[kernel-sec-discuss] r942 - dsa-texts
dannf at alioth.debian.org
dannf at alioth.debian.org
Fri Aug 31 22:45:48 UTC 2007
Author: dannf
Date: 2007-08-31 22:45:48 +0000 (Fri, 31 Aug 2007)
New Revision: 942
Added:
dsa-texts/2.6.18.dfsg.1-13etch2
Log:
start dsa text for 2.6.18.dfsg.1-13etch2
Copied: dsa-texts/2.6.18.dfsg.1-13etch2 (from rev 913, dsa-texts/2.6.18.dfsg.1-13etch1)
===================================================================
--- dsa-texts/2.6.18.dfsg.1-13etch2 (rev 0)
+++ dsa-texts/2.6.18.dfsg.1-13etch2 2007-08-31 22:45:48 UTC (rev 942)
@@ -0,0 +1,99 @@
+--------------------------------------------------------------------------
+Debian Security Advisory DSA 1356-1 security at debian.org
+http://www.debian.org/security/ Dann Frazier
+August 31st, 2007 http://www.debian.org/security/faq
+--------------------------------------------------------------------------
+
+Package : linux-2.6
+Vulnerability : several
+Problem-Type : local/remote
+Debian-specific: no
+CVE ID : CVE-2007-2172 CVE-2007-2875 CVE-2007-3105 CVE-2007-3843
+ CVE-2007-4308
+
+Several local and remote vulnerabilities have been discovered in the Linux
+kernel that may lead to a denial of service or the execution of arbitrary
+code. The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+CVE-2007-2172
+
+ Thomas Graf reported a typo in the IPV4 protocol handler that could
+ be used by a local attacker to overrun an array via crafted packets,
+ potentially resulting in a Denial of Service (system crash).
+ The DECnet counterpart of this issue was already fixed in DSA-1356.
+
+CVE-2007-2875
+
+ iDefense reported a potential integer underflow in the cpuset filesystem
+ which may permit local attackers to gain access to sensitive kernel
+ memory. This vulnerability is only exploitable if the cpuset filesystem
+ is mounted.
+
+CVE-2007-3105
+
+ The PaX Team discovered a potential buffer overflow in the random number
+ generator which may permit local users to cause a denial of service or
+ gain additional privileges. This issue is not believed to effect default
+ Debian installations where only root has sufficient privileges to exploit
+ it.
+
+CVE-2007-3843
+
+ A coding error in the CIFS subsystem permits the use of unsigned messages
+ even if the client has been configured the system to enforce
+ signing by passing the sec=ntlmv2i mount option. This may allow remote
+ attackers to spoof CIFS network traffic.
+
+CVE-2007-4308
+
+ Alan Cox reported an issue in the aacraid driver that allows unprivileged
+ local users to make ioctl calls which should be restricted to admin
+ privileges.
+
+These problems have been fixed in the stable distribution in version
+2.6.18.dfsg.1-13etch2.
+
+The following matrix lists additional packages that were rebuilt for
+compatibility with or to take advantage of this update:
+
+ Debian 4.0 (etch)
+ fai-kernels 1.17+etch5
+ user-mode-linux 2.6.18-1um-2etch4
+
+We recommend that you upgrade your kernel package immediately and reboot
+the machine. If you have built a custom kernel from the kernel source
+package, you will need to rebuild to take advantage of these fixes.
+
+Upgrade Instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+
+Debian GNU/Linux 4.0 alias etch
+--------------------------------
+
+
+ These files will probably be moved into the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ etch/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/etch/updates/main
+Mailing list: debian-security-announce at lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
More information about the kernel-sec-discuss
mailing list