Network Issues
PHP 5.2.8 Upgrade (Scheduled)
Affecting System - ALL Servers | Status - Medium
We will be updating all servers running PHP 5 this weekend with PHP 5.2.8.
This will take place as far as possible during off-peak hours. No reboot is required to complete the upgrade. The downtime should not exceed 5-10 minutes and will be minimized as much as possible.
This upgrade is scheduled as follows:
Date: 20 December 2008, Saturday to 22 December 2008, Monday
Time: Between 2AM and 8AM EST
Due to the large number of servers being upgraded, we do not have a fixed time for your server. If you wish to schedule it, you are free to request a time and we will try as much as possible to fit within your time window.
This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related.
Security Enhancements and Fixes in PHP 5.2.8:
* Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371)
* Fixed missing initialization of BG(page_uid) and BG(page_gid), reported by Maksymilian Arciemowicz.
* Fixed incorrect php_value order for Apache configuration, reported by Maksymilian Arciemowicz.
* Fixed a crash inside gd with invalid fonts (Fixes CVE-2008-3658).
* Fixed a possible overflow inside memnstr (Fixes CVE-2008-3659).
* Fixed security issues detailed in CVE-2008-2665 and CVE-2008-2666.
* Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)). (Fixes CVE-2008-3660)
* Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow). (Fixes CVE-2008-2829)
Key enhancements in PHP 5.2.8 include:
* Fixed several memory leaks inside the readline and sqlite extensions
* A number of corrections relating to date parsing inside the date extension
* Fixed bugs relating to data retrieval in the PDO extension
* A series of crashes in various areas of code were resolved
* Several corrections were made to the strip_tags() function in terms of < and
* A number of bugs were fixed in extract() function when EXTR_REFS flag is being used
* Added the ability to log PHP errors to the SAPI (Ex. Apache log) logging facility
* Over 170 bug fixes.
For a full list of changes in PHP 5.2.7, see the ChangeLog:
http://www.php.net/ChangeLog-5.php#5.2.7
Important Note to all users currently on PHP 4.x: [PHP 4 end of life announcement]
=================================================================
Today it is almost four years since PHP 5 was released. In those three years it has seen many improvements over PHP 4. PHP 5 is fast, stable and production-ready, and as PHP 6 is on the way, PHP 4 will be discontinued.
The PHP development team has announced that support for PHP 4 will continue until 31st December 2007. After 31st December 2007, there will be no more releases of PHP 4.4. Security patches ceased on 31st August 2008.
We strongly recommend that all users currently on PHP 4.x upgrade to PHP 5, or consider running both versions concurrently and start a timeline for switching over, as PHP 4 is no longer supported.
Clients who are currently using PHP 4.4.x and would like to upgrade to PHP 5, please contact us directly at support@murabba.com to schedule an upgrade to PHP 5.
Thank you.
Best Regards,
Kernel Upgrades for Redhat Enterprise / CentOS (Scheduled)
Affecting System - ALL Servers | Status - Urgent
Dear Valued Clients
We will be updating all our Redhat Enterprise / CentOS 4/5 server(s) this weekend for a kernel upgrade. This will take place as far as possible during off-peak hours. A reboot is required to complete the upgrade. The downtime should not exceed 30 minutes and will be minimized as much as possible. We will track each server until it returns to service after the upgrade and reboot.
This upgrade is scheduled as follows:
Date: 20 December 2008, Saturday to 22 December 2008, Monday
Time: Between 2AM and 8AM EST
Due to the large number of servers being upgraded, we do not have a fixed time for your server. If you wish to schedule it, you are free to request a time and we will try as much as possible to fit within your time window.
Kernel security and bug fix updates for CentOS 5
====================================
These kernel packages resolve several security issues and fix various bugs. The update is rated as having important security impact.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
* Olaf Kirch reported a flaw in the i915 kernel driver. This flaw could, potentially, lead to local privilege escalation. Note: the flaw only affects systems based on the Intel G33 Express Chipset and newer. (CVE-2008-3831, Important)
* Miklos Szeredi reported a missing check for files opened with O_APPEND in sys_splice(). This could allow a local, unprivileged user to bypass the append-only file restrictions. (CVE-2008-4554, Important)
* a deficiency was found in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. This could lead to a possible denial of service if one end of an SCTP connection did not support the AUTH extension. (CVE-2008-4576, Important)
In addition, these updated packages fix the following bugs:
* on Itanium® systems, when a multithreaded program was traced using the command "strace -f", messages such as
PANIC: attached pid 10740 exited
PANIC: handle_group_exit: 10740 leader 10721 ...
were displayed, after which the trace would stop. With these updated packages, the "strace -f" command no longer results in these error messages, and strace terminates normally after tracing all threads.
* on big-endian systems such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255.
* when using an NFSv4 file system, accessing the same file with two separate processes simultaneously resulted in the NFS client process becoming unresponsive.
* on AMD64 and Intel® 64 hypervisor-enabled systems, when a syscall correctly returned '-1' in code compiled on Red Hat Enterprise Linux 5, the same code, when run with the strace utility, would incorrectly return an invalid return value. This has been fixed: on AMD64 and Intel® 64 hypervisor-enabled systems, syscalls in compiled code return the same, correct values as syscalls run with strace.
* on the Itanium® architecture, fully-virtualized guest domains created using more than 64 GB of memory caused other guest domains not to receive interrupts. This caused soft lockups on other guests. All guest domains are now able to receive interrupts regardless of their allotted memory.
* when user-space used SIGIO notification, which was not disabled before closing a file descriptor and was then re-enabled in a different process, an attempt by the kernel to dereference a stale pointer led to a kernel crash. With this fix, such a situation no longer causes a kernel crash.
* modifications to certain pages made through a memory-mapped region could have been lost in cases when the NFS client needed to invalidate the page cache for that particular memory-mapped file.
* fully-virtualized Windows® guests became unresponsive due to the vIOSAPIC component being multiprocessor-unsafe. With this fix, vIOSAPIC is multiprocessor-safe and Windows guests do not become unresponsive.
* on certain systems, keyboard controllers could not withstand continuous requests to switch keyboard LEDs on or off. This resulted in some or all key presses not being registered by the system.
* on the Itanium® architecture, setting the "vm.nr_hugepages" sysctl parameter caused a kernel stack overflow resulting in a kernel panic, and possibly stack corruption. With this fix, setting vm.nr_hugepages works correctly.
* hugepages allow the Linux kernel to utilize the multiple page size capabilities of modern hardware architectures. In certain configurations, systems with large amounts of memory could fail to allocate most of this memory for hugepages even if it was free. This could result, for example, in database restart failures.
Kernel security and bug fix updates for CentOS 4
====================================
These kernel packages resolve several security issues and fix various bugs. The update is rated as having important security impact.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
* a flaw was found in the Linux kernel's Direct-IO implementation. This could have allowed a local unprivileged user to cause a denial of service. (CVE-2007-6716, Important)
* when running ptrace in 31-bit mode on an IBM S/390 or IBM System z kernel, a local unprivileged user could cause a denial of service by reading from or writing into a padding area in the user_regs_struct32 structure. (CVE-2008-1514, Important)
* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could have allowed a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important)
* Tobias Klein reported a missing check in the Linux kernel's Open Sound System (OSS) implementation. This deficiency could have led to an information leak. (CVE-2008-3272, Moderate)
* a potential denial of service attack was discovered in the Linux kernel's PWC USB video driver. A local unprivileged user could have used this flaw to bring the kernel USB subsystem into the busy-waiting state. (CVE-2007-5093, Low)
* the ext2 and ext3 file systems code failed to properly handle corrupted data structures, leading to a possible local denial of service issue when read or write operations were performed. (CVE-2008-3528, Low)
In addition, these updated packages fix the following bugs:
* when using the CIFS "forcedirectio" option, appending to an open file on a CIFS share resulted in that file being overwritten with the data to be appended.
* a kernel panic occurred when a device with PCI ID 8086:10c8 was present on a system with a loaded ixgbe driver.
* due to an aacraid driver regression, the kernel failed to boot when trying to load the aacraid driver and printed the following error message:
"aac_srb: aac_fib_send failed with status: 8195".
* due to an mpt driver regression, when RAID 1 was configured on Primergy systems with an LSI SCSI IME 53C1020/1030 controller, the kernel panicked during boot.
* the mpt driver produced a large number of extraneous debugging messages when performing a "Host reset" operation.
* due to a regression in the sym driver, the kernel panicked when a SCSI hot swap was performed using MCP18 hardware.
* all cores on a multi-core system now scale their frequencies in accordance with the policy set by the system's CPU frequency governor.
* the netdump subsystem suffered from several stability issues. These are addressed in this updated kernel.
* under certain conditions, the ext3 file system reported a negative count of used blocks.
* reading /proc/self/mem incorrectly returned "Invalid argument" instead of "input/output error" due to a regression.
* under certain conditions, the kernel panicked when a USB device was removed while the system was busy accessing the device.
* a race condition in the kernel could have led to a kernel crash during the creation of a new process.
If you need any assistance or further information, please feel free to contact us by emailing support@murabba.com
Thank you.
Best Regards,