From 6dff562cdcf642c149f96089ce1606eed7bf9087 Mon Sep 17 00:00:00 2001 From: dann frazier Date: Sun, 16 Aug 2009 15:52:07 +0000 Subject: new text git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1459 e094ebfe-e918-0410-adfb-c712417f3574 --- dsa-texts/2.6.18.dfsg.1-24etch3 | 102 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 dsa-texts/2.6.18.dfsg.1-24etch3 (limited to 'dsa-texts/2.6.18.dfsg.1-24etch3') diff --git a/dsa-texts/2.6.18.dfsg.1-24etch3 b/dsa-texts/2.6.18.dfsg.1-24etch3 new file mode 100644 index 00000000..41f42179 --- /dev/null +++ b/dsa-texts/2.6.18.dfsg.1-24etch3 
@@ -0,0 +1,102 @@ +---------------------------------------------------------------------- +Debian Security Advisory DSA-XXXX-1 security@debian.org +http://www.debian.org/security/ dann frazier +Aug 16, 2009 http://www.debian.org/security/faq +---------------------------------------------------------------------- + +Package : linux-2.6 +Vulnerability : denial of service/privilege escalation +Problem type : local/remote +Debian-specific: no +CVE Id(s) : CVE-2009-1385 CVE-2009-1389 CVE-2009-1630 CVE-2009-1633 + CVE-2009-2692 + +Several vulnerabilities have been discovered in the Linux kernel that +may lead to denial of service or privilege escalation. The Common +Vulnerabilities and Exposures project identifies the following problems: + +CVE-2009-1385 + + Neil Horman discovered a missing fix from the e1000 network driver. + A remote user may cause a denial of service by way of a kernel panic + triggered by specially crafted frame sizes. + +CVE-2009-1389 + + Michael Tokarev discovered an issue in the r8169 network driver. + Remote users on the same LAN may cause a denial of service by way + of a kernel panic triggered by receiving a large size frame. + +CVE-2009-1630 + + Frank Filz discovered that local users may be able to execute + files without execute permission when accessed via an nfs4 mount. + +CVE-2009-1633 + + Jeff Layton and Suresh Jayaraman fixed several buffer overflows in + the CIFS filesystem which allow remote servers to cause memory + corruption. + +CVE-2009-2692 + + Tavis Ormandy and Julien Tinnes discovered an issue with how the + sendpage function is initialized in the proto_ops structure. + Local users can exploit this vulnerability to gain elevated + privileges. + +For the oldstable distribution (etch), this problem has been fixed in +version 2.6.18.dfsg.1-24etch3. + +We recommend that you upgrade your linux-2.6, fai-kernels, and +user-mode-linux packages. 
+ +Note: Debian carefully tracks all known security issues across every +linux kernel package in all releases under active security support. +However, given the high frequency at which low-severity security +issues are discovered in the kernel and the resource requirements of +doing an update, updates for lower priority issues will normally not +be released for all kernels at the same time. Rather, they will be +released in a staggered or "leap-frog" fashion. + +Upgrade instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +The following matrix lists additional source packages that were rebuilt for +compatability with or to take advantage of this update: + + Debian 4.0 (etch) + fai-kernels 1.17+etch.24etch3 + user-mode-linux 2.6.18-1um-2etch.24etch3 + +You may use an automated update by adding the resources from the +footer to the proper configuration. + +Debian GNU/Linux 4.0 alias etch +------------------------------- + +Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. + +Source archives: + + These changes will probably be included in the oldstable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ oldstable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/oldstable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show ' and http://packages.debian.org/
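Review bot: several template fields in this advisory text are still unfilled and one spelling error needs fixing before it can go out: the header still reads "DSA-XXXX-1" with no advisory number, the "Source archives:" section carries no package URLs or checksums (only the note that the changes will land in oldstable on its next update), the footer's "`apt-cache show '" has no package name where linux-2.6 belongs, and "compatability" in "rebuilt for compatability with or to take advantage of this update" should be "compatibility". Two smaller points on the CVE summaries: the header classifies the issues as "denial of service/privilege escalation", but CVE-2009-1630 as described (local users executing files without execute permission via an nfs4 mount) is a permission-check bypass rather than privilege escalation in the usual sense, so consider naming it explicitly in the Vulnerability line; and "discovered a missing fix from the e1000 network driver" for CVE-2009-1385 reads awkwardly, "discovered that a fix was missing from the e1000 network driver" would say the same thing more clearly.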