diff options
author | dann frazier <dannf@debian.org> | 2007-08-31 22:45:48 +0000 |
---|---|---|
committer | dann frazier <dannf@debian.org> | 2007-08-31 22:45:48 +0000 |
commit | b0cfad52b42b08aacb0b12e76266d7980b140cae (patch) | |
tree | 44ce81d679436704ad215120ecce1f33eabd307c /dsa-texts/2.6.18.dfsg.1-13etch2 | |
parent | 3162b0b309658c634dcad59fb61683406b78c7a7 (diff) |
start dsa text for 2.6.18.dfsg.1-13etch2
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@942 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'dsa-texts/2.6.18.dfsg.1-13etch2')
-rw-r--r-- | dsa-texts/2.6.18.dfsg.1-13etch2 | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/dsa-texts/2.6.18.dfsg.1-13etch2 b/dsa-texts/2.6.18.dfsg.1-13etch2 new file mode 100644 index 00000000..a6ff4961 --- /dev/null +++ b/dsa-texts/2.6.18.dfsg.1-13etch2 @@ -0,0 +1,99 @@ +-------------------------------------------------------------------------- +Debian Security Advisory DSA 1356-1 security@debian.org +http://www.debian.org/security/ Dann Frazier +August 31st, 2007 http://www.debian.org/security/faq +-------------------------------------------------------------------------- + +Package : linux-2.6 +Vulnerability : several +Problem-Type : local/remote +Debian-specific: no +CVE ID : CVE-2007-2172 CVE-2007-2875 CVE-2007-3105 CVE-2007-3843 + CVE-2007-4308 + +Several local and remote vulnerabilities have been discovered in the Linux +kernel that may lead to a denial of service or the execution of arbitrary +code. The Common Vulnerabilities and Exposures project identifies the +following problems: + +CVE-2007-2172 + + Thomas Graf reported a typo in the IPV4 protocol handler that could + be used by a local attacker to overrun an array via crafted packets, + potentially resulting in a Denial of Service (system crash). + The DECnet counterpart of this issue was already fixed in DSA-1356. + +CVE-2007-2875 + + iDefense reported a potential integer underflow in the cpuset filesystem + which may permit local attackers to gain access to sensitive kernel + memory. This vulnerability is only exploitable if the cpuset filesystem + is mounted. + +CVE-2007-3105 + + The PaX Team discovered a potential buffer overflow in the random number + generator which may permit local users to cause a denial of service or + gain additional privileges. This issue is not believed to effect default + Debian installations where only root has sufficient privileges to exploit + it. + +CVE-2007-3843 + + A coding error in the CIFS subsystem permits the use of unsigned messages + even if the client has been configured the system to enforce + signing by passing the sec=ntlmv2i mount option. This may allow remote + attackers to spoof CIFS network traffic. + +CVE-2007-4308 + + Alan Cox reported an issue in the aacraid driver that allows unprivileged + local users to make ioctl calls which should be restricted to admin + privileges. + +These problems have been fixed in the stable distribution in version +2.6.18.dfsg.1-13etch2. + +The following matrix lists additional packages that were rebuilt for +compatibility with or to take advantage of this update: + + Debian 4.0 (etch) + fai-kernels 1.17+etch5 + user-mode-linux 2.6.18-1um-2etch4 + +We recommend that you upgrade your kernel package immediately and reboot +the machine. If you have built a custom kernel from the kernel source +package, you will need to rebuild to take advantage of these fixes. + +Upgrade Instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +You may use an automated update by adding the resources from the +footer to the proper configuration. + + +Debian GNU/Linux 4.0 alias etch +-------------------------------- + + + These files will probably be moved into the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ etch/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/etch/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> |