[kernel-sec-discuss] r3099 - dsa-texts

Dann Frazier dannf at alioth.debian.org
Sat Sep 28 01:03:02 UTC 2013 

Author: dannf
Date: 2013-09-28 01:02:40 +0000 (Sat, 28 Sep 2013)
New Revision: 3099

Added:
   dsa-texts/2.6.32-48squeeze4
Modified:
   dsa-texts/3.2.41-2+deb7u2
Log:
add new text

Added: dsa-texts/2.6.32-48squeeze4
===================================================================
--- dsa-texts/2.6.32-48squeeze4	                        (rev 0)
+++ dsa-texts/2.6.32-48squeeze4	2013-09-28 01:02:40 UTC (rev 3099)
@@ -0,0 +1,105 @@
+----------------------------------------------------------------------
+Debian Security Advisory DSA-2766-1                security at debian.org
+http://www.debian.org/security/                           Dann Frazier
+September 27, 2013                  http://www.debian.org/security/faq
+----------------------------------------------------------------------
+
+Package        : linux-2.6
+Vulnerability  : privilege escalation/denial of service/information leak
+Problem type   : local/remote
+Debian-specific: no
+CVE Id(s)      : CVE-2013-2141 CVE-2013-2164 CVE-2013-2206 CVE-2013-2232
+                 CVE-2013-2234 CVE-2013-2237 CVE-2013-2239 CVE-2013-2851
+                 CVE-2013-2852 CVE-2013-2888 CVE-2013-2892
+
+Several vulnerabilities have been discovered in the Linux kernel that may lead
+to a denial of service, information leak or privilege escalation. The Common
+Vulnerabilities and Exposures project identifies the following problems:
+
+CVE-2013-2141
+
+    Emese Revfy provided a fix for an information leak in the tkill and
+    tgkill system calls. A local user on a 64-bit system maybe able to
+    gain access to sensitive memory contents.
+
+CVE-2013-2164
+
+    Jonathan Salwan reported an information leak in the CD-ROM driver. A
+    local user on a system with a malfunctioning CD-ROM drive could gain
+    access to sensitive memory.
+
+CVE-2013-2206
+
+    Karl Heiss reported an issue in the Linux SCTP implementation. A remote
+    user could cause a denial of service (system crash).
+
+CVE-2013-2232
+
+    Dave Jones and Hannes Frederic Sowa resolved an issue in the IPv6
+    subsystem. Local users could cause a denial of service by using an
+    AF_INET6 socket to connect to an IPv4 destination.
+
+CVE-2013-2234
+
+    Mathias Krause reported a memory leak in the implementation of PF_KEYv2
+    sockets. Local users could gain access to sensitive kernel memory.
+
+CVE-2013-2237
+
+    Nicolas Dichtel reported a memory leak in the implementation of PF_KEYv2
+    sockets. Local users could gain access to sensitive kernel memory.
+
+CVE-2013-2239
+
+    Jonathan Salwan discovered multiple memory leaks in the openvz kernel
+    flavor. Local users could gain access to sensitive kernel memory.
+
+CVE-2013-2851
+
+    Kees Cook reported an issue in the block subsystem. Local users with
+    uid 0 could gain elevated ring 0 privileges. This is only a security
+    issue for certain specially configured systems.
+
+CVE-2013-2852
+
+    Kees Cook reported an issue in the b43 network driver for certain Broadcom
+    wireless devices. Local users with uid 0 could gain elevated ring 0 
+    privileges. This is only a security issue for certain specially configured
+    systems.
+
+CVE-2013-2888
+
+    Kees Cook reported an issue in the HID driver subsystem. A local user,
+    with the ability to attach a device, could cause a denial of service
+    (system crash).
+
+CVE-2013-2892
+
+    Kees Cook reported an issue in the pantherlord HID device driver. Local
+    users with the ability to attach a device could cause a denial of service
+    or possibly gain elevated privileges.
+
+For the oldstable distribution (squeeze), this problem has been fixed in
+version 2.6.32-48squeeze4.
+
+The following matrix lists additional source packages that were rebuilt for
+compatibility with or to take advantage of this update:
+
+                                             Debian 6.0 (squeeze)
+     user-mode-linux                         2.6.32-1um-4+48squeeze4
+
+We recommend that you upgrade your linux-2.6 and user-mode-linux packages.
+
+Note: Debian carefully tracks all known security issues across every
+linux kernel package in all releases under active security support.
+However, given the high frequency at which low-severity security
+issues are discovered in the kernel and the resource requirements of
+doing an update, updates for lower priority issues will normally not
+be released for all kernels at the same time. Rather, they will be
+released in a staggered or "leap-frog" fashion.
+
+Further information about Debian Security Advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: http://www.debian.org/security/
+
+Mailing list: debian-security-announce at lists.debian.org

Modified: dsa-texts/3.2.41-2+deb7u2
===================================================================
--- dsa-texts/3.2.41-2+deb7u2	2013-09-27 12:28:06 UTC (rev 3098)
+++ dsa-texts/3.2.41-2+deb7u2	2013-09-28 01:02:40 UTC (rev 3099)
@@ -119,6 +119,10 @@
 For the stable distribution (wheezy), this problem has been fixed in version
 3.2.41-2+deb7u1.
 
+Note: Updates are currently available for the amd64, i386, ia64, s390, s390x
+and sparc architectures. Updates for the remaining architectures will be
+released as they become available.
+
 The following matrix lists additional source packages that were rebuilt for
 compatibility with or to take advantage of this update:

More information about the kernel-sec-discuss mailing list