374)

  • an out of memory condition in a KVM guest, using the virtio-net network
    driver and also under heavy network stress, could have resulted in
    that guest being unable to receive network traffic. Users had to manually
    remove and re-add the virtio_net module and restart the network service
    before networking worked as expected. Such memory conditions no longer
    prevent KVM guests receiving network traffic. (BZ#597310)

  • when an SFQ qdisc that limited the queue size to two packets was added to
    a network interface, sending traffic through that interface resulted in a
    kernel crash. Such a qdisc no longer results in a kernel crash. (BZ#597312)

  • when an NFS client opened a file with the O_TRUNC flag set, it received
    a valid stateid, but did not use that stateid to perform the SETATTR call.
    Such cases were rejected by Red Hat Enterprise Linux 4 NFS servers with an
    “NFS4ERR_BAD_STATEID” error, possibly preventing some NFS clients from
    writing files to an NFS file system. (BZ#597314)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.
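
For triage, the preconditions the advisory names (an NFSv4 share mounted for CVE-2009-3726, SCTP in use for CVE-2010-1173) and the reboot requirement can be checked with a short script. This is an added example, not part of the Red Hat advisory: the function names and sample inputs are constructed, the kernel versions in them are placeholders, and it assumes SCTP is built as a loadable module.

```shell
#!/bin/sh
# Added example: exposure triage for the security fixes in this advisory.
# Each function reads text on stdin, so it runs on live files or saved copies:
#   nfs4_mounts < /proc/mounts; sctp_loaded < /proc/modules
#   rpm -q --last kernel | reboot_pending "$(uname -r)"
# CVE-2010-1437 needs only a local, unprivileged user, so nothing is checked for it.

# CVE-2009-3726 requires an NFSv4 share to be mounted.
# Input: /proc/mounts format. Prints the mount point of every nfs4 entry.
nfs4_mounts() {
    awk '$3 == "nfs4" { print $2 }'
}

# CVE-2010-1173 requires an SCTP listening port, which requires SCTP support.
# Input: /proc/modules format. Succeeds if the sctp module is loaded
# (assumption: SCTP is a module; a loaded module does not prove a listener).
sctp_loaded() {
    awk '$1 == "sctp" { found = 1 } END { exit !found }'
}

# The update takes effect only after a reboot.
# Input: `rpm -q --last kernel` output (most recent install first); $1: `uname -r`.
# Returns 0 if the running kernel is not the newest install, 1 if it is,
# 2 if no package line was supplied.
reboot_pending() {
    # Keep the first field of line 1 and drop the package-name prefix.
    newest=$(sed -n '1{s/[[:space:]].*//;s/^[^0-9]*-\([0-9]\)/\1/;p;}')
    [ -n "$newest" ] || return 2
    case "$1" in
        "$newest"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample inputs; versions 998/999 are placeholders, not real builds.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
filer:/export /mnt/data nfs4 rw,hard,intr 0 0
filer:/home /home nfs rw,vers=3 0 0'
SAMPLE_MODULES='sctp 167573 2 - Live 0xf8a6d000
ipv6 240225 13 sctp, Live 0xf8a11000'
SAMPLE_RPM='kernel-smp-2.6.9-999.EL   Tue 15 Jun 2010 10:00:00 AM UTC
kernel-smp-2.6.9-998.EL   Mon 01 Mar 2010 09:00:00 AM UTC'

echo "NFSv4 mounts: $(printf '%s\n' "$SAMPLE_MOUNTS" | nfs4_mounts)"
if printf '%s\n' "$SAMPLE_MODULES" | sctp_loaded; then echo "sctp module loaded"; fi
if printf '%s\n' "$SAMPLE_RPM" | reboot_pending "2.6.9-998.ELsmp"; then
    echo "updated kernel installed but not running: reboot pending"
fi
```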