[kernel-sec-discuss] r1722 - dsa-texts

Dann Frazier dannf at alioth.debian.org
Thu Feb 11 06:34:57 UTC 2010


Author: dannf
Date: 2010-02-11 06:34:51 +0000 (Thu, 11 Feb 2010)
New Revision: 1722

Added:
   dsa-texts/2.6.26-21lenny3
Log:
new text


Copied: dsa-texts/2.6.26-21lenny3 (from rev 1719, dsa-texts/2.6.26-19lenny2)
===================================================================
--- dsa-texts/2.6.26-21lenny3	                        (rev 0)
+++ dsa-texts/2.6.26-21lenny3	2010-02-11 06:34:51 UTC (rev 1722)
@@ -0,0 +1,149 @@
+----------------------------------------------------------------------
+Debian Security Advisory DSA-XXXX-1                security at debian.org
+http://www.debian.org/security/                           dann frazier
+February XX, 2010                   http://www.debian.org/security/faq
+----------------------------------------------------------------------
+
+Package        : linux-2.6
+Vulnerability  : privilege escalation/denial of service/sensitive memory leak
+Problem type   : local/remote
+Debian-specific: no
+CVE Id(s)      : CVE-2009-3939 CVE-2009-4027 CVE-2009-4536 CVE-2009-4538
+                 CVE-2010-0003 CVE-2010-0007 CVE-2010-0291 CVE-2010-0298
+                 CVE-2010-0306 CVE-2010-0307 CVE-2010-0309 CVE-2010-0410
+                 CVE-2010-0415
+                 
+Several vulnerabilities have been discovered in the Linux kernel that
+may lead to a denial of service, sensitive memory leak or privilege
+escalation.  The Common Vulnerabilities and Exposures project
+identifies the following problems:
+
+CVE-2009-3939
+
+    Joseph Malicki reported that the dbg_lvl sysfs attribute for the
+    megaraid_sas device driver had world-writeable permissions, permitting
+    local users to modify logging settings.
+
+CVE-2009-4027
+
+    Lennert Buytenhek reported a race in the mac80211 subsystem that may allow
+    remote users to cause a denial of service (system crash) on a system
+    connected to the same wireless network.
+
+CVE-2009-4536
+CVE-2009-4538
+
+    Fabian Yamaguchi reported issues in the e1000 and e1000e drivers for Intel
+    gigabit network adapters which allow remote users to bypass packet filters
+    using specially crafted ethernet frames.
+    
+CVE-2010-0003
+
+    Andi Kleen reported a defect which allows local users to gain read
+    access to memory reachable by the kernel when the print-fatal-signals
+    option is enabled. This option is disabled by default.
+
+CVE-2010-0007
+
+    Florian Westphal reported a lack of capability checking in the ebtables
+    netfilter subsystem. If the ebtables module is loaded, local users can
+    add and modify ebtables rules.
+
+CVE-2010-0291
+
+    Al Viro reported several issues with the mmap/mremap system calls that
+    allow local users to cause a denial of service (system panic) or obtain
+    elevated privileges.
+
+CVE-2010-0298
+CVE-2010-0306
+
+    Gleb Natapov discovered issues in the KVM subsystem where missing
+    permission checks (CPL/IOPL) permit a user in a guest system to denial
+    of service a guest (system crash) or gain escalated privileges with
+    the guest.
+
+CVE-2010-0307
+
+    Mathias Krause reported an issue with the load_elf_binary code on
+    the amd64 flavor kernels that allows local users to cause a denial
+    of service (system crash).
+
+CVE-2010-0309
+
+    Marcelo Tosatti fixed an issue in the PIT emulation code in the KVM
+    subsystem that allows privileged users in a guest domain to cause a
+    denial of service (crash) of the host system.
+
+CVE-2010-0410
+
+     Sebastian Krahmer discovered an issue in the netlink connector subsystem
+     that permits local users to allocate large amounts of system memory
+     resulting in a denial of service (out of memory).
+
+CVE-2010-0415
+
+    Ramon de Carvalho Valle discovered an issue in the sys_move_pages
+    interface, limited to amd64, ia64 and powerpc64 flavors in Debian.
+    Local users can exploit this issue to cause a denial of service
+    (system crash) or gain access to sensitive kernel memory.
+
+For the stable distribution (lenny), this problem has been fixed in
+version 2.6.26-21lenny3.
+
+For the oldstable distribution (etch), these problems, where
+applicable, will be fixed in updates to linux-2.6 and linux-2.6.24.
+
+We recommend that you upgrade your linux-2.6 and user-mode-linux
+packages.
+
+Note: Debian carefully tracks all known security issues across every
+linux kernel package in all releases under active security support.
+However, given the high frequency at which low-severity security
+issues are discovered in the kernel and the resource requirements of
+doing an update, updates for lower priority issues will normally not
+be released for all kernels at the same time. Rather, they will be
+released in a staggered or "leap-frog" fashion.
+
+The following matrix lists additional source packages that were
+rebuilt for compatibility with or to take advantage of this update:
+
+                                             Debian 5.0 (lenny)
+     user-mode-linux                         2.6.26-1um-2+19lenny3
+
+Upgrade instructions
+--------------------
+
+wget url
+        will fetch the file for you
+dpkg -i file.deb
+        will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+        will update the internal database
+apt-get upgrade
+        will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+Debian GNU/Linux 5.0 alias lenny
+--------------------------------
+
+Stable updates are available for XXXX. Updates for other architectures
+will be released as they become available.
+
+Source archives:
+[...]
+
+  These files will probably be moved into the stable distribution on
+  its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce at lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>




More information about the kernel-sec-discuss mailing list