[kernel-sec-discuss] r2683 - dsa-texts
Dann Frazier
dannf at alioth.debian.org
Thu May 10 15:36:33 UTC 2012
Author: dannf
Date: 2012-05-10 15:36:32 +0000 (Thu, 10 May 2012)
New Revision: 2683
Added:
dsa-texts/2.6.32-44
Log:
new dsa text
Copied: dsa-texts/2.6.32-44 (from rev 2682, dsa-texts/2.6.32-41squeeze2)
===================================================================
--- dsa-texts/2.6.32-44 (rev 0)
+++ dsa-texts/2.6.32-44 2012-05-10 15:36:32 UTC (rev 2683)
@@ -0,0 +1,75 @@
+----------------------------------------------------------------------
+Debian Security Advisory DSA-2469-1 security at debian.org
+http://www.debian.org/security/ Dann Frazier
+May 10, 2012 http://www.debian.org/security/faq
+----------------------------------------------------------------------
+
+Package : linux-2.6
+Vulnerability : privilege escalation/denial of service
+Problem type : local
+Debian-specific: no
+CVE Id(s) : CVE-2011-4086 CVE-2012-0879 CVE-2012-1601 CVE-2012-2123
+ CVE-2012-2133
+
+Several vulnerabilities have been discovered in the Linux kernel that may lead
+to a denial of service or privilege escalation. The Common Vulnerabilities and
+Exposures project identifies the following problems:
+
+CVE-2011-4086
+
+ Eric Sandeen reported an issue in the journaling layer for EXT4 filesystems
+ (jbd2). Local users can cause buffers to be accessed after they have been
+ torn down, resulting in a denial of service (DoS) due to a system crash.
+
+CVE-2012-0879
+
+ Louis Rilling reported two reference counting issues in the CLONE_IO
+ feature of the kernel. Local users can prevent io context structures
+ from being freed, resulting in a denial of service.
+
+CVE-2012-1601
+
+ Michael Ellerman reported an issue in the KVM subsystem. Local users could
+ cause a denial of service (NULL pointer dereference) by creating VCPUs
+ before a call to KVM_CREATE_IRQCHIP.
+
+CVE-2012-2123
+
+ Steve Grubb reported in an issue in fcaps, a filesystem-based capabilities
+ system. Personality flags set using this mechanism, such as the disabling
+ of address space randomization, may persist across suid calls.
+
+CVE-2012-2133
+
+ Shachar Raindel discovered a use-after-free bug in the hugepages
+ quota implementation. Local users with permission to use hugepages
+ via the hugetlbfs implementation may be able to cause a denial of
+ service (system crash).
+
+For the stable distribution (squeeze), this problem has been fixed in version
+2.6.32-44. Updates are currently only available for the amd64, i386 and sparc
+ports.
+
+NOTE: Updated linux-2.6 packages will also be made available in the release
+of Debian 6.0.5, scheduled to take place the weekend of 2012.05.12. This
+pending update will be version 2.6.32-45, and provides an additional fix for
+build failures on some architectures. Users for whom this update is not
+critical, and who may wish to avoid multiple reboots, should consider waiting
+for the 6.0.5 release before updating, or installing the 2.6.32-45 version
+ahead of time from proposed-updates.
+
+The following matrix lists additional source packages that were rebuilt for
+compatibility with or to take advantage of this update:
+
+ Debian 6.0 (squeeze)
+ user-mode-linux 2.6.32-1um-4+44
+
+We recommend that you upgrade your linux-2.6 and user-mode-linux packages.
+
+Thanks to Micah Anderson for proof reading this text.
+
+Further information about Debian Security Advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: http://www.debian.org/security/
+
+Mailing list: debian-security-announce at lists.debian.org
More information about the kernel-sec-discuss
mailing list