diff options
author | dann frazier <dannf@debian.org> | 2006-08-17 00:30:54 +0000 |
---|---|---|
committer | dann frazier <dannf@debian.org> | 2006-08-17 00:30:54 +0000 |
commit | 83af1b5d5c8f7e018a003469f86f711158deb252 (patch) | |
tree | 1f0a82c943f1f2d1b8ac70f1c56631591208ac23 /dsa-texts | |
parent | 8a0c0175a017301b997cfa0a8fc67b2f0888cf4c (diff) |
while i'm reorganizing, might as well move the scripts & dsa-texts
out of the active issues directory
ok - should be done for now - let me know if you'd prefer a different
organization
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@551 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'dsa-texts')
-rw-r--r-- | dsa-texts/2.4.27-sarge2 | 177 | ||||
-rw-r--r-- | dsa-texts/2.4.27-sarge3 | 200 | ||||
-rw-r--r-- | dsa-texts/2.6.8-sarge2 | 251 | ||||
-rw-r--r-- | dsa-texts/2.6.8-sarge3 | 246 | ||||
-rw-r--r-- | dsa-texts/2.6.8-sarge5 | 79 | ||||
-rw-r--r-- | dsa-texts/dsa-XXXX-1.kernel-source-2.4.18 | 212 |
6 files changed, 1165 insertions, 0 deletions
diff --git a/dsa-texts/2.4.27-sarge2 b/dsa-texts/2.4.27-sarge2 new file mode 100644 index 00000000..260f350f --- /dev/null +++ b/dsa-texts/2.4.27-sarge2 @@ -0,0 +1,177 @@ +Subject: New Linux kernel 2.4.27 packages fix several issues + +-------------------------------------------------------------------------- +Debian Security Advisory DSA XXX-1 security@debian.org +http://www.debian.org/security/ Dann Frazier, Simon Horman +XXXXX 8th, 2005 http://www.debian.org/security/faq +-------------------------------------------------------------------------- + +Package : kernel-source-2.4.27 +Vulnerability : several +Problem-Type : local/remote +Debian-specific: no +CVE IDs : CVE-2004-0887 CVE-2004-1058 CVE-2004-2607 CVE-2005-0449 CVE-2005-1761 CVE-2005-2457 CVE-2005-2555 CVE-2005-2709 CVE-2005-2973 CVE-2005-3257 CVE-2005-3783 CVE-2005-3806 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2005-4618 +Debian Bug : + +Several local and remote vulnerabilities have been discovered in the Linux +kernel that may lead to a denial of service or the execution of arbitrary +code. The Common Vulnerabilities and Exposures project identifies the +following problems: + +CVE-2004-0887 + + Martin Schwidefsky discovered that the privileged instruction SACF (Set + Address Space Control Fast) on the S/390 platform is not handled properly, + allowing for a local user to gain root privileges. + +CVE-2004-1058 + + A race condition allows for a local user to read the environment variables + of another process that is still spawning through /proc/.../cmdline. + +CVE-2004-2607 + + A numeric casting discrepancy in sdla_xfer allows local users to read + portions of kernel memory via a large len argument which is received as an + int but cast to a short, preventing read loop from filling a buffer. + +CVE-2005-0449 + + An error in the skb_checksum_help() function from the netfilter framework + has been discovered that allows the bypass of packet filter rules or + a denial of service attack. + +CVE-2005-1761 + + A vulnerability in the ptrace subsystem of the IA-64 architecture can + allow local attackers to overwrite kernel memory and crash the kernel. + +CVE-2005-2457 + + Tim Yamin discovered that insufficient input validation in the compressed + ISO file system (zisofs) allows a denial of service attack through + maliciously crafted ISO images. + +CVE-2005-2555 + + Herbert Xu discovered that the setsockopt() function was not restricted to + users/processes with the CAP_NET_ADMIN capability. This allows attackers to + manipulate IPSEC policies or initiate a denial of service attack. + +CVE-2005-2709 + + Al Viro discovered a race condition in the /proc handling of network devices. + A (local) attacker could exploit the stale reference after interface shutdown + to cause a denial of service or possibly execute code in kernel mode. + +CVE-2005-2973 + + Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code + can be forced into an endless loop, which allows a denial of service attack. + +CVE-2005-3257 + + Rudolf Polzer discovered that the kernel improperly restricts access to the + KDSKBSENT ioctl, which can possibly lead to privilege escalation. + +CVE-2005-3783 + + The ptrace code using CLONE_THREAD didn't use the thread group ID to + determine whether the caller is attaching to itself, which allows a denial + of service attack. + +CVE-2005-3806 + + Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable, + which could lead to memory corruption and denial of service. + +CVE-2005-3848 + + Ollie Wild discovered a memory leak in the icmp_push_reply() function, which + allows denial of service through memory consumption. + +CVE-2005-3857 + + Chris Wright discovered that excessive allocation of broken file lock leases + in the VFS layer can exhaust memory and fill up the system logging, which allows + denial of service. + +CVE-2005-3858 + + Patrick McHardy discovered a memory leak in the ip6_input_finish() function from + the IPv6 code, which allows denial of service. + +CVE-2005-4618 + + Yi Ying discovered that sysctl does not properly enforce the size of a + buffer, which allows a denial of service attack. + +The following matrix explains which kernel version for which architecture +fix the problems mentioned above: + + Debian 3.1 (sarge) + Source 2.4.27-10sarge2 + Alpha architecture 2.4.27-10sarge2 + ARM architecture 2.4.27-2sarge2 + Intel IA-32 architecture 2.4.27-10sarge2 + Intel IA-64 architecture 2.4.27-10sarge2 + Motorola 680x0 architecture 2.4.27-3sarge2 + Big endian MIPS architecture 2.4.27-10.sarge1.040815-2 + Little endian MIPS architecture 2.4.27-10.sarge1.040815-2 + PowerPC architecture 2.4.27-10sarge2 + IBM S/390 architecture 2.4.27-2sarge2 + Sun Sparc architecture 2.4.27-9sarge2 + +The following matrix lists additional packages that were rebuilt for +compatability with or to take advantage of this update: + + Debian 3.1 (sarge) + kernel-latest-2.4-alpha 101sarge1 + kernel-latest-2.4-i386 101sarge1 + kernel-latest-2.4-s390 2.4.27-1sarge1 + kernel-latest-2.4-sparc 42sarge1 + kernel-latest-powerpc 102sarge1 + fai-kernels 1.9.1sarge1 + i2c 1:2.9.1-1sarge1 + kernel-image-speakup-i386 2.4.27-1.1sasrge1 + lm-sensors 1:2.9.1-1sarge3 + mindi-kernel 2.4.27-2sarge1 + pcmcia-modules-2.4.27-i386 3.2.5+2sarge1 + systemimager 3.2.3-6sarge1 + +We recommend that you upgrade your kernel package immediately and reboot +the machine. If you have built a custom kernel from the kernel source +package, you will need to rebuild to take advantage of these fixes. + +Upgrade Instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +You may use an automated update by adding the resources from the +footer to the proper configuration. + + +Debian GNU/Linux 3.1 alias sarge +-------------------------------- + + + These files will probably be moved into the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> diff --git a/dsa-texts/2.4.27-sarge3 b/dsa-texts/2.4.27-sarge3 new file mode 100644 index 00000000..4be83011 --- /dev/null +++ b/dsa-texts/2.4.27-sarge3 @@ -0,0 +1,200 @@ +Subject: New Linux kernel 2.4.27 packages fix several issues + +-------------------------------------------------------------------------- +Debian Security Advisory DSA XXX-1 security@debian.org +http://www.debian.org/security/ Dann Frazier, Troy Heber +XXXXX 8th, 2005 http://www.debian.org/security/faq +-------------------------------------------------------------------------- + +Package : kernel-source-2.4.27 +Vulnerability : several +Problem-Type : local/remote +Debian-specific: no +CVE ID : CVE-2006-0038 CVE-2006-0039 CVE-2006-0741 CVE-2006-0742 + CVE-2006-1056 CVE-2006-1242 CVE-2006-1343 CVE-2006-1368 + CVE-2006-1524 CVE-2006-1525 CVE-2006-1857 CVE-2006-1858 + CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 +Debian Bug : + +Several local and remote vulnerabilities have been discovered in the Linux +kernel that may lead to a denial of service or the execution of arbitrary +code. The Common Vulnerabilities and Exposures project identifies the +following problems: + +CVE-2006-0038 + + "Solar Designer" discovered that arithmetic computations in netfilter's + do_replace() function can lead to a buffer overflow and the execution of + arbitrary code. However, the operation requires CAP_NET_ADMIN privileges, + which is only an issue in virtualization systems or fine grained access + control systems. + +CVE-2006-0039 + + "Solar Designer" discovered a race condition in netfilter's + do_add_counters() function, which allows information disclosure of + kernel memory by exploiting a race condition. Like CVE-2006-0038, + it requires CAP_NET_ADMIN privileges. + +CVE-2006-0741 + + Intel EM64T systems were discovered to be susceptible to a local + DoS due to an endless recursive fault related to a bad ELF entry + address. + +CVE-2006-0742 + + Alan and Gareth discovered that the ia64 platform had an + incorrectly declared die_if_kernel() function as "does never + return" which could be exploited by a local attacker resulting in + a kernel crash. + +CVE-2006-1056 + + AMD64 machines (and other 7th and 8th generation AuthenticAMD + processors) were found to be vulnerable to sensitive information + leakage, due to how they handle saving and restoring the FOP, FIP, + and FDP x87 registers in FXSAVE/FXRSTOR when an exception is + pending. This allows a process to determine portions of the state + of floating point instructions of other processes. + +CVE-2006-1242 + + Marco Ivaldi discovered that there was an unintended information + disclosure allowing remote attackers to bypass protections against + Idle Scans (nmap -sI) by abusing the ID field of IP packets and + bypassing the zero IP ID in DF packet countermeasure. This was a + result of the ip_push_pending_frames function improperly + incremented the IP ID field when sending a RST after receiving + unsolicited TCP SYN-ACK packets. + +CVE-2006-1343 + + Pavel Kankovsky reported the existance of a potential information leak + resulting from the failure to initialize sin.sin_zero in the IPv4 socket + code. + +CVE-2006-1368 + + Shaun Tancheff discovered a buffer overflow (boundry condition + error) in the USB Gadget RNDIS implementation allowing remote + attackers to cause a DoS. While creating a reply message, the + driver allocated memory for the reply data, but not for the reply + structure. The kernel fails to properly bounds-check user-supplied + data before copying it to an insufficiently sized memory + buffer. Attackers could crash the system, or possibly execute + arbitrary machine code. + +CVE-2006-1524 + + Hugh Dickins discovered an issue in the madvise_remove function wherein + file and mmap restrictions are not followed, allowing local users to + bypass IPC permissions and replace portions of readonly tmpfs files with + zeroes. + +CVE-2006-1525 + + Alexandra Kossovsky reported a NULL pointer dereference condition in + ip_route_input() that can be triggered by a local user by requesting + a route for a multicast IP address, resulting in a denial of service + (panic). + +CVE-2006-1857 + + Vlad Yasevich reported a data validation issue in the SCTP subsystem + that may allow a remote user to overflow a buffer using a badly formatted + HB-ACK chunk, resulting in a denial of service. + +CVE-2006-1858 + + Vlad Yasevich reported a bug in the bounds checking code in the SCTP + subsystem that may allow a remote attacker to trigger a denial of service + attack when rounded parameter lengths are used to calculate parameter + lengths instead of the actual values. + +CVE-2006-1864 + + Mark Mosely discovered that chroots residing on an SMB share can be + escaped with specially crafted "cd" sequences. + +CVE-2006-2271 + + The "Mu security team" discovered that carefully crafted ECNE chunks can + cause a kernel crash by accessing incorrect state stable entries in the + SCTP networking subsystem, which allows denial of service. + +CVE-2006-2272 + + The "Mu security team" discovered that fragmented SCTP control + chunks can trigger kernel panics, which allows for denial of + service attacks. + +CVE-2006-2274 + + It was discovered that SCTP packets with two initial bundled data + packets can lead to infinite recursion, which allows for denial of + service attacks. + + + +The following matrix explains which kernel version for which architecture +fix the problems mentioned above: + + Debian 3.1 (sarge) + Source 2.4.27-10sarge3 + Alpha architecture 2.4.27-10sarge3 + ARM architecture 2.4.27-2sarge3 + Intel IA-32 architecture 2.4.27-10sarge3 + Intel IA-64 architecture 2.4.27-10sarge3 + Motorola 680x0 architecture 2.4.27-3sarge3 + Big endian MIPS 2.4.27-10.sarge3.040815-1 + Little endian MIPS 2.4.27-10.sarge3.040815-1 + PowerPC architecture 2.4.27-10sarge3 + IBM S/390 architecture 2.4.27-2sarge3 + Sun Sparc architecture 2.4.27-9sarge3 + +The following matrix lists additional packages that were rebuilt for +compatibility with or to take advantage of this update: + + Debian 3.1 (sarge) + fai-kernels 1.9.1sarge2 + kernel-image-2.4.27-speakup 2.4.27-1.1sarge2 + mindi-kernel 2.4.27-2sarge2 + systemimager 3.2.3-6sarge2 + +We recommend that you upgrade your kernel package immediately and reboot +the machine. If you have built a custom kernel from the kernel source +package, you will need to rebuild to take advantage of these fixes. + +Upgrade Instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +You may use an automated update by adding the resources from the +footer to the proper configuration. + + +Debian GNU/Linux 3.1 alias sarge +-------------------------------- + + + These files will probably be moved into the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> diff --git a/dsa-texts/2.6.8-sarge2 b/dsa-texts/2.6.8-sarge2 new file mode 100644 index 00000000..353c3eee --- /dev/null +++ b/dsa-texts/2.6.8-sarge2 @@ -0,0 +1,251 @@ +Subject: New Linux kernel 2.6.8 packages fix several issues + +-------------------------------------------------------------------------- +Debian Security Advisory DSA XXX-1 security@debian.org +http://www.debian.org/security/ Dann Frazier, Simon Horman +XXXXX 8th, 2005 http://www.debian.org/security/faq +-------------------------------------------------------------------------- + +Package : kernel-source-2.6.8 +Vulnerability : several +Problem-Type : local/remote +Debian-specific: no +CVE ID : CVE-2004-1017 CVE-2005-0124 CVE-2005-0449 CVE-2005-2457 CVE-2005-2490 CVE-2005-2555 CVE-2005-2709 CVE-2005-2800 CVE-2005-2973 CVE-2005-3044 CVE-2005-3053 CVE-2005-3055 CVE-2005-3180 CVE-2005-3181 CVE-2005-3257 CVE-2005-3356 CVE-2005-3358 CVE-2005-3783 CVE-2005-3784 CVE-2005-3806 CVE-2005-3847 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2005-4605 CVE-2005-4618 CVE-2006-0095 CVE-2006-0096 CVE-2006-0482 CVE-2006-1066 +Debian Bug : 295949 334113 330287 332587 332596 330343 330353 327416 + +Several local and remote vulnerabilities have been discovered in the Linux +kernel that may lead to a denial of service or the execution of arbitrary +code. The Common Vulnerabilities and Exposures project identifies the +following problems: + +CVE-2004-1017 + + Multiple overflows exist in the io_edgeport driver which might be usable + as a denial of service attack vector. + +CVE-2005-0124 + + Bryan Fulton reported a bounds checking bug in the coda_pioctl function + which may allow local users to execute arbitrary code or trigger a denial + of service attack. + +CVE-2005-0449 + + An error in the skb_checksum_help() function from the netfilter framework + has been discovered that allows the bypass of packet filter rules or + a denial of service attack. + +CVE-2005-2457 + + Tim Yamin discovered that insufficient input validation in the zisofs driver + for compressed ISO file systems allows a denial of service attack through + maliciously crafted ISO images. + +CVE-2005-2490 + + A buffer overflow in the sendmsg() function allows local users to execute + arbitrary code. + +CVE-2005-2555 + + Herbert Xu discovered that the setsockopt() function was not restricted to + users/processes with the CAP_NET_ADMIN capability. This allows attackers to + manipulate IPSEC policies or initiate a denial of service attack. + +CVE-2005-2709 + + Al Viro discovered a race condition in the /proc handling of network devices. + A (local) attacker could exploit the stale reference after interface shutdown + to cause a denial of service or possibly execute code in kernel mode. + +CVE-2005-2800 + + Jan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices + leak memory, which allows a denial of service attack. + +CVE-2005-2973 + + Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code + can be forced into an endless loop, which allows a denial of service attack. + +CVE-2005-3044 + + Vasiliy Averin discovered that the reference counters from sockfd_put() and + fput() can be forced into overlapping, which allows a denial of service attack + through a null pointer dereference. + +CVE-2005-3053 + + Eric Dumazet discovered that the set_mempolicy() system call accepts a negative + value for it's first argument, which triggers a BUG() assert. This allows a + denial of service attack. + +CVE-2005-3055 + + Harald Welte discovered that if a process issues a USB Request Block (URB) + to a device and terminates before the URB completes, a stale pointer + would be dereferenced. This could be used to trigger a denial of service + attack. + +CVE-2005-3180 + + Pavel Roskin discovered that the driver for Orinoco wireless cards clears + it's buffers insufficiently. This could leak sensitive information into + user space. + +CVE-2005-3181 + + Robert Derr discovered that the audit subsystem uses an incorrect function to + free memory, which allows a denial of service attack. + +CVE-2005-3257 + + Rudolf Polzer discovered that the kernel improperly restricts access to the + KDSKBSENT ioctl, which can possibly lead to privilege escalation. + +CVE-2005-3356 + + Doug Chapman discovered that the mq_open syscall can be tricked into + decrementing an internal counter twice, which allows a denial of service attack + through a kernel panic. + +CVE-2005-3358 + + Doug Chapman discovered that passing a 0 zero bitmask to the set_mempolicy() + system call leads to a kernel panic, which allows a denial of service attack. + +CVE-2005-3783 + + The ptrace code using CLONE_THREAD didn't use the thread group ID to + determine whether the caller is attaching to itself, which allows a denial + of service attack. + +CVE-2005-3784 + + The auto-reaping of childe processes functionality included ptraced-attached + processes, which allows denial of service through dangling references. + +CVE-2005-3806 + + Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable, + which could lead to memory corruption and denial of service. + +CVE-2005-3847 + + It was discovered that a threaded real-time process, which is currently dumping + core can be forced into a dead-lock situation by sending it a SIGKILL signal, + which allows a denial of service attack. + +CVE-2005-3848 + + Ollie Wild discovered a memory leak in the icmp_push_reply() function, which + allows denial of service through memory consumption. + +CVE-2005-3857 + + Chris Wright discovered that excessive allocation of broken file lock leases + in the VFS layer can exhaust memory and fill up the system logging, which allows + denial of service. + +CVE-2005-3858 + + Patrick McHardy discovered a memory leak in the ip6_input_finish() function from + the IPv6 code, which allows denial of service. + +CVE-2005-4605 + + Karl Janmar discovered that a signedness error in the procfs code can be exploited + to read kernel memory, which may disclose sensitive information. + +CVE-2005-4618 + + Yi Ying discovered that sysctl does not properly enforce the size of a buffer, which + allows a denial of service attack. + +CVE-2006-0095 + + Stefan Rompf discovered that dm_crypt does not clear an internal struct before freeing + it, which might disclose sensitive information. + +CVE-2006-0096 + + It was discovered that the SDLA driver's capability checks were too lax + for firmware upgrades. + +CVE-2006-0482 + + Ludovic Courtes discovered that get_compat_timespec() performs insufficient input + sanitizing, which allows a local denial of service attack. + +CVE-2006-1066 + + It was discovered that ptrace() on the ia64 architecture allows a local denial of + service attack, when preemption is enabled. + + +The following matrix explains which kernel version for which architecture +fix the problems mentioned above: + + Debian 3.1 (sarge) + Source 2.6.8-16sarge2 + Alpha architecture 2.6.8-16sarge2 + AMD64 architecture 2.6.8-16sarge2 + HP Precision architecture 2.6.8-6sarge2 + Intel IA-32 architecture 2.6.8-16sarge2 + Intel IA-64 architecture 2.6.8-14sarge2 + Motorola 680x0 architecture 2.6.8-4sarge2 + PowerPC architecture 2.6.8-12sarge2 + IBM S/390 architecture 2.6.8-5sarge2 + Sun Sparc architecture 2.6.8-15sarge2 + +The following matrix lists additional packages that were rebuilt for +compatability with or to take advantage of this update: + + Debian 3.1 (sarge) + kernel-latest-2.6-alpha 101sarge1 + kernel-latest-2.6-amd64 103sarge1 + kernel-latest-2.6-hppa 2.6.8-1sarge1 + kernel-latest-2.6-sparc 101sarge1 + kernel-latest-2.6-i386 101sarge1 + kernel-latest-powerpc 102sarge1 + fai-kernels 1.9.1sarge1 + hostap-modules-i386 0.3.7-1sarge1 + mol-modules-2.6.8 0.9.70+2.6.8+12sarge1 + ndiswrapper-modules-i386 1.1-2sarge1 + +We recommend that you upgrade your kernel package immediately and reboot +the machine. If you have built a custom kernel from the kernel source +package, you will need to rebuild to take advantage of these fixes. + +Upgrade Instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +You may use an automated update by adding the resources from the +footer to the proper configuration. + + +Debian GNU/Linux 3.1 alias sarge +-------------------------------- + + + These files will probably be moved into the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> diff --git a/dsa-texts/2.6.8-sarge3 b/dsa-texts/2.6.8-sarge3 new file mode 100644 index 00000000..2803df24 --- /dev/null +++ b/dsa-texts/2.6.8-sarge3 @@ -0,0 +1,246 @@ +Subject: New Linux kernel 2.6.8 packages fix several issues + +-------------------------------------------------------------------------- +Debian Security Advisory DSA XXX-1 security@debian.org +http://www.debian.org/security/ Dann Frazier, Troy Heber +XXXXX 8th, 2005 http://www.debian.org/security/faq +-------------------------------------------------------------------------- + +Package : kernel-source-2.6.8 +Vulnerability : several +Problem-Type : local/remote +Debian-specific: no +CVE ID : CVE-2005-3359 CVE-2006-0038 CVE-2006-0039 CVE-2006-0456 + CVE-2006-0554 CVE-2006-0555 CVE-2006-0557 CVE-2006-0558 + CVE-2006-0741 CVE-2006-0742 CVE-2006-0744 CVE-2006-1056 + CVE-2006-1242 CVE-2006-1368 CVE-2006-1523 CVE-2006-1524 + CVE-2006-1525 CVE-2006-1857 CVE-2006-1858 CVE-2006-1863 + CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 +Debian Bug : + +Several local and remote vulnerabilities have been discovered in the Linux +kernel that may lead to a denial of service or the execution of arbitrary +code. The Common Vulnerabilities and Exposures project identifies the +following problems: + +CVE-2005-3359 + + Franz Filz discovered that some socket calls permit causing inconsistent + reference counts on loadable modules, which allows local users to cause + a denial of service. + +CVE-2006-0038 + + "Solar Designer" discovered that arithmetic computations in netfilter's + do_replace() function can lead to a buffer overflow and the execution of + arbitrary code. However, the operation requires CAP_NET_ADMIN privileges, + which is only an issue in virtualization systems or fine grained access + control systems. + +CVE-2006-0039 + + "Solar Designer" discovered a race condition in netfilter's + do_add_counters() function, which allows information disclosure of kernel + memory by exploiting a race condition. Likewise, it requires CAP_NET_ADMIN + privileges. + +CVE-2006-0456 + + David Howells discovered that the s390 assembly version of the + strnlen_user() function incorrectly returns some string size values. + +CVE-2006-0554 + + It was discovered that the ftruncate() function of XFS can expose + unallocated, which allows information disclosure of previously deleted + files. + +CVE-2006-0555 + + It was discovered that some NFS file operations on handles mounted with + O_DIRECT can force the kernel into a crash. + +CVE-2006-0557 + + It was discovered that the code to configure memory policies allows + tricking the kernel into a crash, thus allowing denial of service. + +CVE-2006-0558 + + It was discovered by Cliff Wickman that perfmon for the IA64 + architecture allows users to trigger a BUG() assert, which allows + denial of service. + +CVE-2006-0741 + + Intel EM64T systems were discovered to be susceptible to a local + DoS due to an endless recursive fault related to a bad elf entry + address. + +CVE-2006-0742 + + Alan and Gareth discovered that the ia64 platform had an + incorrectly declared die_if_kernel() function as "does never + return" which could be exploited by a local attacker resulting in + a kernel crash. + +CVE-2006-0744 + + The Linux kernel did not properly handle uncanonical return + addresses on Intel EM64T CPUs, reporting exceptions in the SYSRET + instead of the next instruction, causing the kernel exception + handler to run on the user stack with the wrong GS. This may result + in a DoS due to a local user changing the frames. + +CVE-2006-1056 + + AMD64 machines (and other 7th and 8th generation AuthenticAMD + processors) were found to be vulnerable to sensitive information + leakage, due to how they handle saving and restoring the FOP, FIP, + and FDP x87 registers in FXSAVE/FXRSTOR when an exception is + pending. This allows a process to determine portions of the state + of floating point instructions of other processes. + +CVE-2006-1242 + + Marco Ivaldi discovered that there was an unintended information + disclosure allowing remote attackers to bypass protections against + Idle Scans (nmap -sI) by abusing the ID field of IP packets and + bypassing the zero IP ID in DF packet countermeasure. This was a + result of the ip_push_pending_frames function improperly + incremented the IP ID field when sending a RST after receiving + unsolicited TCP SYN-ACK packets. + +CVE-2006-1368 + + Shaun Tancheff discovered a buffer overflow (boundry condition + error) in the USB Gadget RNDIS implementation allowing remote + attackers to cause a DoS. While creating a reply message, the + driver allocated memory for the reply data, but not for the reply + structure. The kernel fails to properly bounds-check user-supplied + data before copying it to an insufficiently sized memory + buffer. Attackers could crash the system, or possibly execute + arbitrary machine code. + +CVE-2006-1523 + + Oleg Nesterov reported an unsafe BUG_ON call in signal.c which was + introduced by RCU signal handling. The BUG_ON code is protected by + siglock while the code in switch_exit_pids() uses tasklist_lock. It + may be possible for local users to exploit this to initiate a denial + of service attack (DoS). + +CVE-2006-1524 + + Hugh Dickins discovered an issue in the madvise_remove function wherein + file and mmap restrictions are not followed, allowing local users to + bypass IPC permissions and replace portions of readonly tmpfs files with + zeroes. + +CVE-2006-1525 + + Alexandra Kossovsky reported a NULL pointer dereference condition in + ip_route_input() that can be triggered by a local user by requesting + a route for a multicast IP address, resulting in a denial of service + (panic). + +CVE-2006-1857 + + Vlad Yasevich reported a data validation issue in the SCTP subsystem + that may allow a remote user to overflow a buffer using a badly formatted + HB-ACK chunk, resulting in a denial of service. + +CVE-2006-1858 + + Vlad Yasevich reported a bug in the bounds checking code in the SCTP + subsystem that may allow a remote attacker to trigger a denial of service + attack when rounded parameter lengths are used to calculate parameter + lengths instead of the actual values. + +CVE-2006-1863 + + Mark Mosely discovered that chroots residing on an CIFS share can be + escaped with specially crafted "cd" sequences. + +CVE-2006-1864 + + Mark Mosely discovered that chroots residing on an SMB share can be + escaped with specially crafted "cd" sequences. + +CVE-2006-2271 + + The "Mu security team" discovered that carefully crafted ECNE chunks can + cause a kernel crash by accessing incorrect state stable entries in the + SCTP networking subsystem, which allows denial of service. + +CVE-2006-2272 + + The "Mu security team" discovered that fragmented SCTP control + chunks can trigger kernel panics, which allows for denial of + service attacks. + +CVE-2006-2274 + + It was discovered that SCTP packets with two initial bundled data + packets can lead to infinite recursion, which allows for denial of + service attacks. + + + +The following matrix explains which kernel version for which architecture +fix the problems mentioned above: + + Debian 3.1 (sarge) + Source 2.6.8-16sarge3 + Alpha architecture 2.6.8-16sarge3 + AMD64 architecture 2.6.8-16sarge3 + HP Precision architecture 2.6.8-6sarge3 + Intel IA-32 architecture 2.6.8-16sarge3 + Intel IA-64 architecture 2.6.8-14sarge3 + Motorola 680x0 architecture 2.6.8-4sarge3 + PowerPC architecture 2.6.8-12sarge3 + IBM S/390 architecture 2.6.8-5sarge3 + Sun Sparc architecture 2.6.8-15sarge3 + +The following matrix lists additional packages that were rebuilt for +compatibility with or to take advantage of this update: + + Debian 3.1 (sarge) + fai-kernels 1.9.1sarge2 + +We recommend that you upgrade your kernel package immediately and reboot +the machine. If you have built a custom kernel from the kernel source +package, you will need to rebuild to take advantage of these fixes. + +Upgrade Instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +You may use an automated update by adding the resources from the +footer to the proper configuration. + + +Debian GNU/Linux 3.1 alias sarge +-------------------------------- + + + These files will probably be moved into the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> diff --git a/dsa-texts/2.6.8-sarge5 b/dsa-texts/2.6.8-sarge5 new file mode 100644 index 00000000..fe7b04be --- /dev/null +++ b/dsa-texts/2.6.8-sarge5 @@ -0,0 +1,79 @@ +-------------------------------------------------------------------------- +Debian Security Advisory DSA XXX-1 security@debian.org +http://www.debian.org/security/ Dann Frazier, Troy Heber +XXXXX 8th, 2006 http://www.debian.org/security/faq +-------------------------------------------------------------------------- + +Package : kernel-source-2.6.8 +Vulnerability : several +Problem-Type : local/remote +Debian-specific: no +CVE ID : CVE-2006-3468 + +Several local and remote vulnerabilities have been discovered in the Linux +kernel that may lead to a denial of service or the execution of arbitrary +code. The Common Vulnerabilities and Exposures project identifies the +following problems: + +CVE-2006-3468 + + James McKenzie discovered a vulnerability in the NFS subsystem, allowing + remote denial of service if an ext3 filesystem is exported. + +The following matrix explains which kernel version for which architecture +fix the problems mentioned above: + + Debian 3.1 (sarge) + Source 2.6.8-16sarge5 + Alpha architecture 2.6.8-16sarge5 + AMD64 architecture 2.6.8-16sarge5 + HP Precision architecture 2.6.8-6sarge5 + Intel IA-32 architecture 2.6.8-16sarge5 + Intel IA-64 architecture 2.6.8-14sarge5 + Motorola 680x0 architecture 2.6.8-4sarge5 + PowerPC architecture 2.6.8-12sarge5 + IBM S/390 architecture 2.6.8-5sarge5 + Sun Sparc architecture 2.6.8-15sarge5 + +The following matrix lists additional packages that were rebuilt for +compatibility with or to take advantage of this update: + + Debian 3.1 (sarge) + fai-kernels 1.9.1sarge4 + +We recommend that you upgrade your kernel package immediately and reboot +the machine. If you have built a custom kernel from the kernel source +package, you will need to rebuild to take advantage of these fixes. + +Upgrade Instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +You may use an automated update by adding the resources from the +footer to the proper configuration. + + +Debian GNU/Linux 3.1 alias sarge +-------------------------------- + + + These files will probably be moved into the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> diff --git a/dsa-texts/dsa-XXXX-1.kernel-source-2.4.18 b/dsa-texts/dsa-XXXX-1.kernel-source-2.4.18 new file mode 100644 index 00000000..a180b08f --- /dev/null +++ b/dsa-texts/dsa-XXXX-1.kernel-source-2.4.18 @@ -0,0 +1,212 @@ +-------------------------------------------------------------------------- +Debian Security Advisory DSA 10XX-1 security@debian.org +http://www.debian.org/security/ Martin Schulze, Dann Frazier +May 20th, 2006 http://www.debian.org/security/faq +-------------------------------------------------------------------------- + +Package : kernel-source-2.4.18,kernel-image-2.4.18-1-alpha,kernel-image-2.4.18-1-i386,kernel-image-2.4.18-hppa,kernel-image-2.4.18-powerpc-xfs,kernel-patch-2.4.18-powerpc,kernel-patch-benh +Vulnerability : several +Problem-Type : local/remote +Debian-specific: no +CVE IDs : CVE-2004-0427 CVE-2005-0489 CVE-2004-0394 CVE-2004-0447 CVE-2004-0554 CVE-2004-0565 CVE-2004-0685 CVE-2005-0001 CVE-2004-0883 CVE-2004-0949 CVE-2004-1016 CVE-2004-1333 CVE-2004-0997 CVE-2004-1335 CVE-2004-1017 CVE-2005-0124 CVE-2005-0528 CVE-2003-0984 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CVE-2004-1074 CVE-2004-0138 CVE-2004-1068 CVE-2004-1234 CVE-2005-0003 CVE-2004-1235 CVE-2005-0504 CVE-2005-0384 CVE-2005-0135 + +Several local and remote vulnerabilities have been discovered in the Linux +kernel that may lead to a denial of service or the execution of arbitrary +code. The Common Vulnerabilities and Exposures project identifies the +following problems: + + + CVE-2004-0427 + + A local denial of service vulnerability in do_fork() has been found. + + CVE-2005-0489 + + A local denial of service vulnerability in proc memory handling has + been found. + + CVE-2004-0394 + + A buffer overflow in the panic handling code has been found. + + CVE-2004-0447 + + A local denial of service vulnerability through a null pointer + dereference in the IA64 process handling code has been found. + + CVE-2004-0554 + + A local denial of service vulnerability through an infinite loop in + the signal handler code has been found. + + CVE-2004-0565 + + An information leak in the context switch code has been found on + the IA64 architecture. + + CVE-2004-0685 + + Unsafe use of copy_to_user in USB drivers may disclose sensitive + information. + + CVE-2005-0001 + + A race condition in the i386 page fault handler may allow privilege + escalation. + + CVE-2004-0883 + + Multiple vulnerabilities in the SMB filesystem code may allow denial + of service of information disclosure. + + CVE-2004-0949 + + An information leak discovered in the SMB filesystem code. + + CVE-2004-1016 + + A local denial of service vulnerability has been found in the SCM layer. + + CVE-2004-1333 + + An integer overflow in the terminal code may allow a local denial of + service vulnerability. + + CVE-2004-0997 + + A local privilege escalation in the MIPS assembly code has been found. + + CVE-2004-1335 + + A memory leak in the ip_options_get() function may lead to denial of + service. + + CVE-2004-1017 + + Multiple overflows exist in the io_edgeport driver which might be usable + as a denial of service attack vector. + + CVE-2005-0124 + + Bryan Fulton reported a bounds checking bug in the coda_pioctl function + which may allow local users to execute arbitrary code or trigger a denial + of service attack. + + CVE-2005-0528 + + A local privilege escalation in the mremap function has been found + + CVE-2003-0984 + + Inproper initialization of the RTC may disclose information. + + CVE-2004-1070 + + Insufficient input sanitising in the load_elf_binary() function may + lead to privilege escalation. + + CVE-2004-1071 + + Incorrect error handling in the binfmt_elf loader may lead to privilege + escalation. + + CVE-2004-1072 + + A buffer overflow in the binfmt_elf loader may lead to privilege + escalation or denial of service. + + CVE-2004-1073 + + The open_exec function may disclose information. + + CVE-2004-1074 + + The binfmt code is vulnerable to denial of service through malformed + a.out binaries. + + CVE-2004-0138 + + A denial of service vulnerability in the ELF loader has been found. + + CVE-2004-1068 + + A programming error in the unix_dgram_recvmsg() function may lead to + privilege escalation. + + CVE-2004-1234 + + The ELF loader is vulnerable to denial of service through malformed + binaries. + + CVE-2005-0003 + + Crafted ELF binaries may lead to privilege escalation, due to + insufficient checking of overlapping memory regions. + + CVE-2004-1235 + + A race condition in the load_elf_library() and binfmt_aout() functions + may allow privilege escalation. + + CVE-2005-0504 + + An integer overflow in the Moxa driver may lead to privilege escalation. + + CVE-2005-0384 + + A remote denial of service vulnerability has been found in the PPP + driver. + + CVE-2005-0135 + + An IA64 specific local denial of service vulnerability has been found + in the unw_unwind_to_user() function. + +The following matrix explains which kernel version for which architecture +fix the problems mentioned above: + + Debian 3.0 (woody) + Source 2.4.18-14.4 + Alpha architecture 2.4.18-15woody1 + Intel IA-32 architecture 2.4.18-13.2 + HP Precision architecture 62.4 + PowerPC architecture 2.4.18-1woody6 + PowerPC architecture/XFS 20020329woody1 + PowerPC architecture/benh 20020304woody1 + Sun Sparc architecture + +We recommend that you upgrade your kernel package immediately and reboot +the machine. + +Upgrade Instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get dist-upgrade + will install corrected packages + +You may use an automated update by adding the resources from the +footer to the proper configuration. + + +Debian GNU/Linux 3.0 alias woody +-------------------------------- + + + These files will probably be moved into the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> |