SuSE Update for kernel SUSE-SA:2008:037

Impact
local privilege escalation
Solution
Please install the updated packages.
Insight
The openSUSE 11.0 kernel was updated to 2.6.25.11-0.1. It fixes the following security problems:

CVE-2008-2812: Various tty / serial devices did not check function pointers for NULL before calling them, leading to potential crashes or code execution. The affected devices are usually only accessible by the root user, though.

CVE-2008-2750: The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux kernel allows remote attackers to cause a denial of service (kernel heap memory corruption and system crash) and possibly have unspecified other impact via a crafted PPPOL2TP packet that results in a large value for a certain length variable.

CVE-2008-3247: On x86_64 systems, an incorrect buffer size in LDT handling might allow local untrusted attackers to crash the machine or potentially execute code with kernel privileges. This problem only affects the openSUSE 11.0 kernel, since it was introduced in the 2.6.25 kernel.

The update also has lots of other bugfixes that are listed in the RPM changelog.

We previously also released a 2.6.25.9-0.2 kernel but did not separately announce it. That update fixed the following security problems:

CVE-2008-2372: A resource starvation issue within mmap was fixed, which could have been used by local attackers to hang the machine.

CVE-2008-2826: An integer overflow in SCTP was fixed, which might have been used by remote attackers to crash the machine or potentially execute code.
Affected
kernel on openSUSE 11.0
References