1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
----------------------------------------------------------------------
Debian Security Advisory DSA-XXXX-1 security@debian.org
http://www.debian.org/security/ dann frazier
May 21, 2010 http://www.debian.org/security/faq
----------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2009-4537 CVE-2010-0727 CVE-2010-1083 CVE-2010-1084
CVE-2010-1086 CVE-2010-1087 CVE-2010-1088 CVE-2010-1162
CVE-2010-1173 CVE-2010-1187 CVE-2010-1437 CVE-2010-1446
CVE-2010-1451
Debian Bug(s) : 573071
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service or privilege escalation. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2009-4537
Fabian Yamaguchi reported a missing check for Ethernet frames larger
than the MTU in the r8169 driver. This may allow users on the local
network to crash a system, resulting in a denial of service.
CVE-2010-0727
Sachin Prabhu reported an issue in the GFS2 filesystem. Local users
can trigger a BUG() altering the permissions on a locked file,
resulting in a denial of service.
CVE-2010-1083
Linus Torvalds reported an issue in the USB subsystem, which may allow
local users to obtain portions of sensitive kernel memory.
CVE-2010-1084
Neil Brown reported an issue in the Bluetooth subsystem that may
permit remote attackers to overwrite memory through the creation
of large numbers of sockets, resulting in a denial of service.
CVE-2010-1086
Ang Way Chuang reported an issue in the DVB subsystem for Digital
TV adapters. By creating a specially-encoded MPEG2-TS frame, a remote
attacker could cause the receiver to enter an endless loop, resulting
in a denial of service.
CVE-2010-1087
Trond Myklebust reported an issue in the NFS filesystem. A local
user may cause an oops by sending a fatal signal during a file
truncation operation, resulting in a denial of service.
CVE-2010-1088
Al Viro reported an issue where automount symlinks may not
be followed when LOOKUP_FOLLOW is not set. This has an unknown
security impact.
CVE-2010-1162
Catalin Marinas reported an issue in the tty subsystem that allows
local attackers to cause a kernel memory leak, possibly resulting
in a denial of service.
CVE-2010-1173
Chris Guo from Nokia China and Jukka Taimisto and Olli Jarva from
Codenomicon Ltd reported an issue in the SCTP subsystem that allows
a remote attacker to cause a denial of service using a malformed init
package.
CVE-2010-1187
Neil Hormon reported an issue in the TIPC subsystem. Local users can
cause a denial of service by way of a NULL pointer dereference by
sending datagrams through AF_TIPC before entering network mode.
CVE-2010-1437
Toshiyuki Okajima reported a race condition in the keyring subsystem.
Local users can cause memory corruption via keyctl commands that
access a keyring in the process of being deleted, resulting in a
denial of service.
CVE-2010-1446
Wufei reported an issue with kgdb on the PowerPC architecture,
allowing local users to write to kernel memory. Note: this issue
does not affect binary kernels provided by Debian. The fix is
provided for the benefit of users who build their own kernels
from Debian source.
CVE-2010-1451
Brad Spengler reported an issue on the SPARC architecture that allows
local users to execute non-executable pages.
This update also includes fixes a regression introduced by a previous
update. See the referenced Debian bug page for details.
For the stable distribution (lenny), this problem has been fixed in
version 2.6.26-22lenny1.
We recommend that you upgrade your linux-2.6 and user-mode-linux
packages.
The following matrix lists additional source packages that were
rebuilt for compatibility with or to take advantage of this update:
Debian 5.0 (lenny)
user-mode-linux 2.6.26-1um-2+22lenny1
Upgrade instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
--------------------------------
Stable updates are available for X
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
|