Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now available that fix an information leak from several ethernet drivers, and a file system issue.
The Linux kernel handles the basic functions of the operating system. Vulnerabilities have been found in version 2.4.18 of the kernel. This advisory deals with updates to Red Hat Linux 7.1, 7.2, 7.3, and 8.0. Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0001 to this issue. A vulnerability exists in O_DIRECT handling in Linux kernels 2.4.10 and later that can create a limited information leak where any user on the system with write privileges to a file system can read information from that file system (from previously deleted files), and can create minor file system corruption (easily repaired by fsck). Red Hat Linux in its default configuration is not affected by this bug, because the ext3 file system (the default file system in Red Hat Linux 7.2 and later) does not support the O_DIRECT feature. Of the kernels Red Hat has released, only the 2.4.18 kernels have this bug. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0018 to this issue. Users of the ext2 file system can migrate to the ext3 file system using the tune2fs program as described in the white paper at http://www.redhat.com/support/wpapers/redhat/ext3/ All users of Red Hat Linux 7.1, 7.2, 7.3, and 8.0 should upgrade to these errata packages, which contain patches to ethernet drivers to remove the information leak and a patch to fix O_DIRECT handling. In addition, the following drivers are upgraded to support newer hardware: 3c59x, e100, e1000, tg3