From c2f9707b848ef75c88b71c9966c90bca9785860e Mon Sep 17 00:00:00 2001 From: dann frazier Date: Tue, 23 Feb 2010 00:20:57 +0000 Subject: new text git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1742 e094ebfe-e918-0410-adfb-c712417f3574 --- dsa-texts/2.6.18.dfsg.1-26etch2 | 136 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 dsa-texts/2.6.18.dfsg.1-26etch2 (limited to 'dsa-texts/2.6.18.dfsg.1-26etch2') diff --git a/dsa-texts/2.6.18.dfsg.1-26etch2 b/dsa-texts/2.6.18.dfsg.1-26etch2 new file mode 100644 index 000000000..ae0738f23 --- /dev/null +++ b/dsa-texts/2.6.18.dfsg.1-26etch2 @@ -0,0 +1,136 @@ +---------------------------------------------------------------------- +Debian Security Advisory DSA-XXXX-1 security@debian.org +http://www.debian.org/security/ Dann Frazier +February 23, 2010 http://www.debian.org/security/faq +---------------------------------------------------------------------- + +Package : linux-2.6 +Vulnerability : privilege escalation/denial of service +Problem type : local/remote +Debian-specific: no +CVE Id(s) : CVE-2009-3080 CVE-2009-3726 CVE-2009-4005 CVE-2009-4020 + CVE-2009-4021 CVE-2009-4536 CVE-2010-0007 CVE-2010-0410 + CVE-2010-0415 CVE-2010-0622 + +Several vulnerabilities have been discovered in the Linux kernel that +may lead to a denial of service or privilege escalation. The Common +Vulnerabilities and Exposures project identifies the following problems: + +CVE-2009-3080 + + Dave Jones reported an issue in the gdth SCSI driver. A missing + check for negative offsets in ioctl called could be exploited + by local users to create a denial of service or potentially gain + elevated privileges. + +CVE-2009-3726 + + Trond Myklebust reported an issue where a malicious NFS server + could cause a denial of service condition on its clients by + returning incorrect attributes during an open call. + +CVE-2009-4005 + + Roel Kluin discovered an issue in the hfc_usb driver, an ISDN driver + for Colognechip HFC-S USB chip. A potential read overflow exists which + may allow remote users to cause a denial of service condition (oops). + + +CVE-2009-4020 + + Amerigo Wang discovered an issue in the HFS filesystem that would + allow a denial of service by a local user who has sufficient privileges + to mount a specially crafted filesystem. + +CVE-2009-4021 + + Anana V. Avati discovered an issue in the fuse subsystem. If the + system is sufficiently low on memory, a local user can cause the + kernel to dereference an invalid pointer resulting in a denial of + service (oops) and potentially an escalation of privileges. + +CVE-2009-4536 + + Fabian Yamaguchi reported an issue in the e1000 driver for Intel + gigabit network adapters which allow remote users to bypass packet + filters using specially crafted ethernet frames. + +CVE-2010-0007 + + Florian Westphal reported a lack of capability checking in the + ebtables netfilter subsystem. If the ebtables module is loaded, + local users can add and modify ebtables rules. + +CVE-2010-0410 + + Sebastian Krahmer discovered an issue in the netlink connector + subsystem that permits local users to allocate large amounts of + system memory resulting in a denial of service (out of memory). + +CVE-2010-0415 + + Ramon de Carvalho Valle discovered an issue in the sys_move_pages + interface, limited to amd64, ia64 and powerpc64 flavors in Debian. + Local users can exploit this issue to cause a denial of service + (system crash) or gain access to sensitive kernel memory. + +CVE-2010-0622 + + Jermome Marchand reported an issue in the futex subsystem + that allows a local user to force an invalid futex state + which results in a denial of service (oops). + +For the oldstable distribution (etch), this problem has been fixed in +version 2.6.18.dfsg.1-26etch2. + +We recommend that you upgrade your linux-2.6, fai-kernels, and +user-mode-linux packages. + +Note: Debian 'etch' includes linux kernel packages based upon both the +2.6.18 and 2.6.24 linux releases. All known security issues are +carefully tracked against both packages and both packages will receive +security updates until security support for Debian 'etch' +concludes. However, given the high frequency at which low-severity +security issues are discovered in the kernel and the resource +requirements of doing an update, lower severity 2.6.18 and 2.6.24 +updates will typically release in a staggered or "leap-frog" fashion. + +The following matrix lists additional source packages that were rebuilt for +compatability with or to take advantage of this update: + + Debian 4.0 (etch) + fai-kernels 1.17+etch.26etch2 + user-mode-linux 2.6.18-1um-2etch.26etch2 + +Upgrade instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +You may use an automated update by adding the resources from the +footer to the proper configuration. + +Debian GNU/Linux 4.0 alias etch +------------------------------- + +Oldstable updates are available for alpha, [...] + + These changes will probably be included in the oldstable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show ' and http://packages.debian.org/ -- cgit v1.2.3