1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
----------------------------------------------------------------------
Debian Security Advisory DSA-XXXX-1 security@debian.org
http://www.debian.org/security/ dann frazier
Oct 13, 2008 http://www.debian.org/security/faq
----------------------------------------------------------------------
Package : linux-2.6
Vulnerability : denial of service/privilege escalation
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2007-6716 CVE-2008-1514 CVE-2008-3276 CVE-2008-3525
CVE-2008-3833 CVE-2008-4210 CVE-2008-4302
Several vulnerabilities have been discovered in the Linux kernel that may
lead to a denial of service or privilege escalation. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-6716
Joe Jin reported a local denial of service vulnerability that allows
local users to trigger an oops due to an improperly initialized data
structure.
CVE-2008-1514
Jan Kratochvil reported a denial of service vulnerability in the ptrace
interface for the s390 architecture. Local users can trigger an invalid
pointer dereference, leading to a system panic.
CVE-2008-3276
Eugene Teo reported an integer overflow in the DCCP subsystem that
may allow remote attackers to cause a denial of service in the form
of a kernel panic.
CVE-2008-3525
Eugene Teo reported a lack of capability checks in the kernel driver for
Granch SBNI12 leased line adapters (sbni), allowing local users to perform
privileged operations.
CVE-2008-3833
The S_ISUID/S_ISGID bits were not being cleared during an inode splice,
which, under certain conditions, can be exploited by local users to obtain
the privileges of a group for which they are not a member. Mark Fasheh
reported this issue.
CVE-2008-4210
David Watson reported an issue in the open()/creat() system calls which,
under certain conditions, can be exploited by local users to obtain the
privileges of a group for which they are not a member.
CVE-2008-4302
A coding error in the splice subsystem allows local users to attempt to
unlock a page structure that has not been locked, resulting in a system
crash.
For the stable distribution (etch), this problem has been fixed in
version 2.6.18.dfsg.1-22etch3.
We recommend that you upgrade your linux-2.6, fai-kernels, and
user-mode-linux packages.
Upgrade instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
The following matrix lists additional source packages that were rebuilt for
compatability with or to take advantage of this update:
Debian 4.0 (etch)
fai-kernels 1.17+etch.22etch3
user-mode-linux 2.6.18-1um-2etch.22etch3
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
These changes will probably be included in the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
|