
linux-2.6 update



Package        : linux-2.6
Version        : 2.6.32-48squeeze8
CVE ID         : CVE-2013-4387 CVE-2013-4470 CVE-2014-0203 CVE-2014-2678
                 CVE-2014-3122 CVE-2014-3144 CVE-2014-3917 CVE-2014-4652
                 CVE-2014-4699 CVE-2015-3145 CVE-2014-4656 CVE-2014-4667

This update fixes several remote and local denial of service attacks and
other issues:

CVE-2013-4387: ipv6: UDP packets following a UFO-enqueued packet also need
to be handled by UFO, to prevent remote attackers from causing a denial of
service (memory corruption and system crash) or possibly having unspecified
other impact via network traffic that triggers a large response packet.

CVE-2013-4470: inet: fix possible memory corruption with UDP_CORK and UFO, to
prevent local users from causing a denial of service (memory corruption and
system crash) or possibly gaining privileges via a crafted application.

CVE-2014-0203: fix autofs/afs/etc. magic mountpoint breakage, preventing
denial of service attacks by local users.

CVE-2014-2678: rds: prevent dereference of a NULL device in
rds_iw_laddr_check, to prevent local denial of service attacks (system crash,
or possibly unspecified other impact).

CVE-2014-3122: Incorrect locking of memory can result in local denial of
service.

CVE-2014-3144 / CVE-2014-3145: A local user can cause a denial of service
(system crash) via crafted BPF instructions.

CVE-2014-3917: auditsc: audit_krule mask accesses need bounds checking, to
prevent a local denial of service attack (OOPS) or the possible leak of
sensitive single-bit values from kernel memory.

CVE-2014-4652: ALSA: control: Protect user controls against concurrent
access, which results in a race condition that possibly allows local users to
access sensitive information from kernel memory.

CVE-2014-4656: ALSA: control: Make sure that id->index does not overflow, to
prevent a denial of service of the sound system by local users.

CVE-2014-4667: sctp: Fix sk_ack_backlog wrap-around problem, preventing denial
of service (socket outage) via a crafted SCTP packet by remote attackers.

CVE-2014-4699: Andy Lutomirski discovered that the ptrace syscall was not
verifying the RIP register to be valid in the ptrace API on x86_64 processors.
An unprivileged user could use this flaw to crash the kernel (resulting in
denial of service) or for privilege escalation.
