[kernel-sec-discuss] r1545 - dsa-texts
Dann Frazier
dannf at alioth.debian.org
Fri Oct 23 00:06:15 UTC 2009
Author: dannf
Date: 2009-10-23 00:05:51 +0000 (Fri, 23 Oct 2009)
New Revision: 1545
Modified:
dsa-texts/2.6.26-19lenny1
Log:
reference mmap_min_addr wiki, move "other packages" section as requested by web team
Modified: dsa-texts/2.6.26-19lenny1
===================================================================
--- dsa-texts/2.6.26-19lenny1 2009-10-22 21:58:42 UTC (rev 1544)
+++ dsa-texts/2.6.26-19lenny1 2009-10-23 00:05:51 UTC (rev 1545)
@@ -1,7 +1,7 @@
----------------------------------------------------------------------
-Debian Security Advisory DSA-XXXX-1 security at debian.org
+Debian Security Advisory DSA-1915-1 security at debian.org
http://www.debian.org/security/ dann frazier
-October 21, 2009 http://www.debian.org/security/faq
+October 22, 2009 http://www.debian.org/security/faq
----------------------------------------------------------------------
Package : linux-2.6
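Review bot: the log message does not cover the two header changes in this hunk, the DSA-XXXX-1 placeholder becoming DSA-1915-1 and the date moving from October 21 to October 22, 2009. Mention the advisory number assignment in the log so the revision that finalized the ID can be found from the history.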
@@ -12,6 +12,16 @@
CVE-2009-2910 CVE-2009-3001 CVE-2009-3002 CVE-2009-3286
CVE-2009-3290 CVE-2009-3613
+Notice: Debian 5.0.4, the next point release of Debian 'lenny',
+will include a new default value for the mmap_min_addr tunable.
+This change will add an additional safeguard against a class of security
+vulnerabilities known as "NULL pointer dereference" vulnerabilities, but
+it will need to be overridden when using certain applications.
+Additional information about this change, including instructions for
+making this change locally in advance of 5.0.4 (recommended), can be
+found at:
+ http://wiki.debian.org/mmap_min_addr
+
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service, sensitive memory leak or privilege escalation.
The Common Vulnerabilities and Exposures project identifies the following
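Review bot: the added Notice says the new default "will need to be overridden when using certain applications" but names neither the applications nor the value. The text removed later in this patch gave wine and dosemu as examples and 32768 as the setting, so consider carrying at least those two facts into the Notice so that administrators can judge the impact without following the wiki link.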
@@ -23,14 +33,6 @@
provided by the mmap_min_addr tunable against NULL pointer
dereference vulnerabilities.
- Unless your system needs to run applications that require mapping
- low addresses (such as wine or dosemu), it is recommended to
- increase the value of mmap_min_addr to protect against NULL
- pointer exploits. This can be configured using the procps
- package:
- # echo "vm.mmap_min_addr = 32768" > /etc/sysctl.d/mmap_min_addr.conf
- # /etc/init.d/procps restart
-
CVE-2009-2903
Mark Smith discovered a memory leak in the appletalk
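Review bot: after this removal the CVE entry ends at "dereference vulnerabilities." with no mitigation and no pointer to one, since the sysctl instructions now exist only on the wiki. Add a short cross-reference here to the Notice at the top of the advisory (or to http://wiki.debian.org/mmap_min_addr) so a reader who jumps straight to this CVE still finds the recommended setting.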
@@ -107,6 +109,12 @@
be released for all kernels at the same time. Rather, they will be
released in a staggered or "leap-frog" fashion.
+The following matrix lists additional source packages that were rebuilt for
+compatibility with or to take advantage of this update:
+
+ Debian 5.0 (lenny)
+ user-mode-linux 2.6.26-1um-2+19lenny1
+
Upgrade instructions
--------------------
@@ -123,12 +131,6 @@
apt-get upgrade
will install corrected packages
-The following matrix lists additional source packages that were rebuilt for
-compatibility with or to take advantage of this update:
-
- Debian 5.0 (lenny)
- user-mode-linux 2.6.26-1um-2+19lenny1
-
You may use an automated update by adding the resources from the
footer to the proper configuration.