From a414f10d6187dad06efcf1b5e1acd1c0dae593ee Mon Sep 17 00:00:00 2001 From: dann frazier Date: Thu, 21 Aug 2008 05:56:04 +0000 Subject: new dsa draft git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1204 e094ebfe-e918-0410-adfb-c712417f3574 --- dsa-texts/2.6.18.dfsg.1-22etch2 | 111 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 dsa-texts/2.6.18.dfsg.1-22etch2 (limited to 'dsa-texts/2.6.18.dfsg.1-22etch2') diff --git a/dsa-texts/2.6.18.dfsg.1-22etch2 b/dsa-texts/2.6.18.dfsg.1-22etch2 new file mode 100644 index 00000000..48b1da86 --- /dev/null +++ b/dsa-texts/2.6.18.dfsg.1-22etch2 
@@ -0,0 +1,111 @@ +---------------------------------------------------------------------- +Debian Security Advisory DSA-XXXX-1 security@debian.org +http://www.debian.org/security/ dann frazier +Aug 21, 2008 http://www.debian.org/security/faq +---------------------------------------------------------------------- + +Package : linux-2.6 +Vulnerability : denial of service/information leak +Problem type : local/remote +Debian-specific: no +CVE Id(s) : CVE-2007-6282 CVE-2008-0598 CVE-2008-2729 CVE-2008-2812 + CVE-2008-2826 CVE-2008-2931 CVE-2008-3272 CVE-2008-3275 + +Several vulnerabilities have been discovered in the Linux kernel that may +lead to a denial of service or arbitrary code execution. The Common +Vulnerabilities and Exposures project identifies the following +problems: + +CVE-2007-6282 + + Dirk Nehring discovered a vulnerability in the IPsec code that allows + remote users to cause a denial of service by sending a specially crafted + ESP packet. + +CVE-2008-0598 + + Tavis Ormandy discovered a vulnerability that allows local users to access + uninitialized kernel memory, possibly leaking sensitive data. This issue + is specific to the amd64-flavour kernel images. + +CVE-2008-2729 + + Andi Kleen discovered an issue where uninitialized kernel memory + was being leaked to userspace during an exception. This issue may allow + local users to gain access to sensitive data. Only the amd64-flavour + Debian kernel images are affected. + +CVE-2008-2812 + + Alan Cox discovered an issue in multiple tty drivers that allows + local users to trigger a denial of service (NULL pointer dereference) + and possibly obtain elevated privileges. + +CVE-2008-2826 + + Gabriel Campana discovered an integer overflow in the sctp code that + can be exploited by local users to cause a denial of service. + +CVE-2008-2931 + + Miklos Szeredi reported a missing privilege check in the do_change_type() + function. This allows local, unprivileged users to change the properties + of mount points. 
+ +CVE-2008-3272 + + Tobias Klein reported a locally exploitable data leak in the + snd_seq_oss_synth_make_info() function. This may allow local users + to gain access to sensitive information. + +CVE-2008-3275 + + Zoltan Sogor discovered a coding error in the VFS that allows local users + to exploit a kernel memory leak resulting in a denial of service. + +For the stable distribution (etch), this problem has been fixed in +version 2.6.18.dfsg.1-22etch2. + +We recommend that you upgrade your linux-2.6, fai-kernels, and +user-mode-linux packages. + +Upgrade instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +The following matrix lists additional source packages that were rebuilt for +compatability with or to take advantage of this update: + + Debian 4.0 (etch) + fai-kernels 1.17+etch.22etch2 + user-mode-linux 2.6.18-1um-2etch.22etch2 + +You may use an automated update by adding the resources from the +footer to the proper configuration. + +Debian GNU/Linux 4.0 alias etch +------------------------------- + +Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. + + + These changes will probably be included in the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show ' and http://packages.debian.org/ -- cgit v1.2.3
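Review bot: The summary paragraph says the issues "may lead to a denial of service or arbitrary code execution", but the Vulnerability field reads "denial of service/information leak" and none of the per-CVE entries describes code execution. The entries cover denial of service, leaks of kernel memory, possible privilege elevation (CVE-2008-2812) and a missing privilege check (CVE-2008-2931). Suggest making the summary and the Vulnerability field agree with what the entries state, for example by naming information leak and privilege escalation in both. Two smaller points in the closing text: "this problem has been fixed" should be plural, since eight CVEs are listed, and "compatability" should be "compatibility".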