[kernel-sec-discuss] r1742 - dsa-texts
Dann Frazier
dannf at alioth.debian.org
Tue Feb 23 00:21:00 UTC 2010
Author: dannf
Date: 2010-02-23 00:20:57 +0000 (Tue, 23 Feb 2010)
New Revision: 1742
Added:
dsa-texts/2.6.18.dfsg.1-26etch2
Log:
new text
Copied: dsa-texts/2.6.18.dfsg.1-26etch2 (from rev 1741, dsa-texts/2.6.18.dfsg.1-26etch1)
===================================================================
--- dsa-texts/2.6.18.dfsg.1-26etch2 (rev 0)
+++ dsa-texts/2.6.18.dfsg.1-26etch2 2010-02-23 00:20:57 UTC (rev 1742)
@@ -0,0 +1,136 @@
+----------------------------------------------------------------------
+Debian Security Advisory DSA-XXXX-1 security at debian.org
+http://www.debian.org/security/ Dann Frazier
+February 23, 2010 http://www.debian.org/security/faq
+----------------------------------------------------------------------
+
+Package : linux-2.6
+Vulnerability : privilege escalation/denial of service
+Problem type : local/remote
+Debian-specific: no
+CVE Id(s) : CVE-2009-3080 CVE-2009-3726 CVE-2009-4005 CVE-2009-4020
+ CVE-2009-4021 CVE-2009-4536 CVE-2010-0007 CVE-2010-0410
+ CVE-2010-0415 CVE-2010-0622
+
+Several vulnerabilities have been discovered in the Linux kernel that
+may lead to a denial of service or privilege escalation. The Common
+Vulnerabilities and Exposures project identifies the following problems:
+
+CVE-2009-3080
+
+ Dave Jones reported an issue in the gdth SCSI driver. A missing
+ check for negative offsets in ioctl called could be exploited
+ by local users to create a denial of service or potentially gain
+ elevated privileges.
+
+CVE-2009-3726
+
+ Trond Myklebust reported an issue where a malicious NFS server
+ could cause a denial of service condition on its clients by
+ returning incorrect attributes during an open call.
+
+CVE-2009-4005
+
+ Roel Kluin discovered an issue in the hfc_usb driver, an ISDN driver
+ for Colognechip HFC-S USB chip. A potential read overflow exists which
+ may allow remote users to cause a denial of service condition (oops).
+
+
+CVE-2009-4020
+
+ Amerigo Wang discovered an issue in the HFS filesystem that would
+ allow a denial of service by a local user who has sufficient privileges
+ to mount a specially crafted filesystem.
+
+CVE-2009-4021
+
+ Anana V. Avati discovered an issue in the fuse subsystem. If the
+ system is sufficiently low on memory, a local user can cause the
+ kernel to dereference an invalid pointer resulting in a denial of
+ service (oops) and potentially an escalation of privileges.
+
+CVE-2009-4536
+
+ Fabian Yamaguchi reported an issue in the e1000 driver for Intel
+ gigabit network adapters which allow remote users to bypass packet
+ filters using specially crafted ethernet frames.
+
+CVE-2010-0007
+
+ Florian Westphal reported a lack of capability checking in the
+ ebtables netfilter subsystem. If the ebtables module is loaded,
+ local users can add and modify ebtables rules.
+
+CVE-2010-0410
+
+ Sebastian Krahmer discovered an issue in the netlink connector
+ subsystem that permits local users to allocate large amounts of
+ system memory resulting in a denial of service (out of memory).
+
+CVE-2010-0415
+
+ Ramon de Carvalho Valle discovered an issue in the sys_move_pages
+ interface, limited to amd64, ia64 and powerpc64 flavors in Debian.
+ Local users can exploit this issue to cause a denial of service
+ (system crash) or gain access to sensitive kernel memory.
+
+CVE-2010-0622
+
+ Jermome Marchand reported an issue in the futex subsystem
+ that allows a local user to force an invalid futex state
+ which results in a denial of service (oops).
+
+For the oldstable distribution (etch), this problem has been fixed in
+version 2.6.18.dfsg.1-26etch2.
+
+We recommend that you upgrade your linux-2.6, fai-kernels, and
+user-mode-linux packages.
+
+Note: Debian 'etch' includes linux kernel packages based upon both the
+2.6.18 and 2.6.24 linux releases. All known security issues are
+carefully tracked against both packages and both packages will receive
+security updates until security support for Debian 'etch'
+concludes. However, given the high frequency at which low-severity
+security issues are discovered in the kernel and the resource
+requirements of doing an update, lower severity 2.6.18 and 2.6.24
+updates will typically release in a staggered or "leap-frog" fashion.
+
+The following matrix lists additional source packages that were rebuilt for
+compatability with or to take advantage of this update:
+
+ Debian 4.0 (etch)
+ fai-kernels 1.17+etch.26etch2
+ user-mode-linux 2.6.18-1um-2etch.26etch2
+
+Upgrade instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+Debian GNU/Linux 4.0 alias etch
+-------------------------------
+
+Oldstable updates are available for alpha, [...]
+
+ These changes will probably be included in the oldstable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce at lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
More information about the kernel-sec-discuss
mailing list