path: root/dsa-texts/2.4.27-10sarge4
blob: 90a8176edcdae07173f8ad44f3e6276fccde6b06
Subject: New Linux kernel 2.4.27 packages fix several issues

--------------------------------------------------------------------------
Debian Security Advisory DSA XXX-1                     security@debian.org
http://www.debian.org/security/                               Dann Frazier
XXXXX 8th, 2005                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : kernel-source-2.4.27
Vulnerability  : several
Problem-Type   : local/remote
Debian-specific: no
CVE ID         : CVE-2005-4798 CVE-2006-2935 CVE-2006-1528 CVE-2006-2444
                 CVE-2006-2446 CVE-2006-3745 CVE-2006-4535 CVE-2006-4145

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2005-4798

    Assar discovered a buffer overflow in the NFS readlink handling code
    that would allow a malicious remote server to cause a denial of
    service (crash) using a long symlink.

CVE-2006-2935

    Diego Calleja Garcia discovered a potential buffer overflow in the
    dvd_read_bca() function that could allow arbitrary code execution via
    a malicious CDROM device.

CVE-2006-1528

    Douglas Gilbert reported a bug in the sg driver that allows local
    users to oops the kernel by performing dio transfers from the sg
    driver to memory mapped IO space.

CVE-2006-2444

    Patrick McHardy reported a memory corruption bug in snmp_trap_decode that
    could be used by remote attackers to crash a system.

CVE-2006-2446

    A race between the kfree_skb and __skb_unlink functions allows remote
    users to crash a system.

CVE-2006-3745

    Wei Wang discovered a vulnerability in the SCTP subsystem that can be
    exploited for local privilege escalation.

CVE-2006-4145

    Colin discovered a bug in the UDF filesystem that allows local users to
    hang a system when truncating files.

CVE-2006-4535

    David Miller reported a problem with the fix for CVE-2006-3745 that allows
    local users to crash the system using an SCTP socket with a certain
    SO_LINGER value.

The following matrix explains which kernel version for each architecture
fixes the problems mentioned above:

                                 Debian 3.1 (sarge)
     Source                      2.4.27-10sarge4
     Alpha architecture          2.4.27-10sarge4
     ARM architecture            2.4.27-2sarge4
     Intel IA-32 architecture    2.4.27-10sarge4
     Intel IA-64 architecture    2.4.27-10sarge4
     Motorola 680x0 architecture 2.4.27-3sarge4
     Big endian MIPS             2.4.27-10.sarge4.040815-1
     Little endian MIPS          2.4.27-10.sarge4.040815-1
     PowerPC architecture        2.4.27-10sarge4
     IBM S/390 architecture      2.4.27-2sarge4
     Sun Sparc architecture      2.4.27-9sarge4

The following matrix lists additional packages that were rebuilt for
compatibility with or to take advantage of this update:

                                 Debian 3.1 (sarge)
     fai-kernels                 1.9.1sarge4
     kernel-image-2.4.27-speakup 2.4.27-1.1sarge3
     mindi-kernel                2.4.27-2sarge3
     systemimager                3.2.3-6sarge3

We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
