[kernel-sec-discuss] r4616 - dsa-texts

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sat Sep 3 13:07:02 UTC 2016


Author: carnil
Date: 2016-09-03 13:07:02 +0000 (Sat, 03 Sep 2016)
New Revision: 4616

Modified:
   dsa-texts/3.16.36-1+deb8u1
Log:
Add DSA text based on Ben's text for the corresponding DLA in wheezy

Modified: dsa-texts/3.16.36-1+deb8u1
===================================================================
--- dsa-texts/3.16.36-1+deb8u1	2016-09-03 13:07:01 UTC (rev 4615)
+++ dsa-texts/3.16.36-1+deb8u1	2016-09-03 13:07:02 UTC (rev 4616)
@@ -11,27 +11,58 @@
 Package        : linux
 CVE ID         : CVE-2016-5696 CVE-2016-6136 CVE-2016-6480 CVE-2016-6828
 
+Several vulnerabilities have been discovered in the Linux kernel that
+may lead to a privilege escalation, denial of service or have other
+impacts.
 
-Brief introduction 
-
 CVE-2016-5696
 
-    Description
+    Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.
+    Krishnamurthy of the University of California, Riverside; and Lisa
+    M. Marvel of the United States Army Research Laboratory discovered
+    that Linux's implementation of the TCP Challenge ACK feature
+    results in a side channel that can be used to find TCP connections
+    between specific IP addresses, and to inject messages into those
+    connections.
 
+    Where a service is made available through TCP, this may allow
+    remote attackers to impersonate another connected user to the
+    server or to impersonate the server to another connected user.  In
+    case the service uses a protocol with message authentication
+    (e.g. TLS or SSH), this vulnerability only allows denial of
+    service (connection failure).  An attack takes tens of seconds, so
+    short-lived TCP connections are also unlikely to be vulnerable.
+
+    This may be mitigated by increasing the rate limit for TCP
+    Challenge ACKs so that it is never exceeded:
+        sysctl net.ipv4.tcp_challenge_ack_limit=1000000000
+
 CVE-2016-6136
 
-    Description
+    Pengfei Wang discovered that the audit subsystem has a
+    'double-fetch' or 'TOCTTOU' bug in its handling of special
+    characters in the name of an executable.  Where audit logging of
+    execve() is enabled, this allows a local user to generate
+    misleading log messages.
 
 CVE-2016-6480
 
-    Description
+    Pengfei Wang discovered that the aacraid driver for Adaptec RAID
+    controllers has a 'double-fetch' or 'TOCTTOU' bug in its
+    validation of 'FIB' messages passed through the ioctl() system
+    call.  This has no practical security impact in current Debian
+    releases.
 
 CVE-2016-6828
 
-    Description
+    Marco Grassi reported a 'use-after-free' bug in the TCP
+    implementation, which can be triggered by local users.  The
+    security impact is unclear, but might include denial of service or
+    privilege escalation.
 
 For the stable distribution (jessie), these problems have been fixed in
-version 3.16.36-1+deb8u1.
+version 3.16.36-1+deb8u1. In addition, this update contains several
+changes originally targeted for the upcoming jessie point release.
 
 We recommend that you upgrade your linux packages.
 
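Review bot: the CVE-2016-5696 mitigation in this hunk, `sysctl net.ipv4.tcp_challenge_ack_limit=1000000000`, changes the running kernel only and does not survive a reboot, yet the text presents it without saying it is an interim workaround; suggest adding that it is only needed until the 3.16.36-1+deb8u1 kernel is booted, and that a host which must stay on the old kernel across reboots should also put `net.ipv4.tcp_challenge_ack_limit = 1000000000` in a file under /etc/sysctl.d/. Minor: the sysctl line is indented as a paragraph continuation, so it reads as part of the sentence rather than as a command; a blank line before and after it would match how the other DSA texts set off commands.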



