r4615 - people/dannf
Dann Frazier
dannf at costa.debian.org
Sun Oct 23 16:01:16 UTC 2005
Author: dannf
Date: 2005-10-23 16:01:15 +0000 (Sun, 23 Oct 2005)
New Revision: 4615
Modified:
people/dannf/2.4.27-10sarge1
people/dannf/2.6.8-16sarge1.dsa
Log:
update w/ new CVE ids
Modified: people/dannf/2.4.27-10sarge1
===================================================================
--- people/dannf/2.4.27-10sarge1 2005-10-23 14:32:00 UTC (rev 4614)
+++ people/dannf/2.4.27-10sarge1 2005-10-23 16:01:15 UTC (rev 4615)
@@ -12,9 +12,10 @@
Vulnerability : multiple
Problem type : remote, local, DoS
Debian-specific: no
-CVE Id(s) : CAN-2005-1768 CAN-2005-0757 CAN-2005-1762 CAN-2005-0756
- CAN-2005-2456 CAN-2005-2801 CAN-2005-2872 CAN-2005-1767
- CAN-2005-2458 CAN-2005-2459
+CVE Id(s) : CAN-2005-1768 CAN-2005-0757 CAN-2005-1762
+ CAN-2005-0756 CAN-2005-3275 CAN-2005-2456
+ CAN-2005-2801 CAN-2005-2872 CAN-2005-1767
+ CAN-2005-2458 CAN-2005-2459 CAN-2005-2553
Multiple security vulnerabilities have been identified in the Linux 2.4 kernel.
These vulnerabilities could allow an attacker to execute arbitrary code or
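Review bot: the two new ids land at different places in the CVE Id(s) list (CAN-2005-3275 between CAN-2005-0756 and CAN-2005-2456, CAN-2005-2553 appended at the end) and the list is neither sorted nor in the order of the per-patch entries below; pick one ordering, for example sorted by id, so the header can be checked against the body at a glance. Both new ids do match the entries later assigned in this file to 174_net-ipv4-netfilter-nat-mem.diff and 184_arch-x86_64-ia32-ptrace32-oops.diff.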
@@ -49,10 +50,17 @@
platform, which allows local users to cause a denial of service (kernel
crash)
-NO-CAN (172_ppc32-time_offset-misuse.diff)
+NO-CAN (172_ppc32-time_offset-misuse.diff) - not believed to be a security issue
-CAN-REQUESTED (174_net-ipv4-netfilter-nat-mem.diff)
+CAN-2005-3275 (174_net-ipv4-netfilter-nat-mem.diff)
+ A potential memory corruption bug exists in the NAT code in Linux
+ kernels prior to 2.6.13 and 2.4.32-rc1. The portptr pointing to the
+ port in the conntrack tuple is declared static, which could result in
+ memory corruption when two packets of the same protocol are NATed at
+ the same time and one conntrack goes away. A malicious machine on the
+ same network could potentially use this to initiate a DoS attack.
+
CAN-2005-2456 (176_ipsec-array-overflow.diff)
Array index overflow in the xfrm_sk_policy_insert function in
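Review bot: the CAN-2005-3275 text here only says "the NAT code", while the 2.6.8-16sarge1.dsa entry for the same id in this commit names the affected files (ip_nat_proto_tcp.c and ip_nat_proto_udp.c); since both advisories describe the same bug, carry the file names over so the two descriptions agree. The added block also ends with a bare `+` line, unlike the CAN-2005-2553 block added further down, so check that the trailing blank is intended.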
@@ -96,5 +104,10 @@
compressed file that leads to a null pointer dereference, a different
vulnerability than CAN-2005-2458.
-CAN-REQUESTED (184_arch-x86_64-ia32-ptrace32-oops.diff)
+CAN-2005-2553 (184_arch-x86_64-ia32-ptrace32-oops.diff)
+ The find_target function in ptrace32.c in the Linux kernel 2.4.x
+ before 2.4.29 does not properly handle a NULL return value from another
+ function, which allows local users to cause a denial of service (kernel
+ crash/oops) by running a 32-bit ltrace program with the -i option on a 64-bit
+ executable program.
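Review bot: "does not properly handle a NULL return value from another function" leaves that function unnamed; if the callee whose result find_target fails to check is identifiable from 184_arch-x86_64-ia32-ptrace32-oops.diff, name it here so a reader can map the description to the patch. The stated range (2.4.x before 2.4.29) is consistent with this 2.4.27 advisory.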
Modified: people/dannf/2.6.8-16sarge1.dsa
===================================================================
--- people/dannf/2.6.8-16sarge1.dsa 2005-10-23 14:32:00 UTC (rev 4614)
+++ people/dannf/2.6.8-16sarge1.dsa 2005-10-23 16:01:15 UTC (rev 4615)
@@ -17,7 +17,8 @@
CAN-2005-1265 CAN-2005-0757 CAN-2005-1765 CAN-2005-1761
CAN-2005-2548 CAN-2004-2302 CAN-2005-1767 CAN-2005-2458
CAN-2005-2459 CAN-2005-2456 CAN-2005-2872 CAN-2005-2801
- CAN-2005-3110
+ CAN-2005-3110 CAN-2005-3271 CAN-2005-3272 CAN-2005-3272
+ CAN-2005-3273 CAN-2005-3274 CAN-2005-3275 CAN-2005-3276
Multiple security vulnerabilities have been identified in the Linux kernel.
These vulnerabilities could allow an attacker to execute arbitrary code or
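Review bot: CAN-2005-3272 is listed twice on the new line "CAN-2005-3110 CAN-2005-3271 CAN-2005-3272 CAN-2005-3272"; drop the duplicate. The id covers both net-bridge-forwarding-poison-1.dpatch and -2.dpatch in the later hunk, but it is a single CVE and belongs in the header once.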
@@ -167,9 +168,13 @@
NO-CAN (arch-x86_64-kernel-smp-boot-race.dpatch)
-CAN-REQUESTED [fs-exec-posix-timers-leak-1.dpatch]
+CAN-2005-3271 [fs-exec-posix-timers-leak-1.dpatch]
- Make exec clean up posix timers.
+ Exec in Linux kernel 2.6 does not properly clear posix-timers in
+ multi-threaded environments, which results in a resource leak and
+ could allow a large number of multiple local users to cause a denial
+ of service by using more posix-timers than specified by the quota for
+ a single user.
NO-CAN [fs-exec-posix-timers-leak-2.dpatch]
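Review bot: "could allow a large number of multiple local users" is redundant; "could allow local users" says the same. Since fs-exec-posix-timers-leak-2.dpatch stays NO-CAN directly below while -1 now carries CAN-2005-3271, a short note on why the second patch is not part of the same issue would help whoever audits this list next.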
@@ -180,34 +185,51 @@
NO-CAN [net-bridge-mangle-oops-1.dpatch]
NO-CAN [net-bridge-mangle-oops-2.dpatch]
-CAN-REQUESTED [net-bridge-forwarding-poison-1.dpatch]
-CAN-REQUESTED [net-bridge-forwarding-poison-2.dpatch]
+CAN-2005-3272 [net-bridge-forwarding-poison-1.dpatch]
+CAN-2005-3272 [net-bridge-forwarding-poison-2.dpatch]
- Avoid poisoning of the bridge forwarding table by frames that have been
- dropped by filtering. This prevents spoofed source addresses on hostile
- side of bridge from causing packet leakage, a small but possible
- security risk.
+ Linux kernel before 2.6.12 allows remote attackers to poison the
+ bridge forwarding table using frames that have already been dropped by
+ filtering, which can cause the bridge to forward spoofed packets.
+CAN-2005-3273 [net-rose-ndigis-verify.dpatch]
-CAN-REQUESTED [net-rose-ndigis-verify.dpatch]
+ The rose_rt_ioctl function in rose_route.c for ROSE in Linux 2.6
+ kernels prior to 2.6.12 does not properly verify the ndigis argument
+ for a new route, which allows attackers to trigger array out-of-bounds
+ errors with a large number of digipeats.
- Verify ndigis argument of a new route.
-
NO-CAN [sound-usb-usbaudio-unplug-oops.dpatch] - not believed to be a security issue
Prevent oops & dead keyboard on usb unplugging while the device is being
used.
-CAN-REQUESTED [net-ipv4-ipvs-conn_tab-race.dpatch]
+CAN-2005-3274 [net-ipv4-ipvs-conn_tab-race.dpatch]
- Fix race condition on ip_vs_conn_tab list modification
+ Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4
+ before 2.4.32-pre2, when running on SMP systems, allows local users to
+ cause a denial of service (null dereference) by causing a connection
+ timer to expire while the connection table is being flushed before the
+ appropriate lock is acquired.
NO-CAN [net-netlink-autobind-return.dpatch] not believed to be a security bug
NO-CAN [ppc32-time_offset-misuse.dpatch] not believed to be a security issue
-CAN-REQUESTED [netfilter-NAT-memory-corruption.dpatch]
+CAN-2005-3275 [netfilter-NAT-memory-corruption.dpatch]
+ The NAT code (1) ip_nat_proto_tcp.c and (2) ip_nat_proto_udp.c in
+ Linux kernel 2.6 before 2.6.13 and 2.4 before 2.4.32-rc1 incorrectly
+ declares a variable to be static, which allows remote attackers to
+ cause a denial of service (memory corruption) by causing two packets
+ for the same protocol to be NATed at the same time, which leads to
+ memory corruption.
+
NO-CAN [netfilter-ip_conntrack_untracked-refcount.dpatch]
-CAN-REQUESTED [sys_get_thread_area-leak.dpatch]
+CAN-2005-3276 [sys_get_thread_area-leak.dpatch]
+
+ The sys_get_thread_area function in process.c in Linux 2.6 before
+ 2.6.12.4 and 2.6.13 does not clear a data structure before copying it
+ to userspace, which might allow a user process to obtain sensitive
+ information.
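Review bot: the CAN-2005-3276 entry inserts a blank `+` line between the id line and its description, and the CAN-2005-3275 block ends with a trailing `+` blank, whereas every other entry in this hunk has the description directly under the id line with no trailing blank; make the layout uniform. In the CAN-2005-3275 text, "cause a denial of service (memory corruption) ... which leads to memory corruption" states the effect twice; one mention is enough.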
More information about the Kernel-svn-changes
mailing list