author dann frazier <dannf@debian.org> 2008-09-10 21:31:09 +0000
committer dann frazier <dannf@debian.org> 2008-09-10 21:31:09 +0000
commit 95e0bfc463383c72bdee090d613e87e8a41a6d51 (patch)
tree cb4b060c2e6b39b42917960e91358ed91c25db9f /dsa-texts/2.6.24-6~etchnhalf.5
parent c14f859e951a4854d21fd5ea67839d53de7947d9 (diff)
start work on first 2.6.24 DSA
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1220 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'dsa-texts/2.6.24-6~etchnhalf.5')
-rw-r--r-- dsa-texts/2.6.24-6~etchnhalf.5 101
1 files changed, 101 insertions, 0 deletions
diff --git a/dsa-texts/2.6.24-6~etchnhalf.5 b/dsa-texts/2.6.24-6~etchnhalf.5
new file mode 100644
index 00000000..f850a8ed
--- /dev/null
+++ b/dsa-texts/2.6.24-6~etchnhalf.5
@@ -0,0 +1,101 @@
+----------------------------------------------------------------------
+Debian Security Advisory DSA-XXXX-1 security@debian.org
+http://www.debian.org/security/ dann frazier
+Sep 11, 2008 http://www.debian.org/security/faq
+----------------------------------------------------------------------
+
+Package : linux-2.6.24
+Vulnerability : denial of service/information leak
+Problem type : several
+Debian-specific: no
+CVE Id(s) : CVE-2008-3272 CVE-2008-3275 CVE-2008-3276 CVE-2008-3526
+ CVE-2008-3534 CVE-2008-3535 CVE-2008-3792 CVE-2008-3915
+
+Several vulnerabilities have been discovered in the Linux kernel that may
+lead to a denial of service or arbitrary code execution. The Common
+Vulnerabilities and Exposures project identifies the following
+problems:
+
+CVE-2008-3272
+
+ Tobias Klein reported a locally exploitable data leak in the
+ snd_seq_oss_synth_make_info() function. This may allow local users
+ to gain access to sensitive information.
+
+CVE-2008-3275
+
+ Zoltan Sogor discovered a coding error in the VFS that allows local users
+ to exploit a kernel memory leak resulting in a denial of service.
+
+CVE-2008-3276
+
+ Eugene Teo reported an integer overflow in the DCCP subsystem that
+ may allow remote attackers to cause a denial of service in the form
+ of a kernel panic.
+
+CVE-2008-3526
+
+ Eugene Teo reported a missing bounds check in the SCTP subsystem.
+ By exploiting an integer overflow in the SCTP_AUTH_KEY handling code,
+ remote attackers may be able to cause a denial of service in the form
+ of a kernel panic.
+
+CVE-2008-3534
+
+ Kel Modderman reported an issue in the tmpfs filesystem that allows
+ local users to crash a system by triggering a kernel BUG() assertion.
+
+CVE-2008-3535
+
+ Alexey Dobriyan discovered an off-by-one-error in the iov_iter_advance
+ function which can be exploited by local users to crash a system,
+ resulting in a denial of service.
+
+CVE-2008-3792
+
+ Vlad Yasevich reported several NULL pointer reference conditions in
+ the SCTP subsystem that can be triggered by entering sctp-auth codepaths
+ when the AUTH feature is inactive. This may allow attackers to cause
+ a denial of service condition via a system panic.
+
+CVE-2008-3915
+
+ Johann Dahm and David Richter reported and issue in the nfsd subsystem
+ that may allow remote attackers to cause a denial of service via a
+ buffer overflow.
+
+For the stable distribution (etch), this problem has been fixed in
+version 2.6.22-6~etchnhalf.5.
+
+We recommend that you upgrade your linux-2.6.24 packages.
+
+Upgrade instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+Debian GNU/Linux 4.0 alias etch
+-------------------------------
+
+ These changes will probably be included in the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce@lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
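Review bot: The fixed-version line near the end of the advisory body reads "version 2.6.22-6~etchnhalf.5", but the Package field is linux-2.6.24 and the file itself is named 2.6.24-6~etchnhalf.5, so this looks like it should be 2.6.24-6~etchnhalf.5; readers compare their installed package against this string, so it needs to match. The Vulnerability header says "denial of service/information leak" while the opening paragraph says "denial of service or arbitrary code execution", and none of the eight CVE entries describes code execution, so the header and the summary should be aligned with what the entries actually state. Smaller points: "reported and issue" in the CVE-2008-3915 entry should be "an issue"; "this problem has been fixed" should be plural since several CVEs are covered; the CVE-2008-3526 entry names the flaw as both a missing bounds check and an integer overflow and could state the relationship once; and "use the line for sources.list as given below" sits above the apt-get commands while the actual sources.list line only appears in the footer.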
