[kernel] r6787 - patch-tracking/dsa-texts
Dann Frazier
dannf at costa.debian.org
Sat Jun 10 06:16:11 UTC 2006
Author: dannf
Date: Sat Jun 10 06:16:06 2006
New Revision: 6787
Added:
patch-tracking/dsa-texts/2.4.27-sarge3
Modified:
patch-tracking/dsa-texts/2.6.8-sarge3
Log:
i think these are complete now
Added: patch-tracking/dsa-texts/2.4.27-sarge3
==============================================================================
--- (empty file)
+++ patch-tracking/dsa-texts/2.4.27-sarge3 Sat Jun 10 06:16:06 2006
@@ -0,0 +1,189 @@
+Subject: New Linux kernel 2.4.27 packages fix several issues
+
+--------------------------------------------------------------------------
+Debian Security Advisory DSA XXX-1 security at debian.org
+http://www.debian.org/security/ Dann Frazier, Troy Heber
+XXXXX 8th, 2005 http://www.debian.org/security/faq
+--------------------------------------------------------------------------
+
+Package : kernel-source-2.4.27
+Vulnerability : several
+Problem-Type : local/remote
+Debian-specific: no
+CVE ID : CVE-2006-0038 CVE-2006-0039 CVE-2006-0741 CVE-2006-0742
+ CVE-2006-1056 CVE-2006-1242 CVE-2006-1343 CVE-2006-1368
+ CVE-2006-1524 CVE-2006-1525 CVE-2006-1857 CVE-2006-1858
+ CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274
+Debian Bug :
+
+Several local and remote vulnerabilities have been discovered in the Linux
+kernel that may lead to a denial of service or the execution of arbitrary
+code. The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+CVE-2006-0038
+
+ "Solar Designer" discovered that arithmetic computations in netfilter's
+ do_replace() function can lead to a buffer overflow and the execution of
+ arbitrary code. However, the operation requires CAP_NET_ADMIN privileges,
+ which is only an issue in virtualization systems or fine grained access
+ control systems.
+
+CVE-2006-0039
+
+ "Solar Designer" discovered a race condition in netfilter's
+ do_add_counters() function, which allows information disclosure of kernel
+ memory by exploiting a race condition. Likewise, it requires CAP_NET_ADMIN
+ privileges.
+
+CVE-2006-0741
+
+ Intel EM64T systems were discovered to be susceptible to a local
+ DoS due to an endless recursive fault related to a bad elf entry
+ address.
+
+CVE-2006-0742
+
+ Alan and Gareth discovered that the ia64 platform had an
+ incorrectly declared die_if_kernel() function as "does never
+ return" which could be exploited by a local attacker resulting in
+ a kernel crash.
+
+CVE-2006-1056
+
+ AMD64 machines (and other 7th and 8th generation AuthenticAMD
+ processors) were found to be vulnerable to sensitive information
+ leakage, due to how they handle saving and restoring the FOP, FIP,
+ and FDP x87 registers in FXSAVE/FXRSTOR when an exception is
+ pending. This allows a process to determine portions of the state
+ of floating point instructions of other processes.
+
+CVE-2006-1242
+
+ Marco Ivaldi discovered that there was an unintended information
+ disclosure allowing remote attackers to bypass protections against
+ Idle Scans (nmap -sI) by abusing the ID field of IP packets and
+ bypassing the zero IP ID in DF packet countermeasure. This was a
+ result of the ip_push_pending_frames function improperly
+ incremented the IP ID field when sending a RST after receiving
+ unsolicited TCP SYN-ACK packets.
+
+CVE-2006-1343
+
+ Pavel Kankovsky reported the existance of a potential information leak
+ resulting from the failure to initialize sin.sin_zero in the IPv4 socket
+ code.
+
+CVE-2006-1368
+
+ Shaun Tancheff discovered a buffer overflow (boundry condition
+ error) in the USB Gadget RNDIS implementation allowing remote
+ attackers to cause a DoS. While creating a reply message, the
+ driver allocated memory for the reply data, but not for the reply
+ structure. The kernel fails to properly bounds-check user-supplied
+ data before copying it to an insufficiently sized memory
+ buffer. Attackers could crash the system, or possibly execute
+ arbitrary machine code.
+
+CVE-2006-1524
+
+ Hugh Dickins discovered an issue in the madvise_remove function wherein
+ file and mmap restrictions are not followed, allowing local users to
+ bypass IPC permissions and replace portions of readonly tmpfs files with
+ zeroes.
+
+CVE-2006-1525
+
+ Alexandra Kossovsky reported a NULL pointer dereference condition in
+ ip_route_input() that can be triggered by a local user by requesting
+ a route for a multicast IP address, resulting in a denial of service
+ (panic).
+
+CVE-2006-1857
+
+ Vlad Yasevich reported a data validation issue in the SCTP subsystem
+ that may allow a remote user to overflow a buffer using a badly formatted
+ HB-ACK chunk, resulting in a denial of service.
+
+CVE-2006-1858
+
+ Vlad Yasevich reported a bug in the bounds checking code in the SCTP
+ subsystem that may allow a remote attacker to trigger a denial of service
+ attack when rounded parameter lengths are used to calculate parameter
+ lengths instead of the actual values.
+
+CVE-2006-1864
+
+ Mark Mosely discovered that chroots residing on an SMB share can be
+ escaped with specially crafted "cd" sequences.
+
+CVE-2006-2271
+
+ The "Mu security team" discovered that carefully crafted ECNE chunks can
+ cause a kernel crash by accessing incorrect state stable entries in the
+ SCTP networking subsystem, which allows denial of service.
+
+CVE-2006-2272
+
+ The "Mu security team" discovered that fragmented SCTP control chunks can
+ trigger kernel panics, which allows denial of service.
+
+CVE-2006-2274
+
+ It was discovered that SCTP packets with two initial bundled data packets
+ can lead to infinite recursion, which allows denial of service.
+
+
+
+The following matrix explains which kernel version for which architecture
+fix the problems mentioned above:
+
+ Debian 3.1 (sarge)
+ Source 2.4.27-10sarge3
+ Alpha architecture 2.4.27-10sarge3
+ ARM architecture 2.4.27-2sarge3
+ Intel IA-32 architecture 2.4.27-10sarge3
+ Intel IA-64 architecture 2.4.27-10sarge3
+ Motorola 680x0 architecture 2.4.27-3sarge3
+ Big endian MIPS 2.4.27-10.sarge3.040815-1
+ Little endian MIPS 2.4.27-10.sarge3.040815-1
+ PowerPC architecture 2.4.27-10sarge3
+ IBM S/390 architecture 2.4.27-2sarge3
+ Sun Sparc architecture 2.4.27-9sarge3
+
+We recommend that you upgrade your kernel package immediately and reboot
+the machine. If you have built a custom kernel from the kernel source
+package, you will need to rebuild to take advantage of these fixes.
+
+Upgrade Instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+
+Debian GNU/Linux 3.1 alias sarge
+--------------------------------
+
+
+ These files will probably be moved into the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce at lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Modified: patch-tracking/dsa-texts/2.6.8-sarge3
==============================================================================
--- patch-tracking/dsa-texts/2.6.8-sarge3 (original)
+++ patch-tracking/dsa-texts/2.6.8-sarge3 Sat Jun 10 06:16:06 2006
@@ -14,8 +14,8 @@
CVE-2006-0554 CVE-2006-0555 CVE-2006-0557 CVE-2006-0558
CVE-2006-0741 CVE-2006-0742 CVE-2006-0744 CVE-2006-1056
CVE-2006-1242 CVE-2006-1368 CVE-2006-1523 CVE-2006-1524
- CVE-2006-1525 CVE-2006-1863 CVE-2006-1864 CVE-2006-1857
- CVE-2006-1858 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274
+ CVE-2006-1525 CVE-2006-1857 CVE-2006-1858 CVE-2006-1863
+ CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274
Debian Bug :
Several local and remote vulnerabilities have been discovered in the Linux
@@ -62,8 +62,8 @@
CVE-2006-0557
- It was discovered that the code to configure memory policies allows tricking
- the kernel into a crash, thus allowing denial of service.
+ It was discovered that the code to configure memory policies allows
+ tricking the kernel into a crash, thus allowing denial of service.
CVE-2006-0558
@@ -124,23 +124,38 @@
CVE-2006-1523
- foo
+ Oleg Nesterov reported an unsafe BUG_ON call in signal.c which was
+ introduced by RCU signal handling. The BUG_ON code is protected by
+ siglock while the code in switch_exit_pids() uses tasklist_lock. It
+ may be possible for local users to exploit this to initiate a denial
+ of service attack (DoS).
CVE-2006-1524
- foo
+ Hugh Dickins discovered an issue in the madvise_remove function wherein
+ file and mmap restrictions are not followed, allowing local users to
+ bypass IPC permissions and replace portions of readonly tmpfs files with
+ zeroes.
CVE-2006-1525
- foo
+ Alexandra Kossovsky reported a NULL pointer dereference condition in
+ ip_route_input() that can be triggered by a local user by requesting
+ a route for a multicast IP address, resulting in a denial of service
+ (panic).
CVE-2006-1857
- foo
+ Vlad Yasevich reported a data validation issue in the SCTP subsystem
+ that may allow a remote user to overflow a buffer using a badly formatted
+ HB-ACK chunk, resulting in a denial of service.
CVE-2006-1858
- foo
+ Vlad Yasevich reported a bug in the bounds checking code in the SCTP
+ subsystem that may allow a remote attacker to trigger a denial of service
+ attack when rounded parameter lengths are used to calculate parameter
+ lengths instead of the actual values.
CVE-2006-1863
More information about the Kernel-svn-changes
mailing list