blob: f850a8ed7146f908cb007ad62a23095c71f93971 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
----------------------------------------------------------------------
Debian Security Advisory DSA-XXXX-1 security@debian.org
http://www.debian.org/security/ dann frazier
Sep 11, 2008 http://www.debian.org/security/faq
----------------------------------------------------------------------
Package : linux-2.6.24
Vulnerability : denial of service/information leak
Problem type : several
Debian-specific: no
CVE Id(s) : CVE-2008-3272 CVE-2008-3275 CVE-2008-3276 CVE-2008-3526
CVE-2008-3534 CVE-2008-3535 CVE-2008-3792 CVE-2008-3915
Several vulnerabilities have been discovered in the Linux kernel that may
lead to a denial of service or arbitrary code execution. The Common
Vulnerabilities and Exposures project identifies the following
problems:
CVE-2008-3272
Tobias Klein reported a locally exploitable data leak in the
snd_seq_oss_synth_make_info() function. This may allow local users
to gain access to sensitive information.
CVE-2008-3275
Zoltan Sogor discovered a coding error in the VFS that allows local users
to exploit a kernel memory leak resulting in a denial of service.
CVE-2008-3276
Eugene Teo reported an integer overflow in the DCCP subsystem that
may allow remote attackers to cause a denial of service in the form
of a kernel panic.
CVE-2008-3526
Eugene Teo reported a missing bounds check in the SCTP subsystem.
By exploiting an integer overflow in the SCTP_AUTH_KEY handling code,
remote attackers may be able to cause a denial of service in the form
of a kernel panic.
CVE-2008-3534
Kel Modderman reported an issue in the tmpfs filesystem that allows
local users to crash a system by triggering a kernel BUG() assertion.
CVE-2008-3535
Alexey Dobriyan discovered an off-by-one-error in the iov_iter_advance
function which can be exploited by local users to crash a system,
resulting in a denial of service.
CVE-2008-3792
Vlad Yasevich reported several NULL pointer reference conditions in
the SCTP subsystem that can be triggered by entering sctp-auth codepaths
when the AUTH feature is inactive. This may allow attackers to cause
a denial of service condition via a system panic.
CVE-2008-3915
Johann Dahm and David Richter reported and issue in the nfsd subsystem
that may allow remote attackers to cause a denial of service via a
buffer overflow.
For the stable distribution (etch), this problem has been fixed in
version 2.6.22-6~etchnhalf.5.
We recommend that you upgrade your linux-2.6.24 packages.
Upgrade instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------
These changes will probably be included in the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
|
