[kernel-sec-discuss] r4616 - dsa-texts
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Sat Sep 3 13:07:02 UTC 2016
Author: carnil
Date: 2016-09-03 13:07:02 +0000 (Sat, 03 Sep 2016)
New Revision: 4616
Modified:
dsa-texts/3.16.36-1+deb8u1
Log:
Add DSA text based on Ben's text for the corresponding DLA in wheezy
Modified: dsa-texts/3.16.36-1+deb8u1
===================================================================
--- dsa-texts/3.16.36-1+deb8u1 2016-09-03 13:07:01 UTC (rev 4615)
+++ dsa-texts/3.16.36-1+deb8u1 2016-09-03 13:07:02 UTC (rev 4616)
@@ -11,27 +11,58 @@
Package : linux
CVE ID : CVE-2016-5696 CVE-2016-6136 CVE-2016-6480 CVE-2016-6828
+Several vulnerabilities have been discovered in the Linux kernel that
+may lead to a privilege escalation, denial of service or have other
+impacts.
-Brief introduction
-
CVE-2016-5696
- Description
+ Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.
+ Krishnamurthy of the University of California, Riverside; and Lisa
+ M. Marvel of the United States Army Research Laboratory discovered
+ that Linux's implementation of the TCP Challenge ACK feature
+ results in a side channel that can be used to find TCP connections
+ between specific IP addresses, and to inject messages into those
+ connections.
+ Where a service is made available through TCP, this may allow
+ remote attackers to impersonate another connected user to the
+ server or to impersonate the server to another connected user. In
+ case the service uses a protocol with message authentication
+ (e.g. TLS or SSH), this vulnerability only allows denial of
+ service (connection failure). An attack takes tens of seconds, so
+ short-lived TCP connections are also unlikely to be vulnerable.
+
+ This may be mitigated by increasing the rate limit for TCP
+ Challenge ACKs so that it is never exceeded:
+ sysctl net.ipv4.tcp_challenge_ack_limit=1000000000
+
CVE-2016-6136
- Description
+ Pengfei Wang discovered that the audit subsystem has a
+ 'double-fetch' or 'TOCTTOU' bug in its handling of special
+ characters in the name of an executable. Where audit logging of
+ execve() is enabled, this allows a local user to generate
+ misleading log messages.
CVE-2016-6480
- Description
+ Pengfei Wang discovered that the aacraid driver for Adaptec RAID
+ controllers has a 'double-fetch' or 'TOCTTOU' bug in its
+ validation of 'FIB' messages passed through the ioctl() system
+ call. This has no practical security impact in current Debian
+ releases.
CVE-2016-6828
- Description
+ Marco Grassi reported a 'use-after-free' bug in the TCP
+ implementation, which can be triggered by local users. The
+ security impact is unclear, but might include denial of service or
+ privilege escalation.
For the stable distribution (jessie), these problems have been fixed in
-version 3.16.36-1+deb8u1.
+version 3.16.36-1+deb8u1. In addition, this update contains several
+changes originally targeted for the upcoming jessie point release.
We recommend that you upgrade your linux packages.
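Review bot: the mitigation for CVE-2016-5696 (`+ sysctl net.ipv4.tcp_challenge_ack_limit=1000000000`) only takes effect until the next reboot and the text does not say it is an interim measure; since the same hunk states the issue is fixed in 3.16.36-1+deb8u1, suggest introducing it as "Until the updated kernel is installed, this may be mitigated by increasing the rate limit ..." and noting that the setting can be made persistent by placing it in a file under /etc/sysctl.d/ (a standard location, not one named in the text). The closing "+version 3.16.36-1+deb8u1. In addition, this update contains several changes originally targeted for the upcoming jessie point release." would also help readers if it pointed at where those non-security changes are listed (the package changelog), so that the scope of the update is clear.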