kernel-2.6.18-194.3.AXS3

The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.
Security issues fixed with this release:
CVE-2010-0291
The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the 'do_mremap() mess' or 'mremap/mmap mess.'
CVE-2010-0622
The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space.
CVE-2010-1087
The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x through 2.6.33-rc5 allows attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible.
CVE-2010-1088
fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount 'symlinks,' which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW.
CVE-2010-1173
The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data.
CVE-2010-1187
The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference.
CVE-2010-1436
gfs2 in the Linux kernel 2.6.18, and possibly other versions, does not properly handle when the gfs2_quota struct occupies two separate pages, which allows local users to cause a denial of service (kernel panic) via certain manipulations that cause an out-of-bounds write, as demonstrated by writing from an ext3 file system to a gfs2 file system.
CVE-2010-1437
Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function.
CVE-2010-1641
The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.
Fixed bugs:
acpi
- warn on hot-add of memory exceeding 4G boundary
- fix WARN on unregister in power meter driver
block
- cfq-iosched: fix IOPRIO_CLASS_IDLE accounting
- cfq-iosched: async queue allocation per priority
- cfq-iosched: fix async queue behaviour
- cfq-iosched: propagate down request sync flag
- introduce the rq_is_sync macro
fs
- remove unneccessary f_ep_lock from fasync_helper
misc
- add atomic64_cmpxcgh to x86_64 include files
mm
- fix hugepage corruption using vm.drop_caches
- clear page errors when issuing a fresh read of page
net
- e1000: fix WoL init when WoL disabled in EEPROM
- tg3: fix INTx fallback when MSI fails
- sched: fix SFQ qdisc crash w/limit of 2 packets
- bonding: fix broken multicast with round-robin mode
- cnic: Fix crash during bnx2x MTU change
- bxn2x: add dynamic lro disable support
- sctp: file must be valid before setting timeout
- e1000/e1000e: implement simple interrupt moderation
- neigh: fix state transitions via Netlink request
- tg3: fix panic in tg3_interrupt
- cnic: fix bnx2x panic w/multiple interfaces enabled
nfs
- revert retcode check in nfs_revalidate_mapping()
- don't unhash dentry in nfs_lookup_revalidate
virt
- don't compute pvclock adjustments if we trust tsc
- add a global synchronization point for pvclock
- enable pvclock flags in vcpu_time_info structure
virtio
- fix GFP flags passed by virtio balloon driver
x86
- grab atomic64 types from upstream
x86_64
- fix time drift due to faulty lost tick tracking
xen
- set hypervisor present CPUID bit