[kernel-sec-discuss] r1573 - dsa-texts

Dann Frazier dannf at alioth.debian.org
Thu Nov 5 06:46:52 UTC 2009 

Author: dannf
Date: 2009-11-05 06:46:52 +0000 (Thu, 05 Nov 2009)
New Revision: 1573

Added:
   dsa-texts/2.6.26-19lenny2
Log:
new text

Copied: dsa-texts/2.6.26-19lenny2 (from rev 1563, dsa-texts/2.6.26-19lenny1)
===================================================================
--- dsa-texts/2.6.26-19lenny2	                        (rev 0)
+++ dsa-texts/2.6.26-19lenny2	2009-11-05 06:46:52 UTC (rev 1573)
@@ -0,0 +1,126 @@
+----------------------------------------------------------------------
+Debian Security Advisory DSA-XXXX-1                security at debian.org
+http://www.debian.org/security/                           dann frazier
+November 5, 2009                    http://www.debian.org/security/faq
+----------------------------------------------------------------------
+
+Package        : linux-2.6
+Vulnerability  : privilege escalation/denial of service/sensitive memory leak
+Problem type   : local
+Debian-specific: no
+CVE Id(s)      : CVE-2009-3228 CVE-2009-3238 CVE-2009-3547 CVE-2009-3612
+                 CVE-2009-3620 CVE-2009-3621 CVE-2009-3638
+
+Notice: Debian 5.0.4, the next point release of Debian 'lenny',
+will include a new default value for the mmap_min_addr tunable.
+This change will add an additional safeguard against a class of security
+vulnerabilities known as "NULL pointer dereference" vulnerabilities, but
+it will need to be overridden when using certain applications.
+Additional information about this change, including instructions for
+making this change locally in advance of 5.0.4 (recommended), can be
+found at:
+  http://wiki.debian.org/mmap_min_addr
+
+Several vulnerabilities have been discovered in the Linux kernel that
+may lead to a denial of service, sensitive memory leak or privilege escalation.
+The Common Vulnerabilities and Exposures project identifies the following
+problems:
+
+CVE-2009-3228
+
+    Eric Dumazet reported an instance of uninitialized kernel memory
+    in the network packet scheduler. Local users may be able to exploit
+    this issue to read the contents of sensitive kernel memory.
+  
+CVE-2009-3238
+
+    Linus Torvalds provided a change to the get_random_int() function
+    to increase its randomness.
+
+CVE-2009-3547
+
+    Earl Chew discovered a NULL pointer dereference issue in the
+    pipe_rdwr_open function which can be used by local users to gain
+    elevated privileges.
+
+CVE-2009-3612
+
+    Jiri Pirko discovered a typo in the initialization of a structure in
+    the netlink subsystem that may allow local users to gain access to
+    sensitive kernel memory.
+
+CVE-2009-3620
+
+    Ben Hutchings discovered an issue in the DRM manager for ATI Rage 128
+    graphics adapters. Local users may be able to exploit this
+    vulnerability to cause a denial of service (NULL pointer dereference).
+
+CVE-2009-3621
+
+    Tomoki Sekiyama discovered a deadlock condition in the UNIX domain
+    socket implementation. Local users can exploit this vulnerability
+    to cause a denial of service (system hang).
+
+CVE-2009-3638
+
+    David Wagner reported an overflow in the KVM subsystem on i386
+    systems. This issue is exploitable by local users with access
+    to the /dev/kvm device file.
+
+For the stable distribution (lenny), this problem has been fixed in
+version 2.6.26-19lenny2.
+
+For the oldstable distribution (etch), these problems, where
+applicable, will be fixed in updates to linux-2.6 and linux-2.6.24.
+
+We recommend that you upgrade your linux-2.6 and user-mode-linux
+packages.
+
+Note: Debian carefully tracks all known security issues across every
+linux kernel package in all releases under active security support.
+However, given the high frequency at which low-severity security
+issues are discovered in the kernel and the resource requirements of
+doing an update, updates for lower priority issues will normally not
+be released for all kernels at the same time. Rather, they will be
+released in a staggered or "leap-frog" fashion.
+
+The following matrix lists additional source packages that were rebuilt for
+compatibility with or to take advantage of this update:
+
+                                             Debian 5.0 (lenny)
+     user-mode-linux                         2.6.26-1um-2+19lenny2
+
+Upgrade instructions
+--------------------
+
+wget url
+        will fetch the file for you
+dpkg -i file.deb
+        will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+        will update the internal database
+apt-get upgrade
+        will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+Debian GNU/Linux 5.0 alias lenny
+--------------------------------
+
+Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
+
+
+
+  These files will probably be moved into the stable distribution on
+  its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce at lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

More information about the kernel-sec-discuss mailing list