From 1b09f6434ed3cd7f8b96ce9f729adda50cda36ed Mon Sep 17 00:00:00 2001 From: dann frazier Date: Thu, 11 Feb 2010 06:34:51 +0000 Subject: new text git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1722 e094ebfe-e918-0410-adfb-c712417f3574 --- dsa-texts/2.6.26-21lenny3 | 149 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 dsa-texts/2.6.26-21lenny3 (limited to 'dsa-texts/2.6.26-21lenny3') diff --git a/dsa-texts/2.6.26-21lenny3 b/dsa-texts/2.6.26-21lenny3 new file mode 100644 index 00000000..94b2fb17 --- /dev/null +++ b/dsa-texts/2.6.26-21lenny3 @@ -0,0 +1,149 @@ +---------------------------------------------------------------------- +Debian Security Advisory DSA-XXXX-1 security@debian.org +http://www.debian.org/security/ dann frazier +February XX, 2010 http://www.debian.org/security/faq +---------------------------------------------------------------------- + +Package : linux-2.6 +Vulnerability : privilege escalation/denial of service/sensitive memory leak +Problem type : local/remote +Debian-specific: no +CVE Id(s) : CVE-2009-3939 CVE-2009-4027 CVE-2009-4536 CVE-2009-4538 + CVE-2010-0003 CVE-2010-0007 CVE-2010-0291 CVE-2010-0298 + CVE-2010-0306 CVE-2010-0307 CVE-2010-0309 CVE-2010-0410 + CVE-2010-0415 + +Several vulnerabilities have been discovered in the Linux kernel that +may lead to a denial of service, sensitive memory leak or privilege +escalation. The Common Vulnerabilities and Exposures project +identifies the following problems: + +CVE-2009-3939 + + Joseph Malicki reported that the dbg_lvl sysfs attribute for the + megaraid_sas device driver had world-writeable permissions, permitting + local users to modify logging settings. + +CVE-2009-4027 + + Lennert Buytenhek reported a race in the mac80211 subsystem that may allow + remote users to cause a denial of service (system crash) on a system + connected to the same wireless network. + +CVE-2009-4536 +CVE-2009-4538 + + Fabian Yamaguchi reported issues in the e1000 and e1000e drivers for Intel + gigabit network adapters which allow remote users to bypass packet filters + using specially crafted ethernet frames. + +CVE-2010-0003 + + Andi Kleen reported a defect which allows local users to gain read + access to memory reachable by the kernel when the print-fatal-signals + option is enabled. This option is disabled by default. + +CVE-2010-0007 + + Florian Westphal reported a lack of capability checking in the ebtables + netfilter subsystem. If the ebtables module is loaded, local users can + add and modify ebtables rules. + +CVE-2010-0291 + + Al Viro reported several issues with the mmap/mremap system calls that + allow local users to cause a denial of service (system panic) or obtain + elevated privileges. + +CVE-2010-0298 +CVE-2010-0306 + + Gleb Natapov discovered issues in the KVM subsystem where missing + permission checks (CPL/IOPL) permit a user in a guest system to denial + of service a guest (system crash) or gain escalated privileges with + the guest. + +CVE-2010-0307 + + Mathias Krause reported an issue with the load_elf_binary code on + the amd64 flavor kernels that allows local users to cause a denial + of service (system crash). + +CVE-2010-0309 + + Marcelo Tosatti fixed an issue in the PIT emulation code in the KVM + subsystem that allows privileged users in a guest domain to cause a + denial of service (crash) of the host system. + +CVE-2010-0410 + + Sebastian Krahmer discovered an issue in the netlink connector subsystem + that permits local users to allocate large amounts of system memory + resulting in a denial of service (out of memory). + +CVE-2010-0415 + + Ramon de Carvalho Valle discovered an issue in the sys_move_pages + interface, limited to amd64, ia64 and powerpc64 flavors in Debian. + Local users can exploit this issue to cause a denial of service + (system crash) or gain access to sensitive kernel memory. + +For the stable distribution (lenny), this problem has been fixed in +version 2.6.26-21lenny3. + +For the oldstable distribution (etch), these problems, where +applicable, will be fixed in updates to linux-2.6 and linux-2.6.24. + +We recommend that you upgrade your linux-2.6 and user-mode-linux +packages. + +Note: Debian carefully tracks all known security issues across every +linux kernel package in all releases under active security support. +However, given the high frequency at which low-severity security +issues are discovered in the kernel and the resource requirements of +doing an update, updates for lower priority issues will normally not +be released for all kernels at the same time. Rather, they will be +released in a staggered or "leap-frog" fashion. + +The following matrix lists additional source packages that were +rebuilt for compatibility with or to take advantage of this update: + + Debian 5.0 (lenny) + user-mode-linux 2.6.26-1um-2+19lenny3 + +Upgrade instructions +-------------------- + +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. + +If you are using the apt-get package manager, use the line for +sources.list as given below: + +apt-get update + will update the internal database +apt-get upgrade + will install corrected packages + +You may use an automated update by adding the resources from the +footer to the proper configuration. + +Debian GNU/Linux 5.0 alias lenny +-------------------------------- + +Stable updates are available for XXXX. Updates for other architectures +will be released as they become available. + +Source archives: +[...] + + These files will probably be moved into the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show ' and http://packages.debian.org/ -- cgit v1.2.3