1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
|
Subject: New Linux kernel 2.6.8 packages fix several issues
--------------------------------------------------------------------------
Debian Security Advisory DSA XXX-1 security@debian.org
http://www.debian.org/security/ Dann Frazier, Simon Horman
XXXXX 8th, 2005 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : kernel-source-2.6.8
Vulnerability : several
Problem-Type : local/remote
Debian-specific: no
CVE ID : CVE-2004-1017 CVE-2005-0124 CVE-2005-0449 CVE-2005-2457 CVE-2005-2490 CVE-2005-2555 CVE-2005-2709 CVE-2005-2800 CVE-2005-2973 CVE-2005-3044 CVE-2005-3053 CVE-2005-3055 CVE-2005-3180 CVE-2005-3181 CVE-2005-3257 CVE-2005-3356 CVE-2005-3358 CVE-2005-3783 CVE-2005-3784 CVE-2005-3806 CVE-2005-3847 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2005-4605 CVE-2005-4618 CVE-2006-0095 CVE-2006-0096 CVE-2006-0482 CVE-2006-1066
Debian Bug : 295949 334113 330287 332587 332596 330343 330353 327416
Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2004-1017
Multiple overflows exist in the io_edgeport driver which might be usable
as a denial of service attack vector.
CVE-2005-0124
Bryan Fulton reported a bounds checking bug in the coda_pioctl function
which may allow local users to execute arbitrary code or trigger a denial
of service attack.
CVE-2005-0449
An error in the skb_checksum_help() function from the netfilter framework
has been discovered that allows the bypass of packet filter rules or
a denial of service attack.
CVE-2005-2457
Tim Yamin discovered that insufficient input validation in the zisofs driver
for compressed ISO file systems allows a denial of service attack through
maliciously crafted ISO images.
CVE-2005-2490
A buffer overflow in the sendmsg() function allows local users to execute
arbitrary code.
CVE-2005-2555
Herbert Xu discovered that the setsockopt() function was not restricted to
users/processes with the CAP_NET_ADMIN capability. This allows attackers to
manipulate IPSEC policies or initiate a denial of service attack.
CVE-2005-2709
Al Viro discovered a race condition in the /proc handling of network devices.
A (local) attacker could exploit the stale reference after interface shutdown
to cause a denial of service or possibly execute code in kernel mode.
CVE-2005-2800
Jan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices
leak memory, which allows a denial of service attack.
CVE-2005-2973
Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code
can be forced into an endless loop, which allows a denial of service attack.
CVE-2005-3044
Vasiliy Averin discovered that the reference counters from sockfd_put() and
fput() can be forced into overlapping, which allows a denial of service attack
through a null pointer dereference.
CVE-2005-3053
Eric Dumazet discovered that the set_mempolicy() system call accepts a negative
value for it's first argument, which triggers a BUG() assert. This allows a
denial of service attack.
CVE-2005-3055
Harald Welte discovered that if a process issues a USB Request Block (URB)
to a device and terminates before the URB completes, a stale pointer
would be dereferenced. This could be used to trigger a denial of service
attack.
CVE-2005-3180
Pavel Roskin discovered that the driver for Orinoco wireless cards clears
it's buffers insufficiently. This could leak sensitive information into
user space.
CVE-2005-3181
Robert Derr discovered that the audit subsystem uses an incorrect function to
free memory, which allows a denial of service attack.
CVE-2005-3257
Rudolf Polzer discovered that the kernel improperly restricts access to the
KDSKBSENT ioctl, which can possibly lead to privilege escalation.
CVE-2005-3356
Doug Chapman discovered that the mq_open syscall can be tricked into
decrementing an internal counter twice, which allows a denial of service attack
through a kernel panic.
CVE-2005-3358
Doug Chapman discovered that passing a 0 zero bitmask to the set_mempolicy()
system call leads to a kernel panic, which allows a denial of service attack.
CVE-2005-3783
The ptrace code using CLONE_THREAD didn't use the thread group ID to
determine whether the caller is attaching to itself, which allows a denial
of service attack.
CVE-2005-3784
The auto-reaping of childe processes functionality included ptraced-attached
processes, which allows denial of service through dangling references.
CVE-2005-3806
Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable,
which could lead to memory corruption and denial of service.
CVE-2005-3847
It was discovered that a threaded real-time process, which is currently dumping
core can be forced into a dead-lock situation by sending it a SIGKILL signal,
which allows a denial of service attack.
CVE-2005-3848
Ollie Wild discovered a memory leak in the icmp_push_reply() function, which
allows denial of service through memory consumption.
CVE-2005-3857
Chris Wright discovered that excessive allocation of broken file lock leases
in the VFS layer can exhaust memory and fill up the system logging, which allows
denial of service.
CVE-2005-3858
Patrick McHardy discovered a memory leak in the ip6_input_finish() function from
the IPv6 code, which allows denial of service.
CVE-2005-4605
Karl Janmar discovered that a signedness error in the procfs code can be exploited
to read kernel memory, which may disclose sensitive information.
CVE-2005-4618
Yi Ying discovered that sysctl does not properly enforce the size of a buffer, which
allows a denial of service attack.
CVE-2006-0095
Stefan Rompf discovered that dm_crypt does not clear an internal struct before freeing
it, which might disclose sensitive information.
CVE-2006-0096
It was discovered that the SDLA driver's capability checks were too lax
for firmware upgrades.
CVE-2006-0482
Ludovic Courtes discovered that get_compat_timespec() performs insufficient input
sanitizing, which allows a local denial of service attack.
CVE-2006-1066
It was discovered that ptrace() on the ia64 architecture allows a local denial of
service attack, when preemption is enabled.
The following matrix explains which kernel version for which architecture
fix the problems mentioned above:
Debian 3.1 (sarge)
Source 2.6.8-16sarge2
Alpha architecture 2.6.8-16sarge2
AMD64 architecture 2.6.8-16sarge2
HP Precision architecture 2.6.8-6sarge2
Intel IA-32 architecture 2.6.8-16sarge2
Intel IA-64 architecture 2.6.8-14sarge2
Motorola 680x0 architecture 2.6.8-4sarge2
PowerPC architecture 2.6.8-12sarge2
IBM S/390 architecture 2.6.8-5sarge2
Sun Sparc architecture 2.6.8-15sarge2
The following matrix lists additional packages that were rebuilt for
compatability with or to take advantage of this update:
Debian 3.1 (sarge)
kernel-latest-2.6-alpha 101sarge1
kernel-latest-2.6-amd64 103sarge1
kernel-latest-2.6-hppa 2.6.8-1sarge1
kernel-latest-2.6-sparc 101sarge1
kernel-latest-2.6-i386 101sarge1
kernel-latest-powerpc 102sarge1
fai-kernels 1.9.1sarge1
hostap-modules-i386 0.3.7-1sarge1
mol-modules-2.6.8 0.9.70+2.6.8+12sarge1
ndiswrapper-modules-i386 1.1-2sarge1
We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.
Upgrade Instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
--------------------------------
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
|